Bug 1657496 - sudo ipa_hostname not honored
Summary: sudo ipa_hostname not honored
Keywords:
Status: CLOSED UPSTREAM
Alias: None
Product: Fedora
Classification: Fedora
Component: sudo
Version: 29
Hardware: All
OS: Linux
unspecified
unspecified
Target Milestone: ---
Assignee: Radovan Sroka
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks: 1738662
TreeView+ depends on / blocked
 
Reported: 2018-12-09 15:58 UTC by Magnus W
Modified: 2019-08-16 12:12 UTC (History)
5 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
: 1738662 (view as bug list)
Environment:
Last Closed: 2019-08-16 12:12:14 UTC


Attachments (Terms of Use)

Description Magnus W 2018-12-09 15:58:05 UTC
Description of problem:

Failure to sudo after upgrading to sudo-1.8.25-1.fc29.x86_64 (from sudo-1.8.23-3.fc29.x86_64). The setup is using
FreeIPA and sssd with configured sudo rules based on hostnames. The "ipa_hostname" option in sssd.conf is expected to override the machine's hostname when doing host matching.     

Version-Release number of selected component (if applicable):

sudo-1.8.25-1.fc29.x86_64
sssd-2.0.0-4.fc29.x86_64

How reproducible:

always

Steps to Reproduce:

1. Add "sudoers: files sss" in /etc/nsswitch.conf

2. Add the following lines in /etc/sssd/sssd.conf:

	[domain/example.com]

	id_provider = ipa
	ipa_server = _srv_, ipaserver.example.com
	ipa_domain = example.com
	ipa_hostname = client01.example.com
	auth_provider = ipa
	chpass_provider = ipa
	access_provider = ipa
	cache_credentials = True
	ldap_tls_cacert = /etc/ipa/ca.crt
	krb5_store_password_if_offline = True
	[sssd]
	services = nss, pam, ssh, sudo
	domains = example.com
	...
3. Configure sudo rules on ipaserver.example.com to allow sudo for user01 only on server 'client01.example.com'

4. 	[user01@client01]# hostname
	client01

Actual results:

   [user01@client01]# sudo -l
   Sorry, user user01 may not run sudo on client01.
  

Expected results:

sudo should honor the ipa_hostname value when the sss backend is used.

The following is logged when enabling sudo debug-logs:

Dec  8 17:16:47 sudo[2366] ipa_hostname client01.example.com overrides client01
Dec  8 17:16:47 sudo[2366] <- get_ipa_hostname @ ./sssd.c:158 := 1
...
Dec  8 17:16:47 sudo[2366] host client01 matches sudoers pattern client01.example.com: false @ hostname_matches() ./match.c:1013
...

Even though the ipa_hostname override is picked up by sudo, it doesn't seem to be used when matching against the host rules provided by sssd.

When downgrading to sudo-1.8.23-3.fc29.x86_64 (everything else is the same on the system), the logs instead shows:

host client01.example.com matches sudoers pattern client01.example.com: true @ hostname_matches() ./match.c:997
Dec  8 20:09:42 sudo[25342] <- hostname_matches @ ./match.c:998 := true
Dec  8 20:09:42 sudo[25342] sssd/ldap sudoHost 'client01.example.com' ... MATCH!

..and the sudo is successful.

Something might be incorrect with my configuration, but it seems that sudo 1.8.23 and 1.8.25 behaves differently here.

Comment 2 Radovan Sroka 2019-08-16 12:12:14 UTC
Fixed in:

https://www.sudo.ws/repos/sudo/rev/b4f31dbe3109


Note You need to log in before you can comment on or make changes to this bug.