1671138 – User is unable to perform sudo as a user on IPA Server, even though `sudo -l` shows permissions to do so

Bug 1671138 - User is unable to perform sudo as a user on IPA Server, even though `sudo -l` shows permissions to do so

Summary: User is unable to perform sudo as a user on IPA Server, even though `sudo -l`...

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 7
Classification:	Red Hat
Component:	sssd
Sub Component:
Version:	7.4
Hardware:	x86_64
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	rc
Target Release:	---
Assignee:	Pavel Březina
QA Contact:	ipa-qe
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2019-01-30 20:44 UTC by Josip Vilicic
Modified:	2020-05-02 19:06 UTC (History)
CC List:	15 users (show)
Fixed In Version:	sssd-1.16.4-6.el7
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2019-08-06 13:02:47 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Github	SSSD sssd issues 4931	0	None	None	None	2020-05-02 19:06:33 UTC
Red Hat Product Errata	RHSA-2019:2177	0	None	None	None	2019-08-06 13:03:05 UTC

Comment 4 Jakub Hrozek 2019-01-31 08:46:19 UTC

Pavel, can you take a look, please?

Comment 8 Pavel Březina 2019-02-15 10:03:10 UTC

Thank you for the date. I can reproduce this issue.

Upstream ticket:
https://pagure.io/SSSD/sssd/issue/3957

Comment 12 Jakub Hrozek 2019-03-13 22:15:47 UTC

Upstream ticket:
https://pagure.io/SSSD/sssd/issue/3957

Comment 13 Jakub Hrozek 2019-03-27 20:46:25 UTC

* master:
  * 0aa6571
  * d411feb
* sssd-1-16:
  * 3a18e33
  * 5ad7f5e

Comment 15 Sergey Orlov 2019-06-05 09:35:56 UTC

Fix verified with nightly build of RHEL 7.7
# rpm -q sssd-common
sssd-common-1.16.4-19.el7.x86_64

Verified using steps in upstream ticket https://pagure.io/SSSD/sssd/issue/3957:
* define domain resolution order:
  ipa config-mod --domain-resolution-order testrelm.test
* create test users: 
  ipa user-add user1 --first a --last b
  ipa user-add user2 --first a --last b
* create sudo rule:
  ipa sudorule-add testrule --hostcat=all --cmdcat=all --usercat=all
  ipa sudorule-add-runasuser testrule --users testuser2
* clear sssd cache:
  rm -rf /var/lib/sss/{db,mc}/*  
  systemctl restart sssd
* check allowed commands list for testuser1:
# su testuser1 -c 'sudo -l'
Matching Defaults entries for testuser1 on client1:
    !visiblepw, always_set_home, match_group_by_gid, always_query_group_plugin, env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS", env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE",
    env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY",
    secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin, !authenticate

User testuser1 may run the following commands on client1:
    (testuser2) ALL

* execute command by testuser1 as testuser2:
# su testuser1 -c "sudo -u testuser2 echo OK"
OK


Also checked that with sssd version 1.16.4-5.el7 last step expectedly fails with message
"Sorry, user testuser1 is not allowed to execute '/bin/echo OK' as testuser2 on client1.testrelm.test."

Comment 16 Florence Blanc-Renaud 2019-07-16 09:16:52 UTC

Automated test added in freeipa upstream workspace:  ipatests/test_integration/test_sudo.py::test_domain_resolution_order

Comment 18 errata-xmlrpc 2019-08-06 13:02:47 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2019:2177

Note You need to log in before you can comment on or make changes to this bug.