Bug 170023 - sudo does not properly recognize network addresses specified in sudoers
Status: CLOSED NEXTRELEASE
Product: Red Hat Enterprise Linux 4
Classification: Red Hat
Component: sudo
Version: 4.0
Hardware: i686 Linux
Priority: medium, Severity: medium
Assigned To: Karel Zak
Ben Levenson
Duplicates: 180342 185098 200899
Reported: 2005-10-06 12:47 EDT by Rodney Rutherford
Modified: 2007-11-30 17:07 EST
Doc Type: Bug Fix
Last Closed: 2005-10-11 16:42:26 EDT
Description Rodney Rutherford 2005-10-06 12:47:47 EDT
Description of problem:

The sudo version(s) on RHEL 4 does not properly recognize network addresses
for specifying a host.

Version-Release number of selected component (if applicable):

version 1.6.7p5 release 30.1.1
version 1.6.7p5 release 30.1.3

How reproducible:

100% of the time

Steps to Reproduce:

Test with sudoers config of just single line:

<username>     <network address> = ALL

Actual results:

<user> is not allowed to run sudo on <host>

Expected results:

user should be allowed

Additional info:

I have been using several sudoers configs for some time now on all types
of unix hosts in our environment.  However, when I tried making it more
granular, I found that it does not work properly on RHEL 4.0 systems
with the default Red Hat sudo implementation.

I have stripped the sudoers config down to just the basics for troubleshooting:
(actual subnet addresses/hostname/username not listed to protect the guilty...)

        Host_Alias      MYHOSTS = <subnet>/24

        User_Alias      ADMINS = myadmin

        ADMINS          MYHOSTS = ALL

And finally its simplest form:

        myadmin        <subnet>/24 = ALL

It always fails to allow sudo access:

        myadmin is not allowed to run sudo on <host>...

I have tried all variations on the network address with no luck, for example:

        192.168.1.93
        192.168.1.0
        192.168.1.0/24
        192.168.1.0/255.255.255.0

However, if I specify the hostname it works fine:

        myadmin        myhost = ALL

As does the default config of:

        myadmin        ALL = ALL

I have tested this on RHEL 4.0, RHEL 4.0U1, and also an updated
RHEL 4.0 box that was fully updated as of today via up2date.

        Linux myhost 2.6.9-11.ELsmp #1 SMP Fri May 20 18:26:27 EDT 2005 i686 i686 i386 GNU/Linux
        sudo version 1.6.7p5 release 30.1.1 and release 30.1.3

        Linux myhost 2.6.9-22.ELsmp #1 SMP Mon Sep 19 18:32:14 EDT 2005 i686 i686 i386 GNU/Linux
        sudo version 1.6.7p5 release 30.1.1 and release 30.1.3

I then downloaded the latest sudo source from courtesan and did a
default compile and install of it on my system, and it works fine on RHEL 4:

        Linux myhost 2.6.9-22.ELsmp #1 SMP Mon Sep 19 18:32:14 EDT 2005 i686 i686 i386 GNU/Linux
        Sudo version 1.6.8p9

It also works fine on RHEL 3.x, as well as lots of other OSes/sudo combinations:

        RHEL WS 3.0 Kernel 2.4.21-9.0.1.ELsmp - sudo version 1.6.7p5 release 1.2
        RHEL WS 3.0U4 Kernel 2.4.21-27.ELsmp - sudo 1.6.7p5 release 1
        HP-UX B.11.11 - Sudo version 1.6.8p1
        IRIX64 6.5.25m - Sudo version 1.6.6
        Solaris 8 - Sudo version 1.6.8p9
        Solaris 9 - Sudo version 1.6.8p9

So it appears to be a problem specific to the RHEL 4 implementation of sudo.
Comment 1 Karel Zak 2005-10-07 19:06:58 EDT
Good catch. It's a problem in sudo SELinux patch :-(
Comment 2 Karel Zak 2005-10-11 05:57:51 EDT
Sorry, but after investigation I have to say that it's a limitation of selinux.
The sudo package in RHEL4 is compiled with the "--without-interfaces" option and
loading of information about interfaces is completely disabled.

The limitation is not described in the sudo man page. It's a bug that should be fixed.

This limitation will probably be removed in RHEL5 and FC5.
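
A simplified model of the behaviour described in comment 2, added here as an illustration (it is not sudo's source and not code from this bug report): address-style host specifications are compared against the list of local interface addresses, so an empty list, as in a build configured with `--without-interfaces`, makes every address form fail while hostname and `ALL` entries still match. The host specs are the ones from the report; the interface address 192.168.1.93/24 is an assumed sample value.

```python
import ipaddress

def parse_addr_spec(spec):
    """Return ('net', network) or ('addr', address); None for a hostname-style spec."""
    try:
        if "/" in spec:
            # Accepts both 192.168.1.0/24 and 192.168.1.0/255.255.255.0.
            return "net", ipaddress.ip_network(spec, strict=False)
        return "addr", ipaddress.ip_address(spec)
    except ValueError:
        return None

def host_spec_matches(spec, hostname, interfaces):
    """Simplified model of sudoers host matching.

    interfaces: list of ipaddress.IPv4Interface known to the sudo binary.
    An empty list models a build configured with --without-interfaces.
    """
    if spec == "ALL":
        return True
    parsed = parse_addr_spec(spec)
    if parsed is None:
        return spec == hostname  # plain hostname comparison, no interface data needed
    kind, value = parsed
    if kind == "net":
        return any(i.ip in value for i in interfaces)
    # Bare address: matches the interface's own address or its network number
    # (the interface's netmask is used when the spec carries none).
    return any(value in (i.ip, i.network.network_address) for i in interfaces)

def evaluate(specs, hostname, interfaces):
    """Map each host spec to whether it would match on this host."""
    return {s: host_spec_matches(s, hostname, interfaces) for s in specs}

# Host specs taken from the report; the interface address is a constructed sample.
SPECS = ["192.168.1.93", "192.168.1.0", "192.168.1.0/24",
         "192.168.1.0/255.255.255.0", "myhost", "ALL"]
WITH_IFACES = evaluate(SPECS, "myhost", [ipaddress.ip_interface("192.168.1.93/24")])
WITHOUT_IFACES = evaluate(SPECS, "myhost", [])

if __name__ == "__main__":
    for spec in SPECS:
        print(f"{spec:28} normal={WITH_IFACES[spec]!s:6} "
              f"--without-interfaces={WITHOUT_IFACES[spec]}")
```

Entries that fail only in the second column are the ones that silently stop granting access on such a build, which is why the hostname and `ALL` forms in the report kept working.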
Comment 4 Rodney Rutherford 2005-10-11 16:09:31 EDT
Bummer, since it significantly cripples sudo and/or requires lots of bloat
to achieve the equivalent in sudoers.

I certainly hope it is removed in RHEL 5.  In the meantime I will just have
to run my own compiled version.  (I have selinux currently disabled due to
other requirements, no idea if a regular compile of sudo works with selinux
enabled.)

Thanks,

Rodney
Comment 5 Karel Zak 2005-10-11 16:40:39 EDT
Note that sudo selinux support is a Red Hat specific patch. The upstream version
is without selinux. The problem has been fixed in the development branch (FC5).
Comment 6 Karel Zak 2006-02-07 10:30:55 EST
*** Bug 180342 has been marked as a duplicate of this bug. ***
Comment 7 Karel Zak 2006-03-10 15:56:47 EST
*** Bug 185098 has been marked as a duplicate of this bug. ***
Comment 11 Peter Vrabec 2006-08-03 04:19:45 EDT
*** Bug 200899 has been marked as a duplicate of this bug. ***
