Description of problem:
The sudo version(s) on RHEL 4 does not properly recognize network addresses for specifying a host.

Version-Release number of selected component (if applicable):
version 1.6.7p5 release 30.1.1
version 1.6.7p5 release 30.1.3

How reproducible:
100% of the time

Steps to Reproduce:
Test with sudoers config of just single line:
    <username> <network address> = ALL

Actual results:
<user> is not allowed to run sudo on <host>

Expected results:
user should be allowed

Additional info:
I have been using several sudoers configs for some time now on all types of unix hosts in our environment. However, when I tried making it more granular, I found that it does not work properly on RHEL 4.0 systems with the default Red Hat sudo implementation.

I have stripped the sudoers config down to just the basics for troubleshooting (actual subnet addresses/hostname/username not listed to protect the guilty...):

    Host_Alias MYHOSTS = <subnet>/24
    User_Alias ADMINS = myadmin
    ADMINS MYHOSTS = ALL

And finally its simplest form:

    myadmin <subnet>/24 = ALL

It always fails to allow sudo access:

    myadmin is not allowed to run sudo on <host>...

I have tried all variations on the network address with no luck, for example:

    192.168.1.93
    192.168.1.0
    192.168.1.0/24
    192.168.1.0/255.255.255.0

However, if I specify the hostname it works fine:

    myadmin myhost = ALL

As does the default config of:

    myadmin ALL = ALL

I have tested this on RHEL 4.0, RHEL 4.0U1, and also an updated RHEL 4.0 box that was fully updated as of today via up2date.

    Linux myhost 2.6.9-11.ELsmp #1 SMP Fri May 20 18:26:27 EDT 2005 i686 i686 i386 GNU/Linux
    sudo version 1.6.7p5 release 30.1.1 and release 30.1.3

    Linux myhost 2.6.9-22.ELsmp #1 SMP Mon Sep 19 18:32:14 EDT 2005 i686 i686 i386 GNU/Linux
    sudo version 1.6.7p5 release 30.1.1 and release 30.1.3

I then downloaded the latest sudo source from courtesan and did a default compile and install of it on my system, and it works fine on RHEL 4:

    Linux myhost 2.6.9-22.ELsmp #1 SMP Mon Sep 19 18:32:14 EDT 2005 i686 i686 i386 GNU/Linux
    Sudo version 1.6.8p9

It also works fine on RHEL 3.x, as well as lots of other OSes/sudo combinations:

    RHEL WS 3.0 Kernel 2.4.21-9.0.1.ELsmp - sudo version 1.6.7p5 release 1.2
    RHEL WS 3.0U4 Kernel 2.4.21-27.ELsmp - sudo 1.6.7p5 release 1
    HP-UX B.11.11 - Sudo version 1.6.8p1
    IRIX64 6.5.25m - Sudo version 1.6.6
    Solaris 8 - Sudo version 1.6.8p9
    Solaris 9 - Sudo version 1.6.8p9

So it appears to be a problem specific to the RHEL 4 implementation of sudo.

Good catch. It's a problem in sudo SELinux patch :-(
Sorry, but after investigation I have to say that it's a limitation of selinux. The sudo package in RHEL4 is compiled with the "--without-interfaces" option and loading of information about interfaces is completely disabled. The limitation is not described in the sudo man page. It's a bug that should be fixed. This limitation will probably be removed in RHEL5 and FC5.
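
Added example, not part of the bug thread and not sudo's own code: a simplified Python model of sudoers host matching, showing why the address and network entries from the report stop matching when no local interface information is loaded, as in a build configured with "--without-interfaces". The function names, hostname and interface address are constructed for illustration.

```python
import ipaddress

# Host entries tried in the report, plus the two that worked.
REPORT_SPECS = [
    "192.168.1.93",
    "192.168.1.0",
    "192.168.1.0/24",
    "192.168.1.0/255.255.255.0",
    "myhost",
    "ALL",
]

def host_matches(spec, hostname, interface_addrs):
    """Return True if a sudoers host entry applies to this machine.

    Simplified model: ALL always matches, a name is compared with the
    hostname, and an address or network is compared with the addresses
    of the local interfaces. An empty interface_addrs list models a
    build that never loads interface information.
    """
    if spec == "ALL":
        return True
    try:
        # A bare address becomes a /32; CIDR and dotted netmasks both parse.
        net = ipaddress.ip_network(spec, strict=False)
    except ValueError:
        # Not an address or network: treat the entry as a hostname.
        return spec.lower() == hostname.lower()
    return any(ipaddress.ip_address(a) in net for a in interface_addrs)

def evaluate(specs, hostname, interface_addrs):
    """Map each host entry to whether it would grant access on this host."""
    return {s: host_matches(s, hostname, interface_addrs) for s in specs}

if __name__ == "__main__":
    # Constructed sample host: name "myhost", one interface at 192.168.1.93.
    for label, addrs in (("interfaces loaded", ["192.168.1.93"]),
                         ("no interface info", [])):
        print(label)
        for spec, ok in evaluate(REPORT_SPECS, "myhost", addrs).items():
            print(f"  {spec:28} {'match' if ok else 'no match'}")
```

With the empty interface list only the hostname and ALL entries match, which is the behaviour reported for the RHEL 4 package.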
Bummer, since it significantly cripples sudo and/or requires lots of bloat to achieve the equivalent in sudoers. I certainly hope it is removed in RHEL 5. In the meantime I will just have to run my own compiled version. (I have selinux currently disabled due to other requirements, no idea if a regular compile of sudo works with selinux enabled.)

Thanks,
Rodney
Note that sudo selinux support is a Red Hat specific patch. The upstream version is without selinux. The problem has been fixed in the development branch (FC5).
*** Bug 180342 has been marked as a duplicate of this bug. ***
*** Bug 185098 has been marked as a duplicate of this bug. ***
*** Bug 200899 has been marked as a duplicate of this bug. ***