Bug 200899 - Error detecting user on specific host
Summary: Error detecting user on specific host
Keywords:
Status: CLOSED DUPLICATE of bug 170023
Alias: None
Product: Red Hat Enterprise Linux 4
Classification: Red Hat
Component: sudo
Version: 4.0
Hardware: i686
OS: Linux
medium
medium
Target Milestone: ---
: ---
Assignee: Peter Vrabec
QA Contact: Ben Levenson
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2006-08-01 14:08 UTC by Robert Fielding
Modified: 2007-11-30 22:07 UTC (History)
0 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2006-08-03 08:19:32 UTC
Target Upstream Version:
Embargoed:


Attachments (Terms of Use)

Description Robert Fielding 2006-08-01 14:08:53 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.8.0.5) Gecko/20060719 Firefox/1.5.0.5

Description of problem:
Whilst developing a single large multi host, multi user sudoers for all our RHEL AS 2.x, 3.x and 4 hosts, it became clear that the sudoers on RHEL AS 4 would not allow users to execute commands where HOST was defined. 

When host := ALL there was no issue.

After hand checking changes and verifying it should work, I installed the script onto a RHEL AS 3 Update 5 box and verified the sudoers was indeed correct.

The sudo binary from a RHEL 3 machine, package sudo-1.6.7p5-1, results in successful operation.

Please see below for a specially crafted version of our sudoers which reproduces this issue.

Here's a test with sudo-1.6.7p5-30.1.3 (moved to sudo.o):

nlfiel$ sudo.o less /var/log/messages
Password:
nlfiel is not allowed to run sudo on XXXXXX.  This incident will be reported.

Here's a test with the sudo binary from sudo-1.6.7p5-1 on the same machine:

nlfiel$ sudo less /var/log/messages
<snip messages output>


 



Version-Release number of selected component (if applicable):
sudo-1.6.7p5-30.1.3

How reproducible:
Always

Steps to Reproduce:
1. See sudoers below, install into /etc/sudoers
2. using a user specified attempt to sudo and execute a command
3. note failure and replace ALLSVR with ALL to use the builtin Alias
4. note success

5. take sudo binary from RPM sudo-1.6.7p5-1
6. repeat with ALLSVR specified
7. note success


Actual Results:  user is not allowed to run sudo on <hostname>

/var/log/messages:

Aug  1 15:20:17 HOSTNAME sudo:   nlfiel : user NOT authorized on host ; TTY=pts/2 ; PWD=/home/nlfiel ; USER=root ; COMMAND=/usr/bin/less /var/log/messages


Expected Results:  In this example, the user specified (nlfiel) in the ACL should be able to access commands (less /var/log/messages) when the host matches those defined by ALLSVR. 

Additional info:

#TEST SCRIPT FOR sudo-1.6.7p5-30.1.3

User_Alias     MANAGER    = %manager,nlfiel

Host_Alias     SVR_DEV_AS = 10.1.1.109
Host_Alias     SVR_DEV_DS = 10.1.1.111
Host_Alias     SVR_DEV_BO = 10.1.1.103
Host_Alias     SVR_DEV    = SVR_DEV_AS, SVR_DEV_DS, SVR_DEV_BO

Host_Alias     ALLSVR     = hosta, hostb, hostc,\
                            SVR_DEV
# service aliases
Cmnd_Alias     CMD_SVCE    = /sbin/service *
Cmnd_Alias     CMD_LOG     = /usr/bin/less /var/log/messages

Defaults           syslog=auth
Defaults:MANAGER    !lecture

MANAGER       ALLSVR = (ALL) PASSWD: CMD_SVCE, CMD_LOG

#END

Comment 1 Peter Vrabec 2006-08-02 10:51:28 UTC
I can't reproduce it with same sudoers. Only change I made is that I had added host vepro.
:-(

# cat /etc/sudoers
# Host alias specification
Host_Alias     SVR_DEV_AS = 10.1.1.109
Host_Alias     SVR_DEV_DS = 10.1.1.111
Host_Alias     SVR_DEV_BO = 10.1.1.103
Host_Alias     SVR_DEV    = SVR_DEV_AS, SVR_DEV_DS, SVR_DEV_BO

Host_Alias     ALLSVR     = hosta, hostb, hostc,\
                            SVR_DEV, vepro

# User alias specification
User_Alias     MANAGER    = %manager,nlfiel

# Cmnd alias specification
Cmnd_Alias     CMD_SVCE    = /sbin/service *
Cmnd_Alias     CMD_LOG     = /usr/bin/less /var/log/messages

Defaults           syslog=auth
Defaults:MANAGER    !lecture

# User privilege specification
root    ALL=(ALL) ALL
MANAGER       ALLSVR = (ALL) PASSWD: CMD_SVCE, CMD_LOG

# rpm -q sudo
sudo-1.6.7p5-30.1.3

# su - nlfiel

[nlfiel@vepro ~]$ sudo less /var/log/messages
Password:
<messages output>


Comment 2 Karel Zak 2006-08-03 08:10:23 UTC
The sudo command in RHEL4 doesn't support work with hosts/ip. It's limitation of
selinux patch. This problem will be fixed in RHEL5 (and has been fixed in FC5
and FC6). See also bug #170023.

Comment 3 Peter Vrabec 2006-08-03 08:19:32 UTC

*** This bug has been marked as a duplicate of 170023 ***


Note You need to log in before you can comment on or make changes to this bug.