This bug has been migrated to another issue tracking site. It has been closed here and may no longer be monitored.

If you would like to get updates for this issue, or to participate in it, you may do so at Red Hat Issue Tracker.
Bug 2121523 - SudoHost entry does not work via SSSD provider
Summary: SudoHost entry does not work via SSSD provider
Keywords:
Status: CLOSED MIGRATED
Alias: None
Product: Red Hat Enterprise Linux 9
Classification: Red Hat
Component: sudo
Version: 9.0
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
Assignee: Radovan Sroka
QA Contact: BaseOS QE Security Team
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2022-08-25 18:11 UTC by nbubakov
Modified: 2023-08-16 08:56 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Clones: 2121524
Environment:
Last Closed: 2023-08-16 08:56:09 UTC
Type: Bug
Target Upstream Version:
Embargoed:



Links
System                 ID               Private  Priority  Status  Summary  Last Updated
Red Hat Issue Tracker  RHEL-1344        0        None      None    None     2023-08-16 08:56:08 UTC
Red Hat Issue Tracker  RHELPLAN-132366  0        None      None    None     2022-08-25 18:21:33 UTC
Red Hat Issue Tracker  SECENGSP-4736    0        None      None    None     2022-08-25 18:21:36 UTC

Description nbubakov 2022-08-25 18:11:52 UTC
Description of problem:
Sudo rule option sudoHost does not work with IPv6, IPv6 with mask or IPv4 with mask via the SSSD provider. But it works via LDAP.

Version-Release number of selected component (if applicable):
tested and failed on all RHEL8 and RHEL9

How reproducible:
Every time

Steps to Reproduce:
1. setup sudo to use sssd, using this ldap data:

  # my-domain.com
  dn: dc=my-domain,dc=com
  objectClass: dcObject
  objectClass: organization
  dc: my-domain
  o: Test server

  # Groups, my-domain.com
  dn: ou=Groups,dc=my-domain,dc=com
  objectClass: top
  objectClass: organizationalunit
  ou: Groups

  # People, my-domain.com
  dn: ou=People,dc=my-domain,dc=com
  objectClass: top
  objectClass: organizationalunit
  ou: People

  # admin, People, my-domain.com
  dn: cn=admin,ou=People,dc=my-domain,dc=com
  objectClass: top
  objectClass: account
  objectClass: posixAccount
  cn: admin
  uidNumber: 11001
  gidNumber: 21001
  homeDirectory: /home/admin
  loginShell: /bin/bash
  uid: admin
  userPassword:: eA==

  # admin, Groups, my-domain.com
  dn: cn=admin,ou=Groups,dc=my-domain,dc=com
  gidNumber: 21001
  objectClass: top
  objectClass: posixGroup
  cn: 21001
  cn: admin

  # userallowed, People, my-domain.com
  dn: cn=userallowed,ou=People,dc=my-domain,dc=com
  objectClass: top
  objectClass: account
  objectClass: posixAccount
  cn: userallowed
  uidNumber: 10001
  gidNumber: 20001
  homeDirectory: /home/userallowed
  loginShell: /bin/bash
  uid: userallowed
  userPassword:: eA==

  # groupallowed, Groups, my-domain.com
  dn: cn=groupallowed,ou=Groups,dc=my-domain,dc=com
  gidNumber: 20001
  objectClass: top
  objectClass: posixGroup
  cn: groupallowed

  # usernotallowed, People, my-domain.com
  dn: cn=usernotallowed,ou=People,dc=my-domain,dc=com
  objectClass: top
  objectClass: account
  objectClass: posixAccount
  cn: usernotallowed
  uidNumber: 10002
  gidNumber: 20002
  homeDirectory: /home/usernotallowed
  loginShell: /bin/bash
  uid: usernotallowed
  userPassword:: eA==

  # groupnotallowed, Groups, my-domain.com
  dn: cn=groupnotallowed,ou=Groups,dc=my-domain,dc=com
  gidNumber: 20002
  objectClass: top
  objectClass: posixGroup
  cn: groupnotallowed

  # Sudoers, my-domain.com
  dn: ou=Sudoers,dc=my-domain,dc=com
  objectClass: top
  objectClass: organizationalUnit
  ou: Sudoers

  # defaults, Sudoers, my-domain.com
  dn: cn=defaults,ou=Sudoers,dc=my-domain,dc=com
  objectClass: top
  objectClass: sudoRole
  cn: defaults
  sudoOption: !authenticate
  sudoOption: !requiretty

2. add one of the following rules to the ldap data:

a) in order to test sudoHost with IPv6, add this rule:

  # rule_allow, Sudoers, my-domain.com
  dn: cn=rule_allow,ou=Sudoers,dc=my-domain,dc=com
  objectClass: top
  objectClass: sudoRole
  cn: rule_allow
  sudoCommand: ALL
  sudoUser: ALL
  sudoHost: FD6D:8D64:AF0C:0000:0000:0000:0000:0008

b) in order to test sudoHost with IPv6 with mask, add this rule:

  # rule_allow, Sudoers, my-domain.com
  dn: cn=rule_allow,ou=Sudoers,dc=my-domain,dc=com
  objectClass: top
  objectClass: sudoRole
  cn: rule_allow
  sudoCommand: ALL
  sudoUser: ALL
  sudoHost: FD6D:8D64:AF0C::/72

c) in order to test sudoHost with IPv4 with mask, add this rule:

  # rule_allow, Sudoers, my-domain.com
  dn: cn=rule_allow,ou=Sudoers,dc=my-domain,dc=com
  objectClass: top
  objectClass: sudoRole
  cn: rule_allow
  sudoCommand: ALL
  sudoUser: ALL
  sudoHost: 192.168.10.0/26


3. check it with following command:

   $ su - userallowed -c 'sudo true'


Actual results:
Gets a generic error - exit status 1


Expected results:
userallowed is allowed to run sudo on this host - exit status 0

Additional info:
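
The following is an added reference model of how sudo is documented to match a sudoHost value against the local machine (sudoers(5) Host_List and sudoers.ldap(5) sudoHost). It is not sudo's, SSSD's or the reporter's code; it exists so the expected result of the three rule variants above can be computed offline and compared with what the SSSD path actually returns. The host names box1/box2 and the interface addresses are constructed test data; the three sudoHost values are the ones from the report. ALL, bare addresses, address/prefix, IPv4 address/dotted-mask and hostname globs are modelled; netgroups and negated entries are deliberately left out.

```python
"""Reference model of sudoers host matching for the sudoHost forms in the
report (added example; not sudo's or SSSD's code).  Semantics follow
sudoers(5) Host_List / sudoers.ldap(5) sudoHost as documented there."""
import fnmatch
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Host:
    """What sudo knows about the local machine: short name, FQDN and the
    addresses of its interfaces.  Instances below are constructed data."""
    shost: str
    lhost: str
    addrs: list = field(default_factory=list)


def _parse_entry(entry):
    """Classify one sudoHost value as ('all', None), ('net', network),
    ('addr', address) or ('name', hostname-or-glob)."""
    if entry == "ALL":
        return "all", None
    if "/" in entry:
        try:
            # strict=False masks off host bits, matching sudo's comparison
            # of (addr & mask) with (net & mask).  Accepts both
            # "192.168.10.0/26" and "192.168.10.0/255.255.255.192".
            return "net", ipaddress.ip_network(entry, strict=False)
        except ValueError:
            return "name", entry
    try:
        # A bare address is compared exactly with each interface address,
        # so textual differences (leading zeros, upper-case hex, "::"
        # compression) must not affect the result.
        return "addr", ipaddress.ip_address(entry)
    except ValueError:
        return "name", entry


def _name_matches(pattern, host):
    """Hostname rule: patterns with shell wildcards are matched
    case-insensitively against both the short and the fully qualified
    name; a plain name is compared with the FQDN when it contains a dot,
    otherwise with the short name."""
    if any(c in pattern for c in "*?[]"):
        return any(fnmatch.fnmatchcase(n.lower(), pattern.lower())
                   for n in (host.shost, host.lhost))
    target = host.lhost if "." in pattern else host.shost
    return pattern.lower() == target.lower()


def host_entry_matches(entry, host):
    """True if one sudoHost value applies to `host`."""
    kind, value = _parse_entry(entry)
    if kind == "all":
        return True
    if kind == "name":
        return _name_matches(value, host)
    addrs = [ipaddress.ip_address(a) for a in host.addrs]
    if kind == "net":
        return any(a in value for a in addrs)   # False across IP versions
    return any(a == value for a in addrs)


def rule_applies_to_host(sudo_hosts, host):
    """A sudoRole's host part is satisfied if any sudoHost value matches."""
    return any(host_entry_matches(e, host) for e in sudo_hosts)


# Constructed hosts (not from the report): one inside all three ranges,
# one outside them.  fd6d:8d64:af0c:0:100::1 has 0x01 in bits 64-71, so
# it falls outside FD6D:8D64:AF0C::/72; 192.168.10.70 is past .63 of /26.
INSIDE = Host("box1", "box1.my-domain.com",
              ["192.168.10.40", "fd6d:8d64:af0c::8", "fd6d:8d64:af0c:0:ff::1"])
OUTSIDE = Host("box2", "box2.my-domain.com",
               ["192.168.10.70", "fd6d:8d64:af0c:0:100::1"])

# The sudoHost values of the three rule_allow variants in the report.
REPORT_RULES = {
    "a) bare IPv6":   ["FD6D:8D64:AF0C:0000:0000:0000:0000:0008"],
    "b) IPv6/prefix": ["FD6D:8D64:AF0C::/72"],
    "c) IPv4/prefix": ["192.168.10.0/26"],
}


def expected_results(host):
    """Per rule variant, whether the host part should be satisfied on
    `host`; compare with what `sudo -l` reports on the real machine."""
    return {name: rule_applies_to_host(hosts, host)
            for name, hosts in REPORT_RULES.items()}


if __name__ == "__main__":
    for h in (INSIDE, OUTSIDE):
        print(h.lhost, h.addrs)
        for name, ok in expected_results(h).items():
            print(f"  {name:16} {'match' if ok else 'no match'}")
```

Run it on a workstation, then on the affected machine run `sudo -l` as userallowed with sudoers served by SSSD and again with the LDAP provider: a rule the model marks as a match for that machine's addresses should be listed by both. Note that the test fixture combines `sudoOption: !authenticate` with `sudoUser: ALL` and `sudoCommand: ALL`, so on any host the rule does match it grants passwordless root to every user; keep that directory content confined to a lab.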

Comment 1 Radovan Sroka 2023-08-16 08:56:09 UTC
This bug is going to be migrated.

Contact point for migration questions or issues: rsroka
Guidance for Bugzilla users to test their Jira account or create one if needed:

https://redhat.service-now.com/help?id=kb_article_view&sysparm_article=KB0016394
https://redhat.service-now.com/help?id=kb_article_view&sysparm_article=KB0016694
https://redhat.service-now.com/help?id=kb_article_view&sysparm_article=KB0016774

