Bug 2121524

Summary: SudoHost entry does not work via SSSD provider
Product: Red Hat Enterprise Linux 8
Reporter: nbubakov
Component: sudo
Assignee: Radovan Sroka <rsroka>
Status: CLOSED MIGRATED
QA Contact: BaseOS QE Security Team <qe-baseos-security>
Severity: unspecified
Docs Contact:
Priority: unspecified
Version: 8.6
CC: dapospis
Target Milestone: rc
Keywords: MigratedToJIRA, Triaged
Target Release: ---
Flags: pm-rhel: mirror+
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: 2121523
Environment:
Last Closed: 2023-08-01 11:43:04 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description nbubakov 2022-08-25 18:15:49 UTC
Description of problem:
The sudoRole attribute sudoHost does not match when its value is an IPv6 address, an IPv6 network with a prefix length, or an IPv4 network with a mask and sudo uses the SSSD provider. The same rules work via the LDAP provider.

Version-Release number of selected component (if applicable):
Tested and failed on all RHEL 8 and RHEL 9.

How reproducible:
Every time

Steps to Reproduce:
1. set up sudo to use sssd, using this LDAP data:

  # my-domain.com
  dn: dc=my-domain,dc=com
  objectClass: dcObject
  objectClass: organization
  dc: my-domain
  o: Test server

  # Groups, my-domain.com
  dn: ou=Groups,dc=my-domain,dc=com
  objectClass: top
  objectClass: organizationalunit
  ou: Groups

  # People, my-domain.com
  dn: ou=People,dc=my-domain,dc=com
  objectClass: top
  objectClass: organizationalunit
  ou: People

  # admin, People, my-domain.com
  dn: cn=admin,ou=People,dc=my-domain,dc=com
  objectClass: top
  objectClass: account
  objectClass: posixAccount
  cn: admin
  uidNumber: 11001
  gidNumber: 21001
  homeDirectory: /home/admin
  loginShell: /bin/bash
  uid: admin
  userPassword:: eA==

  # admin, Groups, my-domain.com
  dn: cn=admin,ou=Groups,dc=my-domain,dc=com
  gidNumber: 21001
  objectClass: top
  objectClass: posixGroup
  cn: 21001
  cn: admin

  # userallowed, People, my-domain.com
  dn: cn=userallowed,ou=People,dc=my-domain,dc=com
  objectClass: top
  objectClass: account
  objectClass: posixAccount
  cn: userallowed
  uidNumber: 10001
  gidNumber: 20001
  homeDirectory: /home/userallowed
  loginShell: /bin/bash
  uid: userallowed
  userPassword:: eA==

  # groupallowed, Groups, my-domain.com
  dn: cn=groupallowed,ou=Groups,dc=my-domain,dc=com
  gidNumber: 20001
  objectClass: top
  objectClass: posixGroup
  cn: groupallowed

  # usernotallowed, People, my-domain.com
  dn: cn=usernotallowed,ou=People,dc=my-domain,dc=com
  objectClass: top
  objectClass: account
  objectClass: posixAccount
  cn: usernotallowed
  uidNumber: 10002
  gidNumber: 20002
  homeDirectory: /home/usernotallowed
  loginShell: /bin/bash
  uid: usernotallowed
  userPassword:: eA==

  # groupnotallowed, Groups, my-domain.com
  dn: cn=groupnotallowed,ou=Groups,dc=my-domain,dc=com
  gidNumber: 20002
  objectClass: top
  objectClass: posixGroup
  cn: groupnotallowed

  # Sudoers, my-domain.com
  dn: ou=Sudoers,dc=my-domain,dc=com
  objectClass: top
  objectClass: organizationalUnit
  ou: Sudoers

  # defaults, Sudoers, my-domain.com
  dn: cn=defaults,ou=Sudoers,dc=my-domain,dc=com
  objectClass: top
  objectClass: sudoRole
  cn: defaults
  sudoOption: !authenticate
  sudoOption: !requiretty

2. add one of the following rules to the ldap data:

a) in order to test sudoHost with an IPv6 address, add this rule:

  # rule_allow, Sudoers, my-domain.com
  dn: cn=rule_allow,ou=Sudoers,dc=my-domain,dc=com
  objectClass: top
  objectClass: sudoRole
  cn: rule_allow
  sudoCommand: ALL
  sudoUser: ALL
  sudoHost: FD6D:8D64:AF0C:0000:0000:0000:0000:0008

b) in order to test sudoHost with an IPv6 network and prefix length, add this rule:

  # rule_allow, Sudoers, my-domain.com
  dn: cn=rule_allow,ou=Sudoers,dc=my-domain,dc=com
  objectClass: top
  objectClass: sudoRole
  cn: rule_allow
  sudoCommand: ALL
  sudoUser: ALL
  sudoHost: FD6D:8D64:AF0C::/72

c) in order to test sudoHost with an IPv4 network and mask, add this rule:

  # rule_allow, Sudoers, my-domain.com
  dn: cn=rule_allow,ou=Sudoers,dc=my-domain,dc=com
  objectClass: top
  objectClass: sudoRole
  cn: rule_allow
  sudoCommand: ALL
  sudoUser: ALL
  sudoHost: 192.168.10.0/26


3. check it with the following command:

   $ su - userallowed -c 'sudo true'

Actual results:
sudo fails with a generic error; exit status 1.

Expected results:
userallowed is allowed to run sudo on this host; exit status 0.

Additional info:
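As an added reference check (not part of the bug report, and not sudo or SSSD code), the following evaluates a sudoRole's sudoHost values against a constructed client host the way sudoers(5) describes host matching, so a tester can confirm which of the three rule_allow values above should grant access before attributing a failure to the provider. The client's FQDN (client.my-domain.com) and addresses (192.168.10.33 and fd6d:8d64:af0c::8) are assumed values chosen to fall inside the rules in the report.

```python
import fnmatch
import ipaddress

# Constructed description of the client host under test (assumed values,
# not taken from the bug report): its FQDN and its configured addresses.
HOST_FQDN = "client.my-domain.com"
HOST_ADDRS = ["192.168.10.33", "fd6d:8d64:af0c::8"]


def parse_network(value):
    """Return an ip_network for 'addr', 'addr/prefixlen' or 'addr/dotted-mask';
    None if the value is not an address at all (a hostname or a pattern)."""
    try:
        if "/" in value:
            addr, mask = value.split("/", 1)
            if "." in mask:  # IPv4 dotted netmask, e.g. 192.168.10.0/255.255.255.192
                return ipaddress.ip_network((addr, mask), strict=False)
            return ipaddress.ip_network(value, strict=False)
        return ipaddress.ip_network(value)  # bare address becomes a /32 or /128
    except ValueError:
        return None


def sudo_host_matches(sudo_host, fqdn=HOST_FQDN, addrs=HOST_ADDRS):
    """Evaluate one sudoHost value as sudoers(5) describes host entries:
    'ALL' matches everything; an IP address or network matches if any local
    address lies inside it; anything else is a case-insensitive hostname
    (shell wildcards allowed) compared to the FQDN and the short name.
    Netgroups ('+name') and negated entries are deliberately not handled."""
    if sudo_host == "ALL":
        return True
    net = parse_network(sudo_host)
    if net is not None:
        # An IPv4 address is never "in" an IPv6 network and vice versa.
        return any(ipaddress.ip_address(a) in net for a in addrs)
    pattern = sudo_host.lower()
    short = fqdn.split(".", 1)[0]
    return (fnmatch.fnmatchcase(fqdn.lower(), pattern)
            or fnmatch.fnmatchcase(short.lower(), pattern))


def rule_applies(sudo_hosts, fqdn=HOST_FQDN, addrs=HOST_ADDRS):
    """A sudoRole applies to this host if any of its sudoHost values matches."""
    return any(sudo_host_matches(h, fqdn, addrs) for h in sudo_hosts)


if __name__ == "__main__":
    # The three rule_allow values from the report: each should apply to the host.
    for value in ("FD6D:8D64:AF0C:0000:0000:0000:0000:0008",
                  "FD6D:8D64:AF0C::/72", "192.168.10.0/26"):
        print(f"{value:45} -> {rule_applies([value])}")
```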