761573 – [RFE] Integrate with SUDO utility

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 761573 - [RFE] Integrate with SUDO utility

Summary: [RFE] Integrate with SUDO utility

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 6
Classification:	Red Hat
Component:	sssd
Sub Component:
Version:	6.3
Hardware:	Unspecified
OS:	Unspecified
Priority:	high
Severity:	unspecified
Target Milestone:	rc
Target Release:	---
Assignee:	Jakub Hrozek
QA Contact:	Kaushik Banerjee
Docs Contact:
URL:
Whiteboard:
Depends On:	759480 971009
Blocks:	736854 782183 840699
TreeView+	depends on / blocked

Reported:	2011-12-08 16:14 UTC by Jakub Hrozek
Modified:	2020-05-04 10:30 UTC (History)
CC List:	11 users (show)
Fixed In Version:	sssd-1.9.1-1.el6
Doc Type:	Enhancement
Doc Text:	Cause: sudo rules can be stored in a centralized identity store such as LDAP and fetched over the network. Consequence: When the network is not reachable, the sudo client cannot use the rules from the centralized source. Change: A new sudo responder was implemented in the SSSD as well as a client library in the sudo itself. The SSSD is able to act as a transparent proxy for serving the sudo rules for the sudo binary, Result: When the centralized sudo rules source is not available, for instance when the network is down, the SSSD is able to fall back to cached rules, providing transparent access to sudo rules from a centralized database.
Clone Of:
Clones:	868943 (view as bug list)
Environment:
Last Closed:	2013-02-21 09:34:32 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Github	SSSD sssd issues 1665	0	None	None	None	2020-05-04 10:30:02 UTC
Red Hat Product Errata	RHSA-2013:0508	0	normal	SHIPPED_LIVE	Low: sssd security, bug fix and enhancement update	2013-02-20 21:30:10 UTC

Description Jakub Hrozek 2011-12-08 16:14:47 UTC

Description of problem:
Sudo is able to store its rules in LDAP for easier centralization. However, there is no standardized Name Service Switch Interface and sudo does the lookups on its own.

SSSD will create a new responder/provider pair for downloading and caching SUDO data. A new part of Sudors plugin will be developed that will talk to SSSD using a UNIX socket and fetch the data transparently from SSSD.

The benefits include:
* unified configuration of LDAP servers, timeout parameters, DNS SRV lookups, ...
* only one connection to the LDAP server open
* caching of the sudo rules
* offline access

This feature depends on having a sudo version with pluggable support in RHEL.

Comment 1 Jakub Hrozek 2011-12-08 16:16:54 UTC

Upstream ticket:
https://fedorahosted.org/sssd/ticket/623

Comment 5 RHEL Program Management 2012-07-10 07:07:17 UTC

This request was not resolved in time for the current release.
Red Hat invites you to ask your support representative to
propose this request, if still desired, for consideration in
the next release of Red Hat Enterprise Linux.

Comment 8 RHEL Program Management 2012-07-11 02:02:58 UTC

This request was erroneously removed from consideration in Red Hat Enterprise Linux 6.4, which is currently under development.  This request will be evaluated for inclusion in Red Hat Enterprise Linux 6.4.

Comment 12 Nikolai Kondrashov 2012-11-28 11:29:15 UTC

Mostly works, but there are still some important bugs.

Comment 13 errata-xmlrpc 2013-02-21 09:34:32 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHSA-2013-0508.html

Note You need to log in before you can comment on or make changes to this bug.