Bugzilla (bugzilla.redhat.com) will be under maintenance for infrastructure upgrades and will not be available on July 31st between 12:30 AM - 05:30 AM UTC. We appreciate your understanding and patience. You can follow status.redhat.com for details.
Bug 885105 - sudo denies access with disabled ldap_sudo_use_host_filter
Summary: sudo denies access with disabled ldap_sudo_use_host_filter
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: sssd
Version: 6.4
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: rc
: ---
Assignee: Jakub Hrozek
QA Contact: Kaushik Banerjee
URL:
Whiteboard:
Depends On:
Blocks: 888457
TreeView+ depends on / blocked
 
Reported: 2012-12-07 14:19 UTC by Nikolai Kondrashov
Modified: 2020-05-02 17:09 UTC (History)
5 users (show)

Fixed In Version: sssd-1.9.2-45.el6
Doc Type: Bug Fix
Doc Text:
No documentation needed.
Clone Of:
Environment:
Last Closed: 2013-02-21 09:42:27 UTC
Target Upstream Version:


Attachments (Terms of Use)
sudo_host_filter_test.ldif (3.06 KB, text/plain)
2012-12-07 14:22 UTC, Nikolai Kondrashov
no flags Details
sssd.conf (533 bytes, text/plain)
2012-12-07 14:22 UTC, Nikolai Kondrashov
no flags Details
sssd_LDAP.log (78.71 KB, text/plain)
2012-12-07 14:23 UTC, Nikolai Kondrashov
no flags Details
sssd_sudo.log (13.71 KB, text/plain)
2012-12-07 14:23 UTC, Nikolai Kondrashov
no flags Details


Links
System ID Private Priority Status Summary Last Updated
Github SSSD sssd issues 2743 0 None closed sudo denies access with disabled ldap_sudo_use_host_filter 2020-09-28 13:56:06 UTC
Red Hat Product Errata RHSA-2013:0508 0 normal SHIPPED_LIVE Low: sssd security, bug fix and enhancement update 2013-02-20 21:30:10 UTC

Description Nikolai Kondrashov 2012-12-07 14:19:26 UTC
Description of problem:
sudo denies access when ldap_sudo_use_host_filter is disabled. Also, it seems the "defaults" entry is ignored.

Version-Release number of selected component (if applicable):
sssd-client-1.9.2-34.el6.x86_64
sudo-1.8.6p3-6.el6.x86_64
libsss_idmap-1.9.2-34.el6.x86_64
sssd-1.9.2-34.el6.x86_64
libsss_sudo-1.9.2-34.el6.x86_64

How reproducible:
always

Steps to Reproduce:
1. Use the attached "sudo_host_filter_test.ldif" file to fill LDAP directory.
2. Use the attached "sssd.conf" file as the base for SSSD configuration.
3. Execute "su -c 'sudo -u user2 true' user1 && echo allowed || echo denied" as root.
  
Actual results:
sudo: no tty present and no askpass program specified
denied

Expected results:
allowed

Comment 1 Nikolai Kondrashov 2012-12-07 14:22:02 UTC
Created attachment 659393 [details]
sudo_host_filter_test.ldif

Comment 2 Nikolai Kondrashov 2012-12-07 14:22:31 UTC
Created attachment 659394 [details]
sssd.conf

Comment 3 Nikolai Kondrashov 2012-12-07 14:23:16 UTC
Created attachment 659395 [details]
sssd_LDAP.log

Comment 4 Nikolai Kondrashov 2012-12-07 14:23:46 UTC
Created attachment 659396 [details]
sssd_sudo.log

Comment 6 Jakub Hrozek 2012-12-07 15:57:20 UTC
Upstream ticket:
https://fedorahosted.org/sssd/ticket/1701

Comment 8 Nikolai Kondrashov 2012-12-16 12:45:58 UTC
Verified fixed with the following packages:

sssd-1.9.2-45.el6.x86_64
sssd-client-1.9.2-45.el6.x86_64
sudo-1.8.6p3-6.el6.x86_64
libsss_idmap-1.9.2-45.el6.x86_64
libsss_sudo-1.9.2-45.el6.x86_64

Relevant sudo suite output:

:: [   PASS   ] :: host_filter_off

Comment 9 errata-xmlrpc 2013-02-21 09:42:27 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHSA-2013-0508.html


Note You need to log in before you can comment on or make changes to this bug.