-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of Martin Kosek
Sent: Thursday, January 08, 2015 5:30 AM
To: Pavel Březina; [email protected]
Subject: Re: [Freeipa-users] sudo !requiretty !authenticate
On 01/08/2015 10:45 AM, Pavel Březina wrote:
> On 01/07/2015 06:32 PM, Craig White wrote:
>> Still struggling with this...
>>
>> $ sudo /sbin/service pe-puppet restart
>> [sudo] password for rundeck:
>> Stopping puppet:                                          [  OK  ]
>> Starting puppet:                                          [  OK  ]
>>
>> So it asks for the password even though, via FreeIPA, it isn't required...
>>
>> $ sudo -l
>> Matching Defaults entries for rundeck on this host:
>>     requiretty, !visiblepw, always_set_home, env_reset, env_keep="COLORS
>>     DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS", env_keep+="MAIL PS1
>>     PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE
>>     LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY
>>     LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL
>>     LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY",
>>     secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin
>>
>> User rundeck may run the following commands on this host:
>>     (root) ALL
>>     (ALL) NOPASSWD: ALL
>
> Hi,
> thank you, I was just going to ask you for sudo -l. I believe that the
> problem is that the (root) ALL rule takes precedence. Or, to be more
> precise, the first rule that matches is always applied, unless the
> sudoOrder attribute is present (but that is not supported by IPA, is it?).

JFTR, sudoOrder *is* supported in FreeIPA, since FreeIPA 3.3.4 (upstream
ticket https://fedorahosted.org/freeipa/ticket/4107).

----
I see, said the blind man. Obviously the root/ALL rule is part and parcel of
the RHEL distribution of the sudo package.
$ rpm -q ipa-server
ipa-server-3.0.0-42.el6.x86_64

$ cat sudoOrder.ldif
dn: cn=suoders,cn=Schema Compatibility,cn=plugins,cn=config
changetype: modify
add: schema-compat-entry-attribute
schema-compat-entry-attribute: sudoOrder=%{sudoOrder}

$ ldapmodify -x -h `hostname` -D "cn=Directory Manager" -W -f sudoOrder.ldif
Enter LDAP Password:
modifying entry "cn=suoders,cn=Schema Compatibility,cn=plugins,cn=config"
ldap_modify: No such object (32)
        additional info: Range Check error

bummer :-(

$ ldapsearch -x -h `hostname` -D cn="directory manager" -W -b cn=plugins,cn=config '(cn=sudoers)'
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <cn=plugins,cn=config> with scope subtree
# filter: (cn=sudoers)
# requesting: ALL
#

# sudoers, Schema Compatibility, plugins, config
dn: cn=sudoers,cn=Schema Compatibility,cn=plugins,cn=config
schema-compat-entry-attribute: objectclass=sudoRole
schema-compat-entry-attribute: sudoUser=%ifeq("userCategory","all","ALL","%{externalUser}")
schema-compat-entry-attribute: sudoUser=%ifeq("userCategory","all","ALL","%deref_f(\"memberUser\",\"(objectclass=posixAccount)\",\"uid\")")
schema-compat-entry-attribute: sudoUser=%ifeq("userCategory","all","ALL","%deref_rf(\"memberUser\",\"(&(objectclass=ipaUserGroup)(!(objectclass=posixGroup)))\",\"member\",\"(|(objectclass=ipaUserGroup)(objectclass=posixAccount))\",\"uid\")")
schema-compat-entry-attribute: sudoUser=%ifeq("userCategory","all","ALL","%%%deref_f(\"memberUser\",\"(objectclass=posixGroup)\",\"cn\")")
schema-compat-entry-attribute: sudoUser=%ifeq("userCategory","all","ALL","+%deref_f(\"memberUser\",\"(objectclass=ipaNisNetgroup)\",\"cn\")")
schema-compat-entry-attribute: sudoHost=%ifeq("hostCategory","all","ALL","%{externalHost}")
schema-compat-entry-attribute: sudoHost=%ifeq("hostCategory","all","ALL","%deref_f(\"memberHost\",\"(objectclass=ipaHost)\",\"fqdn\")")
schema-compat-entry-attribute: sudoHost=%ifeq("hostCategory","all","ALL","%deref_rf(\"memberHost\",\"(&(objectclass=ipaHostGroup)(!(objectclass=mepOriginEntry)))\",\"member\",\"(|(objectclass=ipaHostGroup)(objectclass=ipaHost))\",\"fqdn\")")
schema-compat-entry-attribute: sudoHost=%ifeq("hostCategory","all","ALL","+%deref_f(\"memberHost\",\"(&(objectclass=ipaHostGroup)(objectclass=mepOriginEntry))\",\"cn\")")
schema-compat-entry-attribute: sudoHost=%ifeq("hostCategory","all","ALL","+%deref_f(\"memberHost\",\"(objectclass=ipaNisNetgroup)\",\"cn\")")
schema-compat-entry-attribute: sudoCommand=%ifeq("cmdCategory","all","ALL","%deref(\"memberAllowCmd\",\"sudoCmd\")")
schema-compat-entry-attribute: sudoCommand=%ifeq("cmdCategory","all","ALL","%deref_r(\"memberAllowCmd\",\"member\",\"sudoCmd\")")
schema-compat-entry-attribute: sudoCommand=!%deref("memberDenyCmd","sudoCmd")
schema-compat-entry-attribute: sudoCommand=!%deref_r("memberDenyCmd","member","sudoCmd")
schema-compat-entry-attribute: sudoRunAsUser=%{ipaSudoRunAsExtUser}
schema-compat-entry-attribute: sudoRunAsUser=%deref("ipaSudoRunAs","uid")
schema-compat-entry-attribute: sudoRunAsUser=%ifeq("ipaSudoRunAsUserCategory","all","ALL","%%%deref_f(\"ipaSudoRunAs\",\"(objectclass=posixGroup)\",\"cn\")")
schema-compat-entry-attribute: sudoRunAsGroup=%{ipaSudoRunAsExtGroup}
schema-compat-entry-attribute: sudoOption=%{ipaSudoOpt}
schema-compat-entry-attribute: sudoRunAsGroup=%deref_f("ipaSudoRunAsGroup","(objectclass=posixGroup)","cn")
cn: sudoers
objectClass: top
objectClass: extensibleObject
schema-compat-search-filter: (&(objectclass=ipaSudoRule)(!(compatVisible=FALSE))(!(ipaEnabledFlag=FALSE)))
schema-compat-entry-rdn: %ifeq("ipaEnabledFlag", "FALSE", "DISABLED", "cn=%{cn}")
schema-compat-search-base: cn=sudorules, cn=sudo, dc=stt-internal,dc=local
schema-compat-container-group: ou=SUDOers, dc=stt-internal,dc=local

# search result
search: 2
result: 0 Success

Any hope for me to make this happen on this version, or did I just commit to
having Puppet manage /etc/sudoers on all of the systems?

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project
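The precedence question Pavel raises, as an added illustration that is not part of the thread: in sudo's LDAP and SSSD lookups the sudoRole entries are sorted by sudoOrder, highest first, an absent sudoOrder counts as 0 (sudoers.ldap(5)), and the first entry in that order that matches the user, host and command supplies the runas user and tags (the sudoOption !authenticate that IPA stores is what sudo -l renders as NOPASSWD). The two entries behind "(root) ALL" and "(ALL) NOPASSWD: ALL" in the sudo -l output above carry no sudoOrder, so which one sudo applies depends only on the order the server happened to return them. The script below is a simplified POSIX sh model of that selection, written for this page; the rule records (name, sudoOrder, runas user, option, command) are constructed for the example and are not what the compat tree actually emits.

```shell
#!/bin/sh
# Added example (not from the thread): a simplified model of how sudo's
# LDAP/SSSD lookup picks one of several sudoRole entries that all match.
# Entries are sorted by sudoOrder, highest first; an absent sudoOrder
# counts as 0; the first entry in that order wins.  With every sudoOrder
# at 0 the sort changes nothing and the directory's return order decides.
#
# Constructed rule records, one per line, pipe-separated:
#   name|sudoOrder|sudoRunAsUser|sudoOption|sudoCommand

# winner_record: read rule records on stdin, print the record sudo would
# apply.  The input line number is prepended and used as the tie-breaker so
# equal sudoOrder values keep directory return order (no non-POSIX stable
# sort needed); it is stripped again at the end.
winner_record() {
    awk -F'|' 'NF == 5 { print NR "|" $0 }' |
        sort -t'|' -k3,3nr -k1,1n |
        head -n 1 |
        cut -d'|' -f2-
}

# winner_name: just the name of the winning record.
winner_name() {
    winner_record | cut -d'|' -f1
}

# password_prompted: "yes" unless the winning record carries !authenticate,
# mirroring the "[sudo] password for rundeck:" prompt in the thread.
password_prompted() {
    case "$(winner_record | cut -d'|' -f4)" in
        *'!authenticate'*) echo no ;;
        *) echo yes ;;
    esac
}

# reverse: emit stdin lines in reverse order (simulates the server returning
# the same entries the other way round).
reverse() {
    awk '{ l[NR] = $0 } END { for (i = NR; i > 0; i--) print l[i] }'
}

# The two entries behind "(root) ALL" and "(ALL) NOPASSWD: ALL", as the
# directory returned them in the thread: the root rule first, no sudoOrder.
rules_as_returned() {
    printf '%s\n' \
        'root_all|0|root||ALL' \
        'all_nopasswd|0|ALL|!authenticate|ALL'
}

# Same two entries with sudoOrder=10 on the rule that is meant to win.
rules_with_order() {
    printf '%s\n' \
        'root_all|0|root||ALL' \
        'all_nopasswd|10|ALL|!authenticate|ALL'
}

prompt_as_returned()        { rules_as_returned | password_prompted; }           # yes
prompt_flipped()            { rules_as_returned | reverse | password_prompted; } # no
prompt_with_order()         { rules_with_order | password_prompted; }            # no
prompt_with_order_flipped() { rules_with_order | reverse | password_prompted; }  # no

# Run stand-alone with "demo" as the argument to print the cases.
if [ "${1:-}" = demo ]; then
    printf 'as returned: %s\nflipped: %s\nwith sudoOrder: %s\nwith sudoOrder, flipped: %s\n' \
        "$(prompt_as_returned)" "$(prompt_flipped)" \
        "$(prompt_with_order)" "$(prompt_with_order_flipped)"
fi
```

The point of the flipped case is that nothing in the two rules changed; only the return order did, and the prompt appears or disappears with it. Giving the !authenticate rule a sudoOrder makes the outcome independent of return order, which is what Martin's reference to 3.3.4 buys.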

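The ldapmodify in the session above fails with "No such object (32)" because sudoOrder.ldif targets cn=suoders,cn=Schema Compatibility,cn=plugins,cn=config, while the entry that exists, as the ldapsearch immediately after it shows, is cn=sudoers,... The failure is about the DN, not about the new attribute value. Below is an added example, not from the thread or the FreeIPA project, with the corrected LDIF and a pre-flight check that refuses to run ldapmodify unless the target DN is present in a listing of the compat plugin subtree. SAMPLE_LISTING is constructed from the thread's own ldapsearch output, and the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the thread or FreeIPA).  The thread's LDIF pointed
# at cn=suoders,... and got "No such object (32)"; the plugin entry is
# cn=sudoers,...  Keep the corrected LDIF in one place and check the DN
# against the server before modifying anything.

# The corrected LDIF: only the DN differs from the thread's sudoOrder.ldif.
sudoorder_ldif() {
    cat <<'EOF'
dn: cn=sudoers,cn=Schema Compatibility,cn=plugins,cn=config
changetype: modify
add: schema-compat-entry-attribute
schema-compat-entry-attribute: sudoOrder=%{sudoOrder}
EOF
}

# ldif_dn: print the target DN of an LDIF on stdin (first "dn:" line).
ldif_dn() {
    sed -n 's/^dn:[[:space:]]*//p' | head -n 1
}

# dn_in_listing DN: exit 0 if DN is one of the "dn:" lines on stdin.
# (These DNs are short enough that ldapsearch does not fold them; a folded
# line, continued with a leading space, would need unfolding first.)
dn_in_listing() {
    sed -n 's/^dn:[[:space:]]*//p' | grep -Fqx -- "$1"
}

# The DN the thread's original sudoOrder.ldif targeted, for comparison.
MISTYPED_DN='cn=suoders,cn=Schema Compatibility,cn=plugins,cn=config'

# Constructed stand-in for the dn: lines of
#   ldapsearch -x -LLL -h "$(hostname)" -D 'cn=Directory Manager' -W \
#       -b 'cn=Schema Compatibility,cn=plugins,cn=config' dn
# on the server in the thread (the cn=sudoers entry is taken from its output).
SAMPLE_LISTING='dn: cn=Schema Compatibility,cn=plugins,cn=config
dn: cn=sudoers,cn=Schema Compatibility,cn=plugins,cn=config'

# check_target LISTING: exit 0 when the corrected LDIF's DN appears in LISTING.
check_target() {
    dn=$(sudoorder_ldif | ldif_dn)
    printf '%s\n' "$1" | dn_in_listing "$dn"
}

# apply_sudoorder: the live version.  Lists the compat plugin subtree, and
# only if the target DN is there feeds the LDIF to ldapmodify (same bind
# options as the thread; both tools prompt for the Directory Manager password).
apply_sudoorder() {
    listing=$(ldapsearch -x -LLL -h "$(hostname)" -D 'cn=Directory Manager' -W \
        -b 'cn=Schema Compatibility,cn=plugins,cn=config' dn) || return 1
    if check_target "$listing"; then
        sudoorder_ldif | ldapmodify -x -h "$(hostname)" -D 'cn=Directory Manager' -W
    else
        echo "target DN not found under cn=Schema Compatibility; nothing modified" >&2
        return 1
    fi
}
```

Two caveats for anyone trying this on 3.0.0. First, the mapping only produces a sudoOrder in the compat tree if the ipaSudoRule entries under cn=sudorules,cn=sudo,... actually carry a sudoOrder attribute; the thread does not settle whether the 3.0.0 schema permits that (the 3.3.4 change Martin cites is where upstream added the support), so check a rule entry there before relying on the mapping. Second, both commands use a simple bind as Directory Manager over plain LDAP to `hostname`; that is fine on the server itself, but from any other host add -ZZ (StartTLS) so the password does not cross the network in clear text.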