-----Original Message-----
From: Rob Crittenden [mailto:[email protected]]
Sent: Thursday, January 08, 2015 9:33 AM
To: Craig White; Martin Kosek; Pavel Březina; [email protected]
Subject: Re: [Freeipa-users] sudo !requiretty !authenticate

Craig White wrote:
> -----Original Message-----
> From: [email protected]
> [mailto:[email protected]] On Behalf Of Martin Kosek
> Sent: Thursday, January 08, 2015 5:30 AM
> To: Pavel Březina; [email protected]
> Subject: Re: [Freeipa-users] sudo !requiretty !authenticate
>
> On 01/08/2015 10:45 AM, Pavel Březina wrote:
>> On 01/07/2015 06:32 PM, Craig White wrote:
>>> Still struggling with this...
>>>
>>> $ sudo /sbin/service pe-puppet restart
>>> [sudo] password for rundeck:
>>> Stopping puppet:                                           [  OK  ]
>>> Starting puppet:                                           [  OK  ]
>>>
>>> So it asks for the password even though, via FreeIPA, it isn't required...
>>>
>>> $ sudo -l
>>> Matching Defaults entries for rundeck on this host:
>>>     requiretty, !visiblepw, always_set_home, env_reset,
>>>     env_keep="COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS",
>>>     env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE",
>>>     env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES",
>>>     env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE",
>>>     env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY",
>>>     secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin
>>>
>>> User rundeck may run the following commands on this host:
>>>     (root) ALL
>>>     (ALL) NOPASSWD: ALL
>>
>> Hi,
>> thank you, I was just going to ask you for sudo -l. I believe that
>> the problem is that the (root) ALL rule takes precedence. Or to be more
>> precise, the first rule that matches is always applied, unless the
>> sudoOrder attribute is present (but that is not supported by IPA, is it?).
>
> JFTR, sudoOrder *is* supported in FreeIPA, since FreeIPA 3.3.4 (upstream
> ticket https://fedorahosted.org/freeipa/ticket/4107).
>
> ----
> I see, said the blind man. Obviously the root/ALL rule is part and parcel of
> the RHEL distribution of the sudo package.
>
> $ rpm -q ipa-server
> ipa-server-3.0.0-42.el6.x86_64
>
> $ cat sudoOrder.ldif
> dn: cn=suoders,cn=Schema Compatibility,cn=plugins,cn=config
> changetype: modify
> add: schema-compat-entry-attribute
> schema-compat-entry-attribute: sudoOrder=%{sudoOrder}
>
> $ ldapmodify -x -h `hostname` -D "cn=Directory Manager" -W -f sudoOrder.ldif
> Enter LDAP Password:
> modifying entry "cn=suoders,cn=Schema Compatibility,cn=plugins,cn=config"
> ldap_modify: No such object (32)
>         additional info: Range Check error
>
> bummer :-(

You have a typo, suoders instead of sudoers.

You might also experiment with the order in the sudoers entry in
/etc/nsswitch.conf; try "sss files". Or, if you don't intend on storing any
rules in files, perhaps drop it.

----
Thanks for catching my typo - my bad.

This is interesting. First tried 'sss files' and then just 'sss' for sudoers
in nsswitch.conf, but no go.

$ sudo -l
We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:

    #1) Respect the privacy of others.
    #2) Think before you type.
    #3) With great power comes great responsibility.

[sudo] password for rundeck:
Matching Defaults entries for rundeck on this host:
    !requiretty

User rundeck may run the following commands on this host:
    (root) ALL
    (ALL) NOPASSWD: ALL

So !authenticate doesn't show up even though I have had the rule in IPA for
2 days now.

$ ipa sudorule-show rundeck
  Rule name: rundeck
  Enabled: TRUE
  Host category: all
  Command category: all
  RunAs User category: all
  RunAs Group category: all
  Users: rundeck
  Sudo Option: !authenticate

That '(root) ALL' rule doesn't come from /etc/sudoers as I thought, because
nsswitch.conf presently only uses sss for sudoers. I still don't see where it
actually comes from though...

$ ldapsearch -x -h `hostname` -D "cn=Directory Manager" -W -b ou=sudoers,dc=stt,dc=local
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <ou=sudoers,dc=stt,dc=local> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# sudoers, stt.local
dn: ou=sudoers,dc=stt,dc=local
objectClass: extensibleObject
ou: sudoers

# defaults, sudoers, stt.local
dn: cn=defaults,ou=sudoers,dc=stt,dc=local
objectClass: sudoRole
sudoOption: !requiretty
cn: defaults

# rundeck, sudoers, stt.local
dn: cn=rundeck,ou=sudoers,dc=stt,dc=local
objectClass: sudoRole
sudoUser: rundeck
sudoHost: ALL
sudoCommand: ALL
sudoRunAsUser: ALL
sudoOption: !authenticate
cn: rundeck

# puppet, sudoers, stt.local
dn: cn=puppet,ou=sudoers,dc=stt,dc=local
objectClass: sudoRole
sudoUser: %puppet
sudoHost: +puppet
sudoCommand: ALL
cn: puppet

# sysengineers, sudoers, stt.local
dn: cn=sysengineers,ou=sudoers,dc=stt,dc=local
objectClass: sudoRole
sudoUser: %sysengineer
sudoHost: ALL
sudoCommand: ALL
cn: sysengineers

# sysadmins, sudoers, stt.local
dn: cn=sysadmins,ou=sudoers,dc=stt,dc=local
objectClass: sudoRole
sudoUser: %sysadmin
sudoHost: ALL
sudoCommand: ALL
cn: sysadmins

# search result
search: 2
result: 0 Success

# numResponses: 7
# numEntries: 6

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project
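The thread turns on two things that are easy to miss when reading a compat-tree dump by eye: which sudoRole entries grant unauthenticated access, and which carry no sudoOrder, so that when several rules match the same user the one sudo applies depends on the order the server happens to return them. The following is an added example, not code from the thread or from FreeIPA: a small audit script that parses LDIF as printed by ldapsearch and reports those properties per rule. The sample input is a constructed copy of the entries posted above, trimmed to four, with a sudoOrder value added to the cn=sysadmins entry purely so the "ordered" case is exercised; that attribute is not in the original dump.

```python
"""Audit sudoRole entries from a FreeIPA compat tree (ou=sudoers) dump.

Added example, not code from the mailing-list thread or from FreeIPA.
Parses ldapsearch-style LDIF and reports, per rule, who is granted what,
whether the rule is passwordless (!authenticate) and whether it has a
sudoOrder so its precedence relative to other matching rules is defined.
"""
from typing import Dict, List

Entry = Dict[str, List[str]]

# Constructed sample: entries from the thread, plus a hypothetical
# sudoOrder on cn=sysadmins so both ordered and unordered rules appear.
SAMPLE_LDIF = """\
# defaults, sudoers, stt.local
dn: cn=defaults,ou=sudoers,dc=stt,dc=local
objectClass: sudoRole
sudoOption: !requiretty
cn: defaults

dn: cn=rundeck,ou=sudoers,dc=stt,dc=local
objectClass: sudoRole
sudoUser: rundeck
sudoHost: ALL
sudoCommand: ALL
sudoRunAsUser: ALL
sudoOption: !authenticate
cn: rundeck

dn: cn=puppet,ou=sudoers,dc=stt,dc=local
objectClass: sudoRole
sudoUser: %puppet
sudoHost: +puppet
sudoCommand: ALL
cn: puppet

dn: cn=sysadmins,ou=sudoers,dc=stt,dc=local
objectClass: sudoRole
sudoUser: %sysadmin
sudoHost: ALL
sudoCommand: ALL
sudoOrder: 10
cn: sysadmins
"""


def parse_ldif(text: str) -> List[Entry]:
    """Parse LDIF into {attribute: [values]} dicts, one per entry.

    Handles '#' comments, blank-line entry separators and folded
    continuation lines (leading space). Base64 ('attr::') values are
    kept undecoded; change records are not supported.
    """
    entries: List[Entry] = []
    current: Entry = {}
    last_key = None
    for raw in text.splitlines():
        if not raw.strip():          # blank line closes the current entry
            if current:
                entries.append(current)
            current, last_key = {}, None
            continue
        if raw.startswith("#"):
            continue
        if raw.startswith(" ") and last_key is not None:
            current[last_key][-1] += raw[1:]   # LDIF line folding
            continue
        key, sep, value = raw.partition(":")
        if not sep:
            continue
        current.setdefault(key, []).append(value.strip())
        last_key = key
    if current:
        entries.append(current)
    return entries


def audit_sudo_roles(entries: List[Entry]) -> Dict[str, Dict[str, object]]:
    """Summarise every sudoRole entry, keyed by its cn."""
    report: Dict[str, Dict[str, object]] = {}
    for e in entries:
        if "sudoRole" not in e.get("objectClass", []) or "cn" not in e:
            continue
        cn, opts = e["cn"][0], e.get("sudoOption", [])
        if cn == "defaults":       # global sudoOption values, not a grant
            report[cn] = {"defaults": opts}
            continue
        report[cn] = {
            "users": e.get("sudoUser", []),
            "runas": e.get("sudoRunAsUser", []),
            "no_password": "!authenticate" in opts,
            "all_cmds_all_hosts": "ALL" in e.get("sudoCommand", [])
            and "ALL" in e.get("sudoHost", []),
            "has_order": "sudoOrder" in e,
        }
    return report


def unordered_rules(report: Dict[str, Dict[str, object]]) -> List[str]:
    """Rules with no sudoOrder: if several of them match one user, which
    one sudo ends up applying depends on the order the server returns."""
    return sorted(cn for cn, r in report.items()
                  if cn != "defaults" and not r["has_order"])


def passwordless_full_access(report: Dict[str, Dict[str, object]]) -> List[str]:
    """Rules granting ALL commands on ALL hosts with !authenticate."""
    return sorted(cn for cn, r in report.items() if cn != "defaults"
                  and r["no_password"] and r["all_cmds_all_hosts"])


if __name__ == "__main__":
    rep = audit_sudo_roles(parse_ldif(SAMPLE_LDIF))
    print("defaults:", rep["defaults"]["defaults"])
    print("passwordless ALL/ALL rules:", passwordless_full_access(rep))
    print("rules without sudoOrder:", unordered_rules(rep))
```

Run it against a real dump with `ldapsearch ... -b ou=sudoers,<basedn> > dump.ldif` and `parse_ldif(open("dump.ldif").read())`; rules listed by both helpers are the ones to reconcile first, since an unordered passwordless rule can silently lose to another unordered rule that still requires a password.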
