On 01/08/2015 07:54 PM, Craig White wrote:
-----Original Message-----
From: Rob Crittenden [mailto:[email protected]]
Sent: Thursday, January 08, 2015 9:33 AM
To: Craig White; Martin Kosek; Pavel Březina; [email protected]
Subject: Re: [Freeipa-users] sudo !requiretty !authenticate
Craig White wrote:
-----Original Message-----
From: [email protected]
[mailto:[email protected]] On Behalf Of Martin Kosek
Sent: Thursday, January 08, 2015 5:30 AM
To: Pavel Březina; [email protected]
Subject: Re: [Freeipa-users] sudo !requiretty !authenticate
On 01/08/2015 10:45 AM, Pavel Březina wrote:
On 01/07/2015 06:32 PM, Craig White wrote:
Still struggling with this...
$ sudo /sbin/service pe-puppet restart
[sudo] password for rundeck:
Stopping puppet: [ OK ]
Starting puppet: [ OK ]
So it asks for the password even though, via FreeIPA, it isn't required...
$ sudo -l
Matching Defaults entries for rundeck on this host:
requiretty, !visiblepw, always_set_home, env_reset, env_keep="COLORS
DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS", env_keep+="MAIL PS1
PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE
LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY
LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL
LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY",
secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin
User rundeck may run the following commands on this host:
(root) ALL
(ALL) NOPASSWD: ALL
Hi,
thank you, I was just going to ask you for sudo -l. I believe that
the problem is that the (root) ALL rule takes precedence. Or to be more
precise, the first rule that matches is always applied, unless the
sudoOrder attribute is present (but that is not supported by IPA, is it?).
JFTR, sudoOrder *is* supported in FreeIPA, since FreeIPA 3.3.4 (upstream ticket
https://fedorahosted.org/freeipa/ticket/4107).
----
I see said the blind man. Obviously the root/ALL rule is part and parcel of
the RHEL distribution of the sudo package.
$ rpm -q ipa-server
ipa-server-3.0.0-42.el6.x86_64
$ cat sudoOrder.ldif
dn: cn=suoders,cn=Schema Compatibility,cn=plugins,cn=config
changetype: modify
add: schema-compat-entry-attribute
schema-compat-entry-attribute: sudoOrder=%{sudoOrder}
$ ldapmodify -x -h `hostname` -D "cn=Directory Manager" -W -f sudoOrder.ldif
Enter LDAP Password:
modifying entry "cn=suoders,cn=Schema Compatibility,cn=plugins,cn=config"
ldap_modify: No such object (32)
additional info: Range Check error
bummer :-(
You have a typo, suoders instead of sudoers.
You might also experiment with the order in the sudoers entry in
/etc/nsswitch.conf, try sss files. Or if you don't intend on storing any rules
in files, perhaps drop it.
----
Thanks for catching my typo - my bad.
This is interesting. First tried 'sss files' and then just 'sss' for sudoers in
nsswitch.conf but no go.
$ sudo -l
We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:
#1) Respect the privacy of others.
#2) Think before you type.
#3) With great power comes great responsibility.
[sudo] password for rundeck:
Matching Defaults entries for rundeck on this host:
!requiretty
User rundeck may run the following commands on this host:
(root) ALL
(ALL) NOPASSWD: ALL
So !authenticate doesn't show up even though I have had the rule in ipa for 2
days now.
Hi,
!authenticate does show up. It shows up as the word NOPASSWD in the rule list.
$ ipa sudorule-show rundeck
Rule name: rundeck
Enabled: TRUE
Host category: all
Command category: all
RunAs User category: all
RunAs Group category: all
Users: rundeck
Sudo Option: !authenticate
That '(root) ALL' rule doesn't come from /etc/sudoers as I thought because
nsswitch.conf presently only uses sss for sudoers. I still don't see where it
actually comes from though...
It may come from any of the rules below except rundeck. What groups is
the user you are running sudo as a member of? If he is a member of one of
the groups puppet, sysadmin or sysengineer, then the rules below containing
sudoCommand: ALL and not containing sudoRunAsUser: ALL show up as
(root) ALL.
$ ldapsearch -x -h `hostname` -D "cn=Directory Manager" -W -b
ou=sudoers,dc=stt,dc=local
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <ou=sudoers,dc=stt,dc=local> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
# sudoers, stt.local
dn: ou=sudoers,dc=stt,dc=local
objectClass: extensibleObject
ou: sudoers
# defaults, sudoers, stt.local
dn: cn=defaults,ou=sudoers,dc=stt,dc=local
objectClass: sudoRole
sudoOption: !requiretty
cn: defaults
# rundeck, sudoers, stt.local
dn: cn=rundeck,ou=sudoers,dc=stt,dc=local
objectClass: sudoRole
sudoUser: rundeck
sudoHost: ALL
sudoCommand: ALL
sudoRunAsUser: ALL
sudoOption: !authenticate
cn: rundeck
# puppet, sudoers, stt.local
dn: cn=puppet,ou=sudoers,dc=stt,dc=local
objectClass: sudoRole
sudoUser: %puppet
sudoHost: +puppet
sudoCommand: ALL
cn: puppet
# sysengineers, sudoers, stt.local
dn: cn=sysengineers,ou=sudoers,dc=stt,dc=local
objectClass: sudoRole
sudoUser: %sysengineer
sudoHost: ALL
sudoCommand: ALL
cn: sysengineers
# sysadmins, sudoers, stt.local
dn: cn=sysadmins,ou=sudoers,dc=stt,dc=local
objectClass: sudoRole
sudoUser: %sysadmin
sudoHost: ALL
sudoCommand: ALL
cn: sysadmins
# search result
search: 2
result: 0 Success
# numResponses: 7
# numEntries: 6
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project
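The diagnosis in the thread is that a second, group-based sudoRole (no sudoRunAsUser, no !authenticate) is matching the same user and being listed as "(root) ALL" next to the intended "(ALL) NOPASSWD: ALL" rule. The following script is an added example, not code from the thread or from FreeIPA or SSSD: it parses the LDIF that was posted above, evaluates which sudoRole entries apply to a given user, group set and host, and renders each matching rule the way `sudo -l` lists it. The user's group membership (rundeck in group sysadmin), the host name and the netgroup set are constructed assumptions; the sudoOrder handling follows sudoers.ldap(5), where matching entries are sorted by sudoOrder and the highest value corresponds to the sudoers file's last-match behaviour. It is a check an administrator can run against an `ldapsearch` dump to see every rule a user picks up, before touching nsswitch.conf or the compat plugin.

```python
"""Which LDAP sudoRole entries apply to a user, rendered as `sudo -l` lists them.

Added example, not part of the mailing-list thread. The LDIF below is the one
posted in the thread (comments dropped); user/group/host inputs are constructed.
"""

# LDIF copied from the thread's ldapsearch output; blank lines separate entries.
SUDOERS_LDIF = """\
dn: cn=defaults,ou=sudoers,dc=stt,dc=local
objectClass: sudoRole
sudoOption: !requiretty
cn: defaults

dn: cn=rundeck,ou=sudoers,dc=stt,dc=local
objectClass: sudoRole
sudoUser: rundeck
sudoHost: ALL
sudoCommand: ALL
sudoRunAsUser: ALL
sudoOption: !authenticate
cn: rundeck

dn: cn=puppet,ou=sudoers,dc=stt,dc=local
objectClass: sudoRole
sudoUser: %puppet
sudoHost: +puppet
sudoCommand: ALL
cn: puppet

dn: cn=sysengineers,ou=sudoers,dc=stt,dc=local
objectClass: sudoRole
sudoUser: %sysengineer
sudoHost: ALL
sudoCommand: ALL
cn: sysengineers

dn: cn=sysadmins,ou=sudoers,dc=stt,dc=local
objectClass: sudoRole
sudoUser: %sysadmin
sudoHost: ALL
sudoCommand: ALL
cn: sysadmins
"""


def parse_ldif(text):
    """Parse simple (unwrapped, unencoded) LDIF into a list of attribute -> [values] dicts."""
    entries, current = [], {}
    for line in text.splitlines():
        if not line.strip():            # blank line ends an entry
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):        # ldapsearch comment lines
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr.strip(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries


def user_matches(rule, user, groups):
    """sudoUser: literal user name, %group, or ALL."""
    for spec in rule.get("sudoUser", []):
        if spec in ("ALL", user) or (spec.startswith("%") and spec[1:] in groups):
            return True
    return False


def host_matches(rule, host, netgroups):
    """sudoHost: literal host name, +netgroup, or ALL."""
    for spec in rule.get("sudoHost", []):
        if spec in ("ALL", host) or (spec.startswith("+") and spec[1:] in netgroups):
            return True
    return False


def render(rule):
    """Render a rule as `sudo -l` does: (runas) [NOPASSWD: ]commands.
    Without sudoRunAsUser sudo falls back to runas_default, which is root,
    and !authenticate is displayed as the NOPASSWD tag."""
    runas = ", ".join(rule.get("sudoRunAsUser", ["root"]))
    tag = "NOPASSWD: " if "!authenticate" in rule.get("sudoOption", []) else ""
    return f"({runas}) {tag}{', '.join(rule.get('sudoCommand', []))}"


def default_options(ldif):
    """Options carried by the special cn=defaults entry (the Defaults line in sudo -l)."""
    for e in parse_ldif(ldif):
        if e.get("cn") == ["defaults"]:
            return e.get("sudoOption", [])
    return []


def effective_rules(ldif, user, groups, host, netgroups=()):
    """Return [(cn, rendered)] for every sudoRole matching user/groups/host.
    Sorted by sudoOrder (missing = 0) so the last entry is the one that wins
    on conflict, mirroring the sudoers file's last-match rule."""
    matched = [e for e in parse_ldif(ldif)
               if "sudoRole" in e.get("objectClass", [])
               and e.get("cn") != ["defaults"]
               and user_matches(e, user, set(groups))
               and host_matches(e, host, set(netgroups))]
    matched.sort(key=lambda e: float(e.get("sudoOrder", ["0"])[0]))  # stable: LDIF order on ties
    return [(e["cn"][0], render(e)) for e in matched]


if __name__ == "__main__":
    # Constructed scenario: rundeck is also a member of group sysadmin.
    print("Defaults:", ", ".join(default_options(SUDOERS_LDIF)))
    for cn, line in effective_rules(SUDOERS_LDIF, "rundeck", {"sysadmin"}, "box1.stt.local"):
        print(f"{cn:12} {line}")
```

With the constructed membership the script lists both the rundeck rule as "(ALL) NOPASSWD: ALL" and the sysadmins rule as "(root) ALL", reproducing the two lines seen in the thread; drop the sysadmin group and only the NOPASSWD rule remains, which is the quickest way to confirm where the extra "(root) ALL" entry comes from. Because neither entry carries sudoOrder, both sort to 0 and their relative order is whatever the directory returns, which is exactly the ambiguity the sudoOrder attribute is meant to remove.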