On 09/15/2015 01:37 PM, Jakub Hrozek wrote:
> On Tue, Sep 15, 2015 at 01:58:07PM +0300, Alexander Bokovoy wrote:
>> On Tue, 15 Sep 2015, Molnár Domokos wrote:
>>>> #hostnamectl set-hostname nappali.silva on modern systems.
>>>
>>> doma@nappali:/home/doma> hostname --fqdn
>>> nappali.szilva
>>> doma@nappali:/home/doma> su
>>> Password:
>>> nappali:/home/doma # hostnamectl set-hostname nappali.szilva
>>> nappali:/home/doma # hostname
>>> nappali.szilva
>>> nappali:/home/doma # hostname --fqdn
>>> nappali.szilva
>>> nappali:/home/doma # su doma
>>> sh-4.2$ sudo ls
>>> doma's password:
>>> 20140921.ZIP
>>> Oracle_VM_VirtualBox_Extension_Pack-4.3.26-98988.vbox-extpack
>>> 42646515_eb8d7dcabe416247463f1bc8652adced.pdf
>>>
>>> Now it works, the rule is matched. I'm not sure this is the intended way,
>>> especially seeing the fqdn mechanism in the sudo code, but I'll just keep
>>> it that way. Thank you.
>>
>> sudo doesn't do normalization, and IPA's way of exposing host names is by
>> using fqdn by default. So sudo compares the local hostname with the
>> fqdn-based one; guess which way it will succeed? You theoretically could
>> have every hostname in IPA registered non-fqdn, but what you cannot have is
>> a mix between fqdn and non-fqdn names.
>
> You can have registered a different hostname with IPA than what hostname(1)
> reports; we have an ipa_hostname parameter for that. But there's no way for
> sudo to learn about it..

You may well be right, but I still think this is a bug in the sudo/sssd plugin. Here's why I think so:

@line 582 in sssd.c, when calling hostname_matches, it is a clear intention of the code that the hostname matching is done both against the fqdn and the naked hostname.

@lines 773-790 the implementation of hostname_matches(..) is done correctly. It guesses intelligently and chooses to match either against the fqdn or the naked hostname based on the format of the hostname provided by IPA. If there is a '.' in the IPA-provided hostname, then the hostname is compared to the fqdn; otherwise it is compared to the bare hostname.

@line 805 in sudoers.c, in set_fqdn, the fqdn is correctly retrieved for the host during initialization, so sudo is indeed aware of both hostname versions. I tested this part and it works OK.

The bug, I think, is that the information correctly retrieved during init through set_fqdn in sudoers.c somehow does not make its way to line 582 in sssd.c. There both user_shost and user_host seem to contain the naked hostname, unless the bare hostname contains the fqdn itself. I do not have enough time to find out why this happens, but the above evidence suggests that there is a bug somewhere in the process.
-- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
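Added example (not code from the thread, sudo or SSSD): a small C model of the host-matching rule described above, where a rule host containing '.' is compared against the FQDN and a bare rule host against the short host name. The function name hostname_matches, the use of fnmatch(3) for wildcard rule hosts, and the three "before / after hostnamectl" scenarios are assumptions built from the discussion; the host names nappali and nappali.szilva are taken from the session pasted in the thread.

```c
/* Model of the sudo/SSSD host-matching logic discussed in the thread.
 * Assumption: a rule host containing '.' is matched against the long
 * (FQDN) name, anything else against the short name; wildcards are
 * handled with fnmatch(3). This is illustrative, not sudo's own code. */
#include <stdio.h>
#include <string.h>
#include <strings.h>
#include <fnmatch.h>

/* shost:     short host name, what hostname(1) reports
 * lhost:     fully qualified name resolved at initialisation (set_fqdn)
 * rule_host: host field of the sudo rule as exposed by IPA
 * Returns 1 on match, 0 otherwise. */
int hostname_matches(const char *shost, const char *lhost, const char *rule_host)
{
    /* Pick the comparison target from the format of the rule host. */
    const char *target = strchr(rule_host, '.') != NULL ? lhost : shost;

    if (strcasecmp(rule_host, target) == 0)
        return 1;                       /* exact, case-insensitive match */
    return fnmatch(rule_host, target, 0) == 0;   /* wildcard rule host */
}

/* Scenario from the thread: the IPA rule carries the FQDN nappali.szilva.
 * Returns 1 when the rule would match for the given local host names. */
int rule_applies(const char *shost, const char *lhost)
{
    return hostname_matches(shost, lhost, "nappali.szilva");
}

int main(void)
{
    /* Intended case: short name and FQDN both known to sudo. */
    printf("shost=nappali lhost=nappali.szilva -> %d\n",
           rule_applies("nappali", "nappali.szilva"));

    /* Observed case (assumption modelled from the report): user_host also
     * holds the naked host name, so an FQDN rule cannot match. */
    printf("shost=nappali lhost=nappali        -> %d\n",
           rule_applies("nappali", "nappali"));

    /* After 'hostnamectl set-hostname nappali.szilva': the bare host name
     * now contains the FQDN itself, which is why the rule started matching. */
    printf("shost=nappali.szilva lhost=nappali.szilva -> %d\n",
           rule_applies("nappali.szilva", "nappali.szilva"));

    return 0;
}
```

Compile with `cc -o hostmatch hostmatch.c && ./hostmatch`; the middle scenario is the only one printing 0, which is the situation the report describes before the hostname was changed.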