On 09/15/2015 01:37 PM, Jakub Hrozek wrote:
>On Tue, Sep 15, 2015 at 01:58:07PM +0300, Alexander Bokovoy wrote:

>>On Tue, 15 Sep 2015, Molnár Domokos wrote:

>>>>#hostnamectl set-hostname nappali.silva on modern systems.

>>>>>doma@nappali:/home/doma> hostname --fqdn nappali.szilva

>>>doma@nappali:/home/doma> su Password: nappali:/home/doma # hostnamectl 
>>>set-hostname nappali.szilva nappali:/home/doma # hostname nappali.szilva 
>>>nappali:/home/doma # hostname --fqdn nappali.szilvanappali:/home/doma # su 
>>>doma sh-4.2$ sudo ls doma's password: 20140921.ZIP 
>>>42646515_eb8d7dcabe416247463f1bc8652adced.pdf Now it works, the rule is 
>>>matched.I'm not sure this is the intended way especially seeing the fqdn 
>>>mechanism in the sudo code but I'll just keep it that way.Thank you.

>>sudo doesn't do normalization and IPA's way of exposing host names is 
>>by using by default fqdn. So sudo compares local hostname with fqdn-based 
>>one, guess which way it will succeed? You theoretically could have every 
>>hostname in IPA registered non-fqdn but what you cannot have is a mix between 
>>fqdn- and non-fqdn names.

>You can have registered a different hostname with IPA than what hostname(1) 
>reports, we have an ipa_hostname parameter for that. But there's no way 
>for sudo to learn about it..
You may well be right but I still think this is a bug in sudo/sssd plugin. 
Here's why I think so:

@line  582 in sssd.c when calling hostname_matches it is a clear intention of 
the code that the hostname matching is done both against the fqdn and the naked 

@lines 773-790 the implementation of hostname_matches(..) is done correctly. It 
guesses intelligently and chooses to match either against the fqdn or the naked 
hostname based on the format of the hostname provided by IPA. If there is a 
'.' in the IPA provided hostname name then the hostname compared to the 
fqdn otherwise it is compared to the bare hostname.

@line 805 in sudoers.c in set_fqdn the fqdn is correctly retrieved for the host 
during initialization - so sudo is indeed aware of both host name versions. I 
tested this part it it works OK.

The bug - I think - is that the information correctly retrieved during init 
through set_fqdn in sudoers.c somehow does not make its way to line 582 in 
sssd.c. There both user_shost and user_host seem to contain the naked hostname 
unless the bare hostaname contains the fqdn itself.

I do not have enough time to find out why this happens but the above evidence 
suggests that there is a bug somewhere in the process.
Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project

Reply via email to