On 09/15/2015 01:37 PM, Jakub Hrozek wrote:
>On Tue, Sep 15, 2015 at 01:58:07PM +0300, Alexander Bokovoy wrote:
>>On Tue, 15 Sep 2015, Molnár Domokos wrote:
>>>>#hostnamectl set-hostname nappali.silva on modern systems.
>>>>>doma@nappali:/home/doma> hostname --fqdn
>>>>>nappali.szilva
>>>doma@nappali:/home/doma> su
>>>Password:
>>>nappali:/home/doma # hostnamectl set-hostname nappali.szilva
>>>nappali:/home/doma # hostname
>>>nappali.szilva
>>>nappali:/home/doma # hostname --fqdn
>>>nappali.szilva
>>>nappali:/home/doma # su doma
>>>sh-4.2$ sudo ls
>>>doma's password:
>>>20140921.ZIP  42646515_eb8d7dcabe416247463f1bc8652adced.pdf
>>>Now it works, the rule is matched. I'm not sure this is the intended way,
>>>especially seeing the fqdn mechanism in the sudo code, but I'll just keep it
>>>that way. Thank you.
>>sudo doesn't do normalization and IPA's way of exposing host names is
>>by using fqdn by default. So sudo compares the local hostname with the
>>fqdn-based one; guess which way it will succeed? You theoretically could have
>>every hostname in IPA registered non-fqdn, but what you cannot have is a mix
>>between fqdn and non-fqdn names.
>You can have registered a different hostname with IPA than what hostname(1)
>reports, we have an ipa_hostname parameter for that. But there's no way
>for sudo to learn about it.
You may well be right but I still think this is a bug in the sudo/sssd plugin.
Here's why I think so:

@line 582 in sssd.c, when calling hostname_matches, it is a clear intention of
the code that the hostname matching is done both against the fqdn and the naked

@lines 773-790 the implementation of hostname_matches(..) is done correctly. It
guesses intelligently and chooses to match either against the fqdn or the naked
hostname based on the format of the hostname provided by IPA. If there is a
'.' in the IPA-provided hostname then the hostname is compared to the
fqdn, otherwise it is compared to the bare hostname.

@line 805 in sudoers.c in set_fqdn the fqdn is correctly retrieved for the host
during initialization - so sudo is indeed aware of both host name versions. I
tested this part and it works OK.

The bug - I think - is that the information correctly retrieved during init
through set_fqdn in sudoers.c somehow does not make its way to line 582 in
sssd.c. There both user_shost and user_host seem to contain the naked hostname
unless the bare hostname contains the fqdn itself.

I do not have enough time to find out why this happens but the above evidence
suggests that there is a bug somewhere in the process.
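To make the matching rule discussed in this thread concrete, the following is an added illustrative reimplementation in C; it is not sudo's own sssd.c or sudoers.c code, the host names are the ones from the thread, and the case-insensitive comparison is an assumption.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Matching rule as described in the thread (illustrative, not sudo's source):
 * a sudoHost value from IPA that contains a '.' is compared against the local
 * FQDN (lhost); otherwise it is compared against the short name (shost).
 * Case-insensitive comparison is assumed, as DNS names are case-insensitive. */
bool hostname_matches(const char *shost, const char *lhost, const char *pattern)
{
    const char *host = (strchr(pattern, '.') != NULL) ? lhost : shost;
    return strcasecmp(host, pattern) == 0;
}

/* Derive the short host name from an FQDN: everything before the first '.'. */
static void short_hostname(const char *fqdn, char *out, size_t outlen)
{
    size_t n = strcspn(fqdn, ".");
    if (n >= outlen)
        n = outlen - 1;
    memcpy(out, fqdn, n);
    out[n] = '\0';
}

int main(void)
{
    /* Constructed sample: the sudoHost value an IPA sudo rule would carry. */
    const char *sudo_host = "nappali.szilva";
    char shost[64];
    short_hostname(sudo_host, shost, sizeof shost);

    /* After `hostnamectl set-hostname nappali.szilva`: the FQDN is known
     * locally, the '.' in sudo_host selects the FQDN branch, the rule matches. */
    printf("fqdn known : %s\n",
           hostname_matches(shost, "nappali.szilva", sudo_host) ? "match" : "no match");

    /* The situation the thread suspects: both user_shost and user_host hold
     * only the bare name, so the FQDN branch compares "nappali" to
     * "nappali.szilva" and the rule is never matched. */
    printf("bare only  : %s\n",
           hostname_matches("nappali", "nappali", sudo_host) ? "match" : "no match");

    /* A rule registered with a short name matches the short name regardless. */
    printf("short rule : %s\n",
           hostname_matches("nappali", "nappali", "nappali") ? "match" : "no match");
    return 0;
}
```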
Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project