On 10/09/2015 01:36 PM, Karl Forner wrote:
Ok, that was it:
sssd Version: 1.12.5-1~trusty1

I inverted the sudoOrders:
sudo -l
Matching Defaults entries for karl on xxxx:
     env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User karl may run the following commands on xxxx:
     (ALL) NOPASSWD: /usr/bin/less
     (root) NOPASSWD: /usr/bin/git status, /usr/local/bin/git status
     (root) NOPASSWD: /bin/chgrp qbstaff *, /bin/chmod g[+-]* *,
/bin/chmod -R g[+-]* *
     (ALL) ALL
     (ALL) ALL


and I can use sudo less without password.

Thanks a lot.

Thanks. Please, keep in mind that we changed the default to the correct order in sssd 1.13.1. Therefore if you update sssd you will either have to invert the order again or set sudo_inverse_order = true in [sudo] in /etc/sssd/sssd.conf.



On Thu, Oct 8, 2015 at 5:26 PM, Pavel Březina <pbrez...@redhat.com> wrote:
On 10/08/2015 04:26 PM, Karl Forner wrote:

Hi,


you are prompted for a password because the (ALL) ALL rule is applied because
of the last-match rule. See:
http://www.sudo.ws/man/1.8.13/sudoers.ldap.man.html sudoOrder.


Ok. I updated the rules to use a sudoorder attribute of 100 for the
/usr/bin/less sudo rule.
Now, if I type in a terminal:
%sudo -l
Matching Defaults entries for karl on midgard:
      env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User karl may run the following commands on xxxx:
      (ALL) ALL
      (root) NOPASSWD: /usr/bin/git status, /usr/local/bin/git status
      (ALL) ALL
      (ALL) NOPASSWD: /usr/bin/less

so my less rule is the last one. So far so good.

%sudo -l less
/usr/bin/less

but if I type in a new terminal:
%sudo less .bashrc
[sudo] password for karl:

I am prompted to type in a password.

So there seems to be a problem, right?

Regards,
Karl


Hi,
we have a bug in sssd in versions prior to 1.13.1:
https://fedorahosted.org/sssd/ticket/2682

where the sudoOrder attribute is treated the other way around. Please try
inverting the order. What version of sssd do you use?
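
The ordering problem discussed in this thread, as an added example that is not part of the original messages and is not sssd or sudo code: a small Python model of which sudoRole decides a command under the documented highest-sudoOrder-wins rule and under the inverted handling reported for sssd before 1.13.1. The role names and sudoOrder values are constructed for illustration.

```python
# Added illustration: a constructed model of sudoOrder resolution.
# Not sssd or sudo source code; role names and order values are made up.
from dataclasses import dataclass


@dataclass(frozen=True)
class SudoRole:
    cn: str             # hypothetical role name
    command: str        # "ALL" or an absolute path
    nopasswd: bool      # True if the role carries !authenticate / NOPASSWD
    order: float = 0.0  # sudoOrder; sudoers.ldap assumes 0 when absent


def winning_rule(roles, command, inverted=False):
    """Return the role that decides `command`, or None if nothing matches.

    Per sudoers.ldap, the matching entry with the highest sudoOrder wins
    ("last match"). inverted=True models the reversed handling the thread
    reports for sssd before 1.13.1, where the lowest value wins instead.
    """
    matches = [r for r in roles if r.command in ("ALL", command)]
    if not matches:
        return None
    pick = min if inverted else max
    return pick(matches, key=lambda r: r.order)


def changes_on_upgrade(roles, commands):
    """Commands whose deciding role differs between the two orderings."""
    changed = []
    for cmd in commands:
        old = winning_rule(roles, cmd, inverted=True)
        new = winning_rule(roles, cmd, inverted=False)
        if old != new:
            changed.append((cmd, old.cn, new.cn))
    return changed


# First attempt in the thread: the less rule gets sudoOrder 100.
INITIAL = [SudoRole("allow-all", "ALL", False, 0),
           SudoRole("less-nopasswd", "/usr/bin/less", True, 100)]
# Workaround for the inverted handling: the less rule gets the lowest value.
WORKAROUND = [SudoRole("allow-all", "ALL", False, 100),
              SudoRole("less-nopasswd", "/usr/bin/less", True, 0)]

if __name__ == "__main__":
    for name, roles in (("initial", INITIAL), ("workaround", WORKAROUND)):
        for cmd, old, new in changes_on_upgrade(roles, ["/usr/bin/less", "/bin/ls"]):
            print(f"{name}: {cmd} decided by {old} (inverted) vs {new} (documented)")
```

Running `changes_on_upgrade` over the commands you rely on lists the rules whose outcome flips once the sssd ordering changes, which is where a NOPASSWD rule can silently start or stop applying.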

