Re: [Freeipa-users] IPA and SSSD sudo
On Wed, Feb 15, 2017 at 02:44:18PM +0100, Troels Hansen wrote: > The same rule works as expected if defined in the local sudoers file. Then I guess this might be a bug.. > > I think the problem is that secure_path in "Options" from IPA isn't taken > into account. options should be treated just as any other attribute, so more or les transparently. Could you run an ldbsearch of the database to check how was the sudo rule stored to the sssd cache? See: https://fedorahosted.org/sssd/wiki/HOWTO_Troubleshoot_SUDO -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] IPA and SSSD sudo
The same rule works as expected if defined in the local sudoers file. I think the problem is that secure_path in "Options" from IPA isn't taken into account. As described, if I add the path to the one i local sudoers the sudo command from IPA works. - On Feb 15, 2017, at 2:38 PM, Jakub Hrozek jhro...@redhat.com wrote: > On Wed, Feb 15, 2017 at 11:04:47AM +0100, Troels Hansen wrote: >> Hi there >> >> We have a strange problem... >> >> We're trying to override options in sudo rules from IPA, in this case >> secure_path: >> >> sudo -ll reports: >> >> RunAsUsers: root >> Options: requiretty, lecture=always, timestamp_timeout=0, !authenticate, >> secure_path=/bin:/usr/bin:/usr/local/bin >> Commands: >> stopinst >> /usr/local/bin/stopinst >> /usr/local/bin/startinst >> /bin/mount /rman >> /usr/bin/su - root >> >> /usr/local/bin is also in my local path: >> >> $ echo $PATH >> /usr/local/bin:/usr/bin:/usr/local/sbin.. >> >> For easyness, stopinst is currently quite simple: >> >> $ cat /usr/local/bin/stopinst >> #!/bin/bash >> echo stopinst >> echo "Path: $PATH" >> >> I can execute the script a normal user, using full path or just the command: >> $ stopinst >> stopinst >> Path: >> /usr/local/bin:/usr/bin:/usr/local/sbin:/usr/sbin:/home/net.dr.dk/drextrha/.local/bin:/home/net.dr.dk/drextrha/bin >> >> However, trying to execute the script using sudo fails: >> $ sudo stopinst >> [sudo] password for drextrha: >> sudo: stopinst: command not found >> >> Unless using full path: >> $ sudo /usr/local/bin/stopinst >> stopinst >> Path: /bin:/usr/bin:/usr/local/bin >> >> Secure path in sudoers is: >> # grep secure_path /etc/sudoers >> Defaults secure_path = /sbin:/bin:/usr/sbin:/usr/bin >> >> If I change the secure_path in local sudoers to include /usr/local/bin: >> # grep secure_path /etc/sudoers >> Defaults secure_path = /sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin >> >> I can execute the command using sudo: >> >> $ sudo stopinst >> stopinst >> Path: /bin:/usr/bin:/usr/local/bin >> >> S.. something gets overwritten somewhere that shouldn't??? > > We shouldn't rewrite anything on the SSSD side. In general, when it > comes to delivering SUDO rules, SSSD should more or less just act as a > proxy. > > Did you try to define a similar rule locally in /etc/sudoers to see if > the same issue happens with a local rule? That should at least confirm > or deny that the issue might be in SSSD. > > -- > Manage your subscription for the Freeipa-users mailing list: > https://www.redhat.com/mailman/listinfo/freeipa-users > Go to http://freeipa.org for more info on the project -- Med venlig hilsen Troels Hansen Systemkonsulent Casalogic A/S T (+45) 70 20 10 63 M (+45) 22 43 71 57 Red Hat, SUSE, VMware, Citrix, Novell, Yellowfin BI, EnterpriseDB, Sophos og meget mere. -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] IPA and SSSD sudo
On Wed, Feb 15, 2017 at 11:04:47AM +0100, Troels Hansen wrote: > Hi there > > We have a strange problem... > > We're trying to override options in sudo rules from IPA, in this case > secure_path: > > sudo -ll reports: > > RunAsUsers: root > Options: requiretty, lecture=always, timestamp_timeout=0, !authenticate, > secure_path=/bin:/usr/bin:/usr/local/bin > Commands: > stopinst > /usr/local/bin/stopinst > /usr/local/bin/startinst > /bin/mount /rman > /usr/bin/su - root > > /usr/local/bin is also in my local path: > > $ echo $PATH > /usr/local/bin:/usr/bin:/usr/local/sbin.. > > For easyness, stopinst is currently quite simple: > > $ cat /usr/local/bin/stopinst > #!/bin/bash > echo stopinst > echo "Path: $PATH" > > I can execute the script a normal user, using full path or just the command: > $ stopinst > stopinst > Path: > /usr/local/bin:/usr/bin:/usr/local/sbin:/usr/sbin:/home/net.dr.dk/drextrha/.local/bin:/home/net.dr.dk/drextrha/bin > > > However, trying to execute the script using sudo fails: > $ sudo stopinst > [sudo] password for drextrha: > sudo: stopinst: command not found > > Unless using full path: > $ sudo /usr/local/bin/stopinst > stopinst > Path: /bin:/usr/bin:/usr/local/bin > > Secure path in sudoers is: > # grep secure_path /etc/sudoers > Defaults secure_path = /sbin:/bin:/usr/sbin:/usr/bin > > If I change the secure_path in local sudoers to include /usr/local/bin: > # grep secure_path /etc/sudoers > Defaults secure_path = /sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin > > I can execute the command using sudo: > > $ sudo stopinst > stopinst > Path: /bin:/usr/bin:/usr/local/bin > > S.. something gets overwritten somewhere that shouldn't??? We shouldn't rewrite anything on the SSSD side. In general, when it comes to delivering SUDO rules, SSSD should more or less just act as a proxy. Did you try to define a similar rule locally in /etc/sudoers to see if the same issue happens with a local rule? That should at least confirm or deny that the issue might be in SSSD. -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
[Freeipa-users] IPA and SSSD sudo
Hi there We have a strange problem... We're trying to override options in sudo rules from IPA, in this case secure_path: sudo -ll reports: RunAsUsers: root Options: requiretty, lecture=always, timestamp_timeout=0, !authenticate, secure_path=/bin:/usr/bin:/usr/local/bin Commands: stopinst /usr/local/bin/stopinst /usr/local/bin/startinst /bin/mount /rman /usr/bin/su - root /usr/local/bin is also in my local path: $ echo $PATH /usr/local/bin:/usr/bin:/usr/local/sbin.. For easyness, stopinst is currently quite simple: $ cat /usr/local/bin/stopinst #!/bin/bash echo stopinst echo "Path: $PATH" I can execute the script a normal user, using full path or just the command: $ stopinst stopinst Path: /usr/local/bin:/usr/bin:/usr/local/sbin:/usr/sbin:/home/net.dr.dk/drextrha/.local/bin:/home/net.dr.dk/drextrha/bin However, trying to execute the script using sudo fails: $ sudo stopinst [sudo] password for drextrha: sudo: stopinst: command not found Unless using full path: $ sudo /usr/local/bin/stopinst stopinst Path: /bin:/usr/bin:/usr/local/bin Secure path in sudoers is: # grep secure_path /etc/sudoers Defaults secure_path = /sbin:/bin:/usr/sbin:/usr/bin If I change the secure_path in local sudoers to include /usr/local/bin: # grep secure_path /etc/sudoers Defaults secure_path = /sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin I can execute the command using sudo: $ sudo stopinst stopinst Path: /bin:/usr/bin:/usr/local/bin S.. something gets overwritten somewhere that shouldn't??? -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
