Re: [Freeipa-users] Sudo rule processing order
Ok, that's up to your preference. The hotfix below worked for me in my test
environment and is pretty low risk. But of course, it is not "RHEL rubber
stamped". Eventually, you can evaluate the fix yourself in a test environment.

HTH,
Martin

On 01/13/2014 02:41 PM, Fred van Zwieten wrote:
> Martin,
>
> Sorry for the late reply.
>
> Thanks for spotting this. I suspect I cannot "just" change ldap in our IPA.
> This is part of a production environment consisting solely of supported
> RHEL 6.4 servers. I can snapshot the IPA servers (they are VM's) to be able
> to roll back in case of trouble, but I am not sure such a change is
> "supported".
>
> Fred
>
>
> On Fri, Jan 10, 2014 at 5:28 PM, Martin Kosek wrote:
>
>> Ah, I think I found the root cause. Our sudoers compat tree configuration
>> missed out the sudoOrder attribute. The order was thus missing in LDAP
>> sudoers and thus ineffective. I filed an upstream ticket to fix it:
>> https://fedorahosted.org/freeipa/ticket/4107
>>
>> However, to hotfix it in your environment, could you try manually fixing
>> the configuration on your FreeIPA server?
>>
>> $ ldapmodify -h `hostname` -D "cn=Directory Manager" -x -W
>> dn: cn=sudoers,cn=Schema Compatibility,cn=plugins,cn=config
>> changetype: modify
>> add: schema-compat-entry-attribute
>> schema-compat-entry-attribute: sudoOrder=%{sudoOrder}
>>
>> This should do the trick.
>>
>> Martin
>>
>> On 01/10/2014 05:17 PM, Martin Kosek wrote:
>>> On 01/10/2014 04:52 PM, Fred van Zwieten wrote:
>>>> Yes, you would expect that to help, wouldn't you :-)
>>>
>>> Yes, I would :-)
>>>
>>>>
>>>> Didn't even know this existed. Thanks for that.
>>>>
>>>> User has 3 sudo rules. I have set the allow_all rule to 1, the second
>>>> rule to 2 and the cobbler (with the "!authenticate" option) rule to 99:
>>>
>>> What is the version of the SUDO on your system? According to
>>> http://www.sudo.ws/sudoers.ldap.man.html
>>> it was implemented in SUDO 1.7.5.
>>>
>>> Martin
>>>
>>>>
>>>> User may run the following commands on this host:
>>>>     (root) ALL
>>>>     (root) /bin/cat, /bin/egrep, /bin/find, /bin/grep, /bin/ls, /bin/more,
>>>>     /usr/bin/less, !/bin/su
>>>>     (root) NOPASSWD: /usr/bin/cobbler
>>>>     (root) !/bin/su
>>>>
>>>> Nope. Didn't help.
>>>>
>>>> Fred
>>>>
>>>> On Fri, Jan 10, 2014 at 3:59 PM, Martin Kosek wrote:
>>>>
>>>>> On 01/10/2014 11:52 AM, Fred van Zwieten wrote:
>>>>>> Hi,
>>>>>>
>>>>>> I have a sudo rule in IPA that has the !authenticate option added to
>>>>>> enable admins to execute certain programs as root without authentication.
>>>>>>
>>>>>> It doesn't work. There is another rule for the admins that allows all
>>>>>> commands as long as they give their password.
>>>>>>
>>>>>> In a sudoers file, you can solve this by specifying the nopasswd rule
>>>>>> as last.
>>>>>>
>>>>>> sudo -l from an IPA-client gives me this:
>>>>>>
>>>>>> ***@svr001 ~]$ sudo -l
>>>>>> Matching Defaults entries for *** on this host:
>>>>>>     requiretty, !visiblepw, always_set_home, env_reset, env_keep="COLORS
>>>>>>     DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS", env_keep+="MAIL PS1
>>>>>>     PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE
>>>>>>     LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY
>>>>>>     LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL
>>>>>>     LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY",
>>>>>>     secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin
>>>>>>
>>>>>> User may run the following commands on this host:
>>>>>>     (root) NOPASSWD: ALL
>>>>>>     (root) /bin/cat, /bin/egrep, /bin/find, /bin/grep, /bin/ls, /bin/more,
>>>>>>     /usr/bin/less, !/bin/su
>>>>>>     (root) NOPASSWD: /usr/bin/cobbler
>>>>>>     (root) !/bin/su
>>>>>>
>>>>>> I want the cobbler command to run without password authentication.
>>>>>> What am I doing wrong?
>>>>>>
>>>>>
>>>>> Would setting SUDO rule order help?
>>>>>
>>>>> # ipa sudorule-mod -h
>>>>> ...
>>>>>   --order=INT           integer to order the Sudo rules
>>>>> ...
>>>>>
>>>>> Martin
>>>>>
>>>>>
>>>>
>>>
>>
>

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] Sudo rule processing order
Martin,

Sorry for the late reply.

Thanks for spotting this. I suspect I cannot "just" change ldap in our IPA.
This is part of a production environment consisting solely of supported
RHEL 6.4 servers. I can snapshot the IPA servers (they are VM's) to be able
to roll back in case of trouble, but I am not sure such a change is
"supported".

Fred


On Fri, Jan 10, 2014 at 5:28 PM, Martin Kosek wrote:

> Ah, I think I found the root cause. Our sudoers compat tree configuration
> missed out the sudoOrder attribute. The order was thus missing in LDAP
> sudoers and thus ineffective. I filed an upstream ticket to fix it:
> https://fedorahosted.org/freeipa/ticket/4107
>
> However, to hotfix it in your environment, could you try manually fixing
> the configuration on your FreeIPA server?
>
> $ ldapmodify -h `hostname` -D "cn=Directory Manager" -x -W
> dn: cn=sudoers,cn=Schema Compatibility,cn=plugins,cn=config
> changetype: modify
> add: schema-compat-entry-attribute
> schema-compat-entry-attribute: sudoOrder=%{sudoOrder}
>
> This should do the trick.
>
> Martin
>
> On 01/10/2014 05:17 PM, Martin Kosek wrote:
> > On 01/10/2014 04:52 PM, Fred van Zwieten wrote:
> >> Yes, you would expect that to help, wouldn't you :-)
> >
> > Yes, I would :-)
> >
> >>
> >> Didn't even know this existed. Thanks for that.
> >>
> >> User has 3 sudo rules. I have set the allow_all rule to 1, the second
> >> rule to 2 and the cobbler (with the "!authenticate" option) rule to 99:
> >
> > What is the version of the SUDO on your system? According to
> > http://www.sudo.ws/sudoers.ldap.man.html
> > it was implemented in SUDO 1.7.5.
> >
> > Martin
> >
> >>
> >> User may run the following commands on this host:
> >>     (root) ALL
> >>     (root) /bin/cat, /bin/egrep, /bin/find, /bin/grep, /bin/ls, /bin/more,
> >>     /usr/bin/less, !/bin/su
> >>     (root) NOPASSWD: /usr/bin/cobbler
> >>     (root) !/bin/su
> >>
> >> Nope. Didn't help.
> >>
> >> Fred
> >>
> >> On Fri, Jan 10, 2014 at 3:59 PM, Martin Kosek wrote:
> >>
> >>> On 01/10/2014 11:52 AM, Fred van Zwieten wrote:
> >>>> Hi,
> >>>>
> >>>> I have a sudo rule in IPA that has the !authenticate option added to
> >>>> enable admins to execute certain programs as root without authentication.
> >>>>
> >>>> It doesn't work. There is another rule for the admins that allows all
> >>>> commands as long as they give their password.
> >>>>
> >>>> In a sudoers file, you can solve this by specifying the nopasswd rule
> >>>> as last.
> >>>>
> >>>> sudo -l from an IPA-client gives me this:
> >>>>
> >>>> ***@svr001 ~]$ sudo -l
> >>>> Matching Defaults entries for *** on this host:
> >>>>     requiretty, !visiblepw, always_set_home, env_reset, env_keep="COLORS
> >>>>     DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS", env_keep+="MAIL PS1
> >>>>     PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE
> >>>>     LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY
> >>>>     LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL
> >>>>     LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY",
> >>>>     secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin
> >>>>
> >>>> User may run the following commands on this host:
> >>>>     (root) NOPASSWD: ALL
> >>>>     (root) /bin/cat, /bin/egrep, /bin/find, /bin/grep, /bin/ls, /bin/more,
> >>>>     /usr/bin/less, !/bin/su
> >>>>     (root) NOPASSWD: /usr/bin/cobbler
> >>>>     (root) !/bin/su
> >>>>
> >>>> I want the cobbler command to run without password authentication.
> >>>> What am I doing wrong?
> >>>>
> >>>
> >>> Would setting SUDO rule order help?
> >>>
> >>> # ipa sudorule-mod -h
> >>> ...
> >>>   --order=INT           integer to order the Sudo rules
> >>> ...
> >>>
> >>> Martin
> >>>
> >>>
> >>
> >
>
Re: [Freeipa-users] Sudo rule processing order
Ah, I think I found the root cause. Our sudoers compat tree configuration
missed out the sudoOrder attribute. The order was thus missing in LDAP sudoers
and thus ineffective. I filed an upstream ticket to fix it:
https://fedorahosted.org/freeipa/ticket/4107

However, to hotfix it in your environment, could you try manually fixing the
configuration on your FreeIPA server?

$ ldapmodify -h `hostname` -D "cn=Directory Manager" -x -W
dn: cn=sudoers,cn=Schema Compatibility,cn=plugins,cn=config
changetype: modify
add: schema-compat-entry-attribute
schema-compat-entry-attribute: sudoOrder=%{sudoOrder}

This should do the trick.

Martin

On 01/10/2014 05:17 PM, Martin Kosek wrote:
> On 01/10/2014 04:52 PM, Fred van Zwieten wrote:
>> Yes, you would expect that to help, wouldn't you :-)
>
> Yes, I would :-)
>
>>
>> Didn't even know this existed. Thanks for that.
>>
>> User has 3 sudo rules. I have set the allow_all rule to 1, the second rule
>> to 2 and the cobbler (with the "!authenticate" option) rule to 99:
>
> What is the version of the SUDO on your system? According to
> http://www.sudo.ws/sudoers.ldap.man.html
> it was implemented in SUDO 1.7.5.
>
> Martin
>
>>
>> User may run the following commands on this host:
>>     (root) ALL
>>     (root) /bin/cat, /bin/egrep, /bin/find, /bin/grep, /bin/ls, /bin/more,
>>     /usr/bin/less, !/bin/su
>>     (root) NOPASSWD: /usr/bin/cobbler
>>     (root) !/bin/su
>>
>> Nope. Didn't help.
>>
>> Fred
>>
>> On Fri, Jan 10, 2014 at 3:59 PM, Martin Kosek wrote:
>>
>>> On 01/10/2014 11:52 AM, Fred van Zwieten wrote:
>>>> Hi,
>>>>
>>>> I have a sudo rule in IPA that has the !authenticate option added to
>>>> enable admins to execute certain programs as root without authentication.
>>>>
>>>> It doesn't work. There is another rule for the admins that allows all
>>>> commands as long as they give their password.
>>>>
>>>> In a sudoers file, you can solve this by specifying the nopasswd rule as
>>>> last.
>>>>
>>>> sudo -l from an IPA-client gives me this:
>>>>
>>>> ***@svr001 ~]$ sudo -l
>>>> Matching Defaults entries for *** on this host:
>>>>     requiretty, !visiblepw, always_set_home, env_reset, env_keep="COLORS
>>>>     DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS", env_keep+="MAIL PS1
>>>>     PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE
>>>>     LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY
>>>>     LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL
>>>>     LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY",
>>>>     secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin
>>>>
>>>> User may run the following commands on this host:
>>>>     (root) NOPASSWD: ALL
>>>>     (root) /bin/cat, /bin/egrep, /bin/find, /bin/grep, /bin/ls, /bin/more,
>>>>     /usr/bin/less, !/bin/su
>>>>     (root) NOPASSWD: /usr/bin/cobbler
>>>>     (root) !/bin/su
>>>>
>>>> I want the cobbler command to run without password authentication. What
>>>> am I doing wrong?
>>>>
>>>
>>> Would setting SUDO rule order help?
>>>
>>> # ipa sudorule-mod -h
>>> ...
>>>   --order=INT           integer to order the Sudo rules
>>> ...
>>>
>>> Martin
>>>
>>>
>>
>
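The following is an added illustration, not code from the thread, FreeIPA or sudo, of why a compat tree that drops sudoOrder makes the --order value from "ipa sudorule-mod" ineffective: a small Python model of sudo's LDAP rule ordering (ascending sudoOrder, last match wins, missing sudoOrder counts as 0) run over the three rules Fred described, plus a check that a dump of the schema-compat plugin entry contains the attribute Martin's ldapmodify adds. The rule names, the shortened command list and the two entry dumps are constructed.

```python
# Added example, not code from the thread, FreeIPA or sudo: a model of how
# sudo's LDAP backend orders matching rules (sudoers.ldap(5)), and a check
# that the Schema Compatibility sudoers entry exports sudoOrder.
from dataclasses import dataclass, field
from fnmatch import fnmatch
from typing import List, Optional


@dataclass
class SudoRule:
    cn: str
    commands: List[str]                                 # sudoCommand; "!" negates
    options: List[str] = field(default_factory=list)    # sudoOption values
    order: Optional[int] = None                         # sudoOrder, None if absent


def check(rules, command):
    """Return (allowed, needs_password) for running `command` as root.
    Rules are applied in ascending sudoOrder and the last match wins; a rule
    without sudoOrder counts as 0, so such rules keep the server's order."""
    allowed, needs_password = False, True
    for rule in sorted(rules, key=lambda r: r.order or 0):   # stable sort
        verdict = None
        for cmd in rule.commands:                # last matching command wins
            if cmd.lstrip("!") == "ALL" or fnmatch(command, cmd.lstrip("!")):
                verdict = not cmd.startswith("!")
        if verdict is not None:
            allowed = verdict
            needs_password = "!authenticate" not in rule.options
    return allowed, needs_password


def fred_rules(with_sudo_order):
    """The three rules from the thread (constructed). The list order mimics an
    LDAP server returning entries in arbitrary order, which is all sudo sees
    when the compat tree does not export sudoOrder."""
    o = (lambda n: n) if with_sudo_order else (lambda n: None)
    return [
        SudoRule("cobbler", ["/usr/bin/cobbler"], ["!authenticate"], o(99)),
        SudoRule("limited", ["/bin/cat", "/bin/ls", "/usr/bin/less", "!/bin/su"], [], o(2)),
        SudoRule("allow_all", ["ALL"], [], o(1)),
    ]


def compat_exports_sudo_order(ldif):
    """True if a dump of cn=sudoers,cn=Schema Compatibility,cn=plugins,cn=config
    contains the attribute line that the ldapmodify hotfix adds."""
    wanted = "schema-compat-entry-attribute: sudoOrder=%{sudoOrder}"
    return any(line.strip() == wanted for line in ldif.splitlines())


# Constructed plugin entry dumps, before and after the hotfix.
COMPAT_BEFORE = "dn: cn=sudoers,cn=Schema Compatibility,cn=plugins,cn=config\ncn: sudoers\n"
COMPAT_AFTER = COMPAT_BEFORE + "schema-compat-entry-attribute: sudoOrder=%{sudoOrder}\n"
```

Without sudoOrder the allow_all rule happens to be applied last and the cobbler rule loses its !authenticate tag, which is the password prompt Fred saw; with sudoOrder the rule ordered 99 wins.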
Re: [Freeipa-users] Sudo rule processing order
On 01/10/2014 04:52 PM, Fred van Zwieten wrote:
> Yes, you would expect that to help, wouldn't you :-)

Yes, I would :-)

>
> Didn't even know this existed. Thanks for that.
>
> User has 3 sudo rules. I have set the allow_all rule to 1, the second rule
> to 2 and the cobbler (with the "!authenticate" option) rule to 99:

What is the version of the SUDO on your system? According to
http://www.sudo.ws/sudoers.ldap.man.html
it was implemented in SUDO 1.7.5.

Martin

>
> User may run the following commands on this host:
>     (root) ALL
>     (root) /bin/cat, /bin/egrep, /bin/find, /bin/grep, /bin/ls, /bin/more,
>     /usr/bin/less, !/bin/su
>     (root) NOPASSWD: /usr/bin/cobbler
>     (root) !/bin/su
>
> Nope. Didn't help.
>
> Fred
>
> On Fri, Jan 10, 2014 at 3:59 PM, Martin Kosek wrote:
>
>> On 01/10/2014 11:52 AM, Fred van Zwieten wrote:
>>> Hi,
>>>
>>> I have a sudo rule in IPA that has the !authenticate option added to
>>> enable admins to execute certain programs as root without authentication.
>>>
>>> It doesn't work. There is another rule for the admins that allows all
>>> commands as long as they give their password.
>>>
>>> In a sudoers file, you can solve this by specifying the nopasswd rule as
>>> last.
>>>
>>> sudo -l from an IPA-client gives me this:
>>>
>>> ***@svr001 ~]$ sudo -l
>>> Matching Defaults entries for *** on this host:
>>>     requiretty, !visiblepw, always_set_home, env_reset, env_keep="COLORS
>>>     DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS", env_keep+="MAIL PS1
>>>     PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE
>>>     LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY
>>>     LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL
>>>     LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY",
>>>     secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin
>>>
>>> User may run the following commands on this host:
>>>     (root) NOPASSWD: ALL
>>>     (root) /bin/cat, /bin/egrep, /bin/find, /bin/grep, /bin/ls, /bin/more,
>>>     /usr/bin/less, !/bin/su
>>>     (root) NOPASSWD: /usr/bin/cobbler
>>>     (root) !/bin/su
>>>
>>> I want the cobbler command to run without password authentication. What
>>> am I doing wrong?
>>>
>>
>> Would setting SUDO rule order help?
>>
>> # ipa sudorule-mod -h
>> ...
>>   --order=INT           integer to order the Sudo rules
>> ...
>>
>> Martin
>>
>>
>
Re: [Freeipa-users] Sudo rule processing order
Yes, you would expect that to help, wouldn't you :-)

Didn't even know this existed. Thanks for that.

User has 3 sudo rules. I have set the allow_all rule to 1, the second rule
to 2 and the cobbler (with the "!authenticate" option) rule to 99:

User may run the following commands on this host:
    (root) ALL
    (root) /bin/cat, /bin/egrep, /bin/find, /bin/grep, /bin/ls, /bin/more,
    /usr/bin/less, !/bin/su
    (root) NOPASSWD: /usr/bin/cobbler
    (root) !/bin/su

Nope. Didn't help.

Fred

On Fri, Jan 10, 2014 at 3:59 PM, Martin Kosek wrote:

> On 01/10/2014 11:52 AM, Fred van Zwieten wrote:
> > Hi,
> >
> > I have a sudo rule in IPA that has the !authenticate option added to
> > enable admins to execute certain programs as root without authentication.
> >
> > It doesn't work. There is another rule for the admins that allows all
> > commands as long as they give their password.
> >
> > In a sudoers file, you can solve this by specifying the nopasswd rule as
> > last.
> >
> > sudo -l from an IPA-client gives me this:
> >
> > ***@svr001 ~]$ sudo -l
> > Matching Defaults entries for *** on this host:
> >     requiretty, !visiblepw, always_set_home, env_reset, env_keep="COLORS
> >     DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS", env_keep+="MAIL PS1
> >     PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE
> >     LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY
> >     LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL
> >     LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY",
> >     secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin
> >
> > User may run the following commands on this host:
> >     (root) NOPASSWD: ALL
> >     (root) /bin/cat, /bin/egrep, /bin/find, /bin/grep, /bin/ls, /bin/more,
> >     /usr/bin/less, !/bin/su
> >     (root) NOPASSWD: /usr/bin/cobbler
> >     (root) !/bin/su
> >
> > I want the cobbler command to run without password authentication. What
> > am I doing wrong?
> >
>
> Would setting SUDO rule order help?
>
> # ipa sudorule-mod -h
> ...
>   --order=INT           integer to order the Sudo rules
> ...
>
> Martin
>
Re: [Freeipa-users] Sudo rule processing order
On 01/10/2014 11:52 AM, Fred van Zwieten wrote:
> Hi,
>
> I have a sudo rule in IPA that has the !authenticate option added to enable
> admins to execute certain programs as root without authentication.
>
> It doesn't work. There is another rule for the admins that allows all
> commands as long as they give their password.
>
> In a sudoers file, you can solve this by specifying the nopasswd rule as
> last.
>
> sudo -l from an IPA-client gives me this:
>
> ***@svr001 ~]$ sudo -l
> Matching Defaults entries for *** on this host:
>     requiretty, !visiblepw, always_set_home, env_reset, env_keep="COLORS
>     DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS", env_keep+="MAIL PS1
>     PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE
>     LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY
>     LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL
>     LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY",
>     secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin
>
> User may run the following commands on this host:
>     (root) NOPASSWD: ALL
>     (root) /bin/cat, /bin/egrep, /bin/find, /bin/grep, /bin/ls, /bin/more,
>     /usr/bin/less, !/bin/su
>     (root) NOPASSWD: /usr/bin/cobbler
>     (root) !/bin/su
>
> I want the cobbler command to run without password authentication. What am
> I doing wrong?
>

Would setting SUDO rule order help?

# ipa sudorule-mod -h
...
  --order=INT           integer to order the Sudo rules
...

Martin
[Freeipa-users] Sudo rule processing order
Hi,

I have a sudo rule in IPA that has the !authenticate option added to enable
admins to execute certain programs as root without authentication.

It doesn't work. There is another rule for the admins that allows all
commands as long as they give their password.

In a sudoers file, you can solve this by specifying the nopasswd rule as
last.

sudo -l from an IPA-client gives me this:

***@svr001 ~]$ sudo -l
Matching Defaults entries for *** on this host:
    requiretty, !visiblepw, always_set_home, env_reset, env_keep="COLORS
    DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS", env_keep+="MAIL PS1
    PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE
    LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY
    LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL
    LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY",
    secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin

User may run the following commands on this host:
    (root) NOPASSWD: ALL
    (root) /bin/cat, /bin/egrep, /bin/find, /bin/grep, /bin/ls, /bin/more,
    /usr/bin/less, !/bin/su
    (root) NOPASSWD: /usr/bin/cobbler
    (root) !/bin/su

I want the cobbler command to run without password authentication. What am
I doing wrong?