On 07/28/2011 06:58 PM, arun scaria wrote:
> On Thu, Jul 28, 2011 at 2:10 PM, Gowrishankar Rajaiyan <g...@redhat.com> wrote:
>
>> On 07/28/2011 07:22 AM, arun scaria wrote:
>>
>>> Hi all,
>>>
>>> I've created my write-up on SUDO responder/cache behavior at
>>>
>>> https://fedorahosted.org/sssd/wiki/DesignDocs/SudoSupport/SudoResponderCacheBehavior.
>>>
>>> I'd love to hear your opinion on it. Please review and comment.
>>
>> One question:
>> How do we plan to include "sudoOption=!authenticate" (where
>> !authenticate=NOPASSWD) in a sudorule during offline?
>
> The option !authenticate is not specified anywhere in the standard sudo
> schema at http://www.gratisoft.us/sudo/man/1.8.1/sudoers.ldap.man.html.

If you use the "sudoers2ldif" tool provided by the sudo package to convert an
existing /etc/sudoers file to an ldif format, the "!authenticate" value is used.

/usr/share/doc/sudo-1.7.4p5/sudoers2ldif:
<snip>
        # if NOPASSWD: directive found, mark entire entry as not requiring
        s/NOPASSWD:\s*// && push @options,"!authenticate";
        s/PASSWD:\s*// && push @options,"authenticate";
</snip>

> But this option is found in all the blogs and tutorials as the
> alternative to the NOPASSWD option in the sudoers file. In the current
> implementation of the sudo plugin we are doing the pam authentication with
> the sudo pam config file. This is done before we query the sssd for
> authentication for sudo. So the user will be asked for a password
> even if the !authenticate sudoOption is enabled.

IMO expecting a password for a runasuser from a sudorule where sudoOption is
set to !authenticate is not an expected behaviour.

_______________________________________________
sssd-devel mailing list
sssd-devel@lists.fedorahosted.org
https://fedorahosted.org/mailman/listinfo/sssd-devel
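As an added example (not code from this thread, from SSSD or from sudoers2ldif itself), the script below applies the same NOPASSWD/PASSWD tag to sudoOption mapping that the quoted Perl lines perform, to a few constructed sudoers entries, emits sudoRole LDIF, and lists the rules an administrator should review because sudo will not prompt for a password; the base DN and the sample lines are assumptions.

```python
import re

# Constructed sample /etc/sudoers lines, not taken from any real host.
SAMPLE_SUDOERS = """\
# Defaults and comments are skipped by the parser.
alice   ALL=(root) NOPASSWD: /usr/bin/systemctl restart sssd
bob     ALL=(ALL)  PASSWD: /usr/bin/yum
%wheel  ALL=(ALL)  ALL
"""

# user  host=(runas) [TAG:] command[, command...]
ENTRY_RE = re.compile(r"^(?P<user>\S+)\s+(?P<host>\S+)=\((?P<runas>[^)]*)\)\s*(?P<cmds>.*)$")


def parse_sudoers(text):
    """Return one dict per rule with the attributes a sudoRole entry needs."""
    roles = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = ENTRY_RE.match(line)
        if not m:
            continue
        cmds, options = m.group("cmds"), []
        # Same order as the sudoers2ldif snippet: strip NOPASSWD: first so the
        # later PASSWD: substitution cannot match inside it.
        cmds, n = re.subn(r"NOPASSWD:\s*", "", cmds)
        if n:
            options.append("!authenticate")
        cmds, n = re.subn(r"PASSWD:\s*", "", cmds)
        if n:
            options.append("authenticate")
        roles.append({"sudoUser": m.group("user"), "sudoHost": m.group("host"),
                      "sudoRunAsUser": m.group("runas") or "root",
                      "sudoCommand": [c.strip() for c in cmds.split(",")],
                      "sudoOption": options})
    return roles


def passwordless_rules(roles):
    """Users whose rules carry !authenticate, i.e. run without a password."""
    return [r["sudoUser"] for r in roles if "!authenticate" in r["sudoOption"]]


def to_ldif(role, base="ou=SUDOers,dc=example,dc=com"):
    """Render one rule as a sudoRole LDIF entry (base DN is an assumption)."""
    lines = [f"dn: cn={role['sudoUser']},{base}", "objectClass: top",
             "objectClass: sudoRole", f"cn: {role['sudoUser']}",
             f"sudoUser: {role['sudoUser']}", f"sudoHost: {role['sudoHost']}",
             f"sudoRunAsUser: {role['sudoRunAsUser']}"]
    lines += [f"sudoCommand: {c}" for c in role["sudoCommand"]]
    lines += [f"sudoOption: {o}" for o in role["sudoOption"]]
    return "\n".join(lines) + "\n"
```

Whatever backend serves these entries, the `sudoOption: !authenticate` attribute is what must be honoured (or cached) for the rule to behave as NOPASSWD did in the flat file.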