Bug 1063

Summary: sudo -l does not seem to process access via LDAP after upgrade to 1.9.15
Product: Sudo
Reporter: Ben Tucci <btucci1>
Component: Sudo
Assignee: Todd C. Miller <Todd.Miller>
Status: RESOLVED FIXED
Severity: normal
Priority: low
Version: 1.9.15
Hardware: PC
OS: Linux

Description Ben Tucci 2023-12-14 15:54:21 MST
We've recently upgraded some EL 7 hosts to sudo 1.9.15 and noticed a difference in the processing of rules that allow a user to list what commands they are allowed to run. This prevents a user from listing what they are allowed to do. We use LDAP to define access. Without changes to the LDAP entry, the following differences were noticed between 1.9.14p1 and 1.9.15p2. I've enabled debug logs but truncated/obscured specific info in our environment. Let me know if further logging is needed. The following is the result of running sudo -l as a user with ALL:ALL access defined in LDAP.

... old version 1.9.14p1
sudo: Looking for cn=defaults: (&(objectClass=sudoRole)(cn=defaults))
sudo: found:cn=defaults,ou=<defined container in LDAP>,ou=Directory_Integration,o=<my org>,c=us
sudo: sudo_ldap_query: ldap search user <my user>, host <old version host>
(works from here and returns properly)

... new version 1.9.15p2
sudo: Looking for cn=defaults: (&(objectClass=sudoRole)(cn=defaults))
sudo: found:cn=defaults,ou=<same defined container in LDAP>,ou=Directory_Integration,o=<my org>,c=us
Sorry, user <my user> may not run sudo on <my host on the old version>.
(stops here)
Comment 1 Ben Tucci 2023-12-14 16:02:53 MST
Sorry about a mistake in my report, the last line should read "my host on the new version." We're looking to have list be passwordless and only noticed the change when an automated process could no longer run this command. Following is the output of -ll on the same user object on the same host.

LDAP Role: <defined ldap role>
    RunAsUsers: ALL
    Commands:
	ALL
Comment 2 Todd C. Miller 2023-12-14 17:07:20 MST
Is it only "sudo -l" that is affected?  In other words, is the user able to run commands via sudo successfully?  There was a bug in sudo 1.9.15 that prevented sudo from reading the ldap.conf file but that was fixed in 1.9.15p1.
Comment 3 Ben Tucci 2023-12-14 17:14:06 MST
The actual running of commands is unaffected (as in, we can run allowed commands as the user allowed to run these commands, as well as running arbitrary commands with ALL:ALL). Only listing those commands runs into the issue, as a consuming application uses this to determine if it has the proper rights before running allowed commands.
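An added example, not part of the bug report or of sudo's own code: a consumer-side check of the "sudo -ll" listing shown in comment 1, of the kind the application mentioned in comment 3 performs. The function name ll_grants_all is assumed; it reads the listing from stdin and uses its exit status to separate "granted", "denied" and "listing unusable" (the truncated output seen after the upgrade), so the caller does not mistake a broken listing for a policy decision.

```sh
#!/bin/sh
# ll_grants_all: parse "sudo -ll" output (format as in comment 1) from stdin.
#   exit 0  some role grants Commands "ALL" with RunAsUsers "ALL"
#   exit 1  a role was listed but grants less, or sudo printed the
#           "Sorry, user ... may not run sudo on ..." refusal
#   exit 2  neither a role nor a refusal was found (listing unusable,
#           e.g. the output that stopped after "found:cn=defaults")
# Hypothetical helper; usage: sudo -ll | ll_grants_all
ll_grants_all() {
    awk '
        /^Sorry, user .* may not run sudo/        { sorry = 1 }
        /^LDAP Role:/                              { role++; runas = ""; section = "" }
        /^[ \t]+RunAsUsers:/                       { runas = $2; section = "runas" }
        /^[ \t]+Commands:/                         { section = "cmds"; next }
        section == "cmds" && /^[ \t]+ALL[ \t]*$/ && runas == "ALL" { all = 1 }
        END {
            if (all)           exit 0
            if (sorry || role) exit 1
            exit 2
        }'
}
```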
Comment 4 Todd C. Miller 2023-12-15 13:53:12 MST
Fixed in sudo 1.9.15p4, available now.