Bugzilla – Full Text Bug Listing

| Summary: | env_* options not applied when sudoers plugin used | | |
|---|---|---|---|
| Product: | Sudo | Reporter: | Gareth Humphries <gareth.humphries> |
| Component: | Sudoers | Assignee: | Todd C. Miller <Todd.Miller> |
| Status: | RESOLVED MOVED | | |
| Severity: | normal | | |
| Priority: | low | | |
| Version: | 1.8.6 | | |
| Hardware: | PC | | |
| OS: | Linux | | |

This is a bug in QPM4Sudo so you should file a bug with Dell. I'll probably end up being the one to look at it there but it needs to be tracked on the Dell side of things to be able to produce a hotfix.

Thanks for the response - I've just raised a ticket with Dell ("Customer Service ticket" -> "Privilege Manager for Sudo"), SR Number:3691352.
Hopefully it finds its way to you or someone who can take a look.

New ticket number: 3691370

Dell have confirmed SR 3691370 as an issue in the policy manager, and raised internal defect 0006549. Marking this ticket as resolved.

When trying to restrict a user on a system using Quest centralised config (aka Dell "Privilege Manager for Sudo"), I ran into issues getting the env_reset option working - no matter what I did, the user could always sudo -E, set PATH, or perform other privileged actions. I configured a non-centralised host identically, and got expected behaviour. See below:

*NON* centralised config:

```
-=> testusr@sudo-sample-host <=-$
-=> testusr@sudo-sample-host <=-$ sudo -l
Matching Defaults entries for testusr on this host:
    log_input, log_output, env_reset, always_set_home

Runas and Command-specific defaults for testusr:
    Defaults>imsadm targetpw
    Defaults>imsroot targetpw

User testusr may run the following commands on this host:
    (root) NOPASSWD: /sbin/ifconfig eth[12]\:*, (root) /sbin/arping
    (root) NOPASSWD: /u01/app/em/core/[1-9][0-9].[0-9].[0-9].[0-9].[0-9]/root.sh
    (root) NOPASSWD: /sbin/ifconfig eth[012]\:*, (root) /sbin/arping, (root) /etc/init.d/ipplumb
    (root) NOPASSWD: /u01/app/grid/12.1.0.2/bin/crs_setperm
    (root) NOPASSWD: /u01/shared/installers/platform_build/*/*/bin/install-oracle-client.sh
-=> testusr@sudo-sample-host <=-$
-=> testusr@sudo-sample-host <=-$ sudo -V
Sudo version 1.8.6p3
Sudoers policy plugin version 1.8.6p3
Sudoers file grammar version 42
Sudoers I/O plugin version 1.8.6p3
-=> testusr@sudo-sample-host <=-$
-=> testusr@sudo-sample-host <=-$ sudo /sbin/arping -V
arping utility, iputils-sss20071127
-=> testusr@sudo-sample-host <=-$
-=> testusr@sudo-sample-host <=-$ sudo -E /sbin/arping -V
sudo: sorry, you are not allowed to preserve the environment
-=> testusr@sudo-sample-host <=-$
```

Centralised config:

```
-=> testusr@sudo-sample-host <=-$
-=> testusr@sudo-sample-host <=-$ sudo -l
Matching Defaults entries for testusr on this host:
    log_input, log_output, env_reset, always_set_home

Runas and Command-specific defaults for testusr:
    Defaults>imsadm targetpw
    Defaults>imsroot targetpw

User testusr may run the following commands on this host:
    (root) NOPASSWD: /sbin/ifconfig eth[12]\:*, /sbin/arping
    (root) NOPASSWD: /u01/app/em/core/[1-9][0-9].[0-9].[0-9].[0-9].[0-9]/root.sh
    (root) NOPASSWD: /sbin/ifconfig eth[012]\:*, (root) /sbin/arping, (root) /etc/init.d/ipplumb
-=> testusr@sudo-sample-host <=-$
-=> testusr@sudo-sample-host <=-$ sudo -V
Sudo version 1.8.6p3
pmplugin policy_plugin 6.0.0 (040)
pmplugin io_plugin 6.0.0 (040)
-=> testusr@sudo-sample-host <=-$
-=> testusr@sudo-sample-host <=-$ sudo /sbin/arping -V
arping utility, iputils-sss20071127
-=> testusr@sudo-sample-host <=-$
-=> testusr@sudo-sample-host <=-$ sudo -E /sbin/arping -V
arping utility, iputils-sss20071127
-=> testusr@sudo-sample-host <=-$
```

Note the different output for the last command, with -E passed. I would expect that with that output from sudo -l, both examples should behave the same. Is there any further info you'd like me to collect?
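
A check for the mismatch shown in this report, as an added example that is not part of the original bug thread and not code from sudo or Privilege Manager: it takes captured output of `sudo -V`, `sudo -l` and a `sudo -E` attempt and flags a host where the listed Defaults forbid `-E` but the command still ran. The function names are hypothetical, and the sample strings are abridged from the session above.

```python
import re

DENIED = "not allowed to preserve the environment"

def policy_plugin(sudo_v):
    """Name of the policy plugin reported by `sudo -V`."""
    for line in sudo_v.splitlines():
        if line.startswith("Sudoers policy plugin version"):
            return "sudoers"
        m = re.match(r"(\S+) policy_plugin\b", line)
        if m:
            return m.group(1)
    return "unknown"

def matching_defaults(sudo_l):
    """Options listed under 'Matching Defaults entries' in `sudo -l`."""
    opts, in_block = set(), False
    for line in sudo_l.splitlines():
        if line.startswith("Matching Defaults entries"):
            in_block = True
        elif in_block and line[:1].isspace() and line.strip():
            opts.update(o.strip() for o in line.split(",") if o.strip())
        elif in_block:
            break  # blank or unindented line ends the Defaults block
    return opts

def env_policy_enforced(sudo_v, sudo_l, sudo_e_output):
    """(plugin, ok): ok is False when the listed policy forbids -E yet -E ran."""
    opts = matching_defaults(sudo_l)
    # In sudoers, -E is honoured only with the setenv option or a SETENV: tag.
    forbids_e = ("env_reset" in opts and "setenv" not in opts
                 and "SETENV:" not in sudo_l)
    refused = DENIED in sudo_e_output
    return policy_plugin(sudo_v), (refused or not forbids_e)

# Sample input abridged from the session in the report above.
SUDO_L = """Matching Defaults entries for testusr on this host:
    log_input, log_output, env_reset, always_set_home

User testusr may run the following commands on this host:
    (root) /sbin/arping
"""
LOCAL_V = "Sudo version 1.8.6p3\nSudoers policy plugin version 1.8.6p3\n"
CENTRAL_V = "Sudo version 1.8.6p3\npmplugin policy_plugin 6.0.0 (040)\n"
LOCAL_E = "sudo: sorry, you are not allowed to preserve the environment\n"
CENTRAL_E = "arping utility, iputils-sss20071127\n"

if __name__ == "__main__":
    print(env_policy_enforced(LOCAL_V, SUDO_L, LOCAL_E))
    print(env_policy_enforced(CENTRAL_V, SUDO_L, CENTRAL_E))
```

Comparing what `sudo -l` advertises with what the active plugin actually enforces catches the case where the displayed policy and the enforced policy come from different code paths.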