Bug 945

Summary: sudo does not ignore expire dates even if SUDOERS_TIMED option is not set in /etc/ldap.conf
Product: Sudo
Component: Sudoers
Reporter: Jason Sikes <jsikes>
Assignee: Todd C. Miller <Todd.Miller>
Status: RESOLVED FIXED
Severity: normal
Priority: low
Version: 1.8.24
Hardware: PC
OS: Linux

Description Jason Sikes 2020-11-06 20:38:38 MST
If SUDOERS_TIMED is NOT set in /etc/ldap.conf then NOTBEFORE and NOTAFTER should be ignored.

However, SUDOERS_TIMED seems to have no effect, and NOTBEFORE and NOTAFTER are always checked.

Analysis:

In plugins/sudoers/ldap.c when building the LDAP query, if ldap_conf.timed is set then sudoNotBefore and sudoNotAfter become part of the query parameters. This part appears to be fine.

I believe the problem is in sudoers_lookup_check() [plugins/sudoers/parse.c:139]. The times for notbefore and notafter are checked; ldap_conf.timed is not a factor in this decision.
Comment 1 Todd C. Miller 2020-11-10 09:05:25 MST
This is fallout from the changes to convert a sudoRole to the same internal form that the sudoers file evaluation uses.  The simplest fix is to just not pass those values to sudo_ldap_role_to_priv() if SUDOERS_TIMED is not enabled.

However, it may be better to simply get rid of the SUDOERS_TIMED setting entirely along with the associated subfilter and just let the sudoers parser handle things.  The reason for making it optional was that older versions of the sudo schema didn't have those attributes.

Do you really have a use case where sudoRoles contain sudoNotBefore / sudoNotAfter and you actually want them to be ignored on the client?  That seems like a violation of the security policy which doesn't seem like a feature to me.
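An added illustration of the behaviour discussed in the description and in comment 1, written for this page as a hypothetical model and not sudo's own code: once a sudoRole is converted to the internal form the sudoers evaluation uses, the sudoNotBefore/sudoNotAfter window is enforced unconditionally, so the `timed` flag (SUDOERS_TIMED) must decide whether those attributes are handed on at all. The function names, the fixed-width string comparison of UTC GeneralizedTime values and the fail-closed handling of malformed values are this model's assumptions.

```c
#include <ctype.h>
#include <stdbool.h>
#include <string.h>

/* Validate an LDAP GeneralizedTime value in the form sudo's schema uses,
 * "YYYYMMDDHHMMSSZ" (UTC). Values of this fixed, zero-padded form compare
 * correctly with strcmp(), which is all this model needs (assumption). */
static bool valid_gtime(const char *s)
{
    if (s == NULL || strlen(s) != 15 || s[14] != 'Z')
        return false;
    for (int i = 0; i < 14; i++)
        if (!isdigit((unsigned char)s[i]))
            return false;
    return true;
}

/* Is `now` inside [notbefore, notafter]? A NULL attribute means unbounded on
 * that side; a malformed value makes the role unusable (fail closed, assumed). */
static bool within_window(const char *notbefore, const char *notafter, const char *now)
{
    if (!valid_gtime(now))
        return false;
    if (notbefore != NULL && (!valid_gtime(notbefore) || strcmp(now, notbefore) < 0))
        return false;
    if (notafter != NULL && (!valid_gtime(notafter) || strcmp(now, notafter) > 0))
        return false;
    return true;
}

/* 1.8.24 behaviour reported in the bug: the window is enforced no matter what
 * SUDOERS_TIMED (`timed`) says, because the check runs after conversion. */
static bool role_active_buggy(const char *notbefore, const char *notafter,
                              const char *now, bool timed)
{
    (void)timed;
    return within_window(notbefore, notafter, now);
}

/* Fix described in comment 1: when SUDOERS_TIMED is off, do not hand the
 * attributes to the shared evaluation at all, so they cannot be enforced. */
static bool role_active_fixed(const char *notbefore, const char *notafter,
                              const char *now, bool timed)
{
    if (!timed)
        notbefore = notafter = NULL;
    return within_window(notbefore, notafter, now);
}
```

With SUDOERS_TIMED off and a role whose sudoNotAfter has passed, `role_active_buggy` still rejects the role while `role_active_fixed` ignores the window; with it on, both enforce it.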
Comment 2 Jason Sikes 2020-11-11 23:53:58 MST
> Do you really have a use case where sudoRoles contain sudoNotBefore / sudoNotAfter
> and you actually want them to be ignored on the client?  That seems like a violation
> of the security policy which doesn't seem like a feature to me.

We do have a customer with a complex setup that was affected by this, but I agree that going forward simply dropping the SUDOERS_TIMED setting would simplify things a bit. In my opinion, it is kind of redundant to have sudoNotBefore/sudoNotAfter AND a SUDOERS_TIMED option.
Comment 3 Todd C. Miller 2020-11-12 16:36:39 MST
I just committed the following, which restores the pre-1.8.24 behavior:
https://www.sudo.ws/repos/sudo/rev/d1e1bb5a6cc1

I will revisit this in the future and decide whether or not to deprecate SUDOERS_TIMED in ldap.conf.
Comment 4 Todd C. Miller 2020-11-30 13:23:38 MST
Fixed in sudo 1.9.4