Bugzilla – Bug 1063
sudo -l does not seem to process access via LDAP after upgrade to 1.9.15
Last modified: 2023-12-15 13:53:12 MST
We've recently upgraded some EL 7 hosts to sudo 1.9.15 and noticed a difference in the processing of rules that allow a user to list what commands they are allowed to run. This prevents a user from listing what they are allowed to do. We use LDAP to define access. Without changes to the LDAP entry the following differences were noticed between 1.9.14p1 and 1.9.15p2. I've enabled debug logs but truncated/obscured specific info in our environment. Let me know if further logging is needed. The following is the result of running sudo -l as a user with ALL:ALL access defined in LDAP.

...
old version 1.9.14p1
sudo: Looking for cn=defaults: (&(objectClass=sudoRole)(cn=defaults))
sudo: found:cn=defaults,ou=<defined container in LDAP>,ou=Directory_Integration,o=<my org>,c=us
sudo: sudo_ldap_query: ldap search user <my user>, host <old version host>
(works from here and returns properly)
...
new version 1.9.15p2
sudo: Looking for cn=defaults: (&(objectClass=sudoRole)(cn=defaults))
sudo: found:cn=defaults,ou=<same defined container in LDAP>,ou=Directory_Integration,o=<my org>,c=us
Sorry, user <my user> may not run sudo on <my host on the old version>.
(stops here)
Sorry about a mistake in my report, the last line should read "my host on the new version." We're looking to have list be passwordless and only noticed the change when an automated process could no longer run this command. Following is the output of -ll on the same user object on the same host.

LDAP Role: <defined ldap role>
    RunAsUsers: ALL
    Commands: ALL
Is it only "sudo -l" that is affected? In other words, is the user able to run commands via sudo successfully? There was a bug in sudo 1.9.15 that prevented sudo from reading the ldap.conf file but that was fixed in 1.9.15p1.
The actual running of commands is unaffected (as in, we can run allowed commands as the user allowed to run these commands, as well as running arbitrary commands with ALL:ALL). Only listing those commands runs into the issue, as a consuming application uses this to determine if it has the proper rights before running allowed commands.
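Because the automated process described above relies on "sudo -l" succeeding, a pre-flight check that tells a real denial apart from a password prompt or a tool failure, and that flags a sudo build known from this report to mis-handle LDAP listing, is useful when rolling out upgrades. The script below is an added example written for this page, not code from the bug report or from the sudo project. The three output phrases it matches ("may not run sudo on", "a password is required", "may run the following commands on") are sudo's own messages; the version ranges it flags are an assumption drawn from this report (1.9.15p2 affected, fix announced for 1.9.15p4), and the environment variable SUDO_CHECK_RUN is a name chosen here to keep the live sudo call out of the function definitions.

```shell
#!/bin/sh
# Added example (not from bug 1063 or the sudo project): pre-flight check for
# automated jobs that use "sudo -l" to discover their rights before acting.

# classify_sudo_list OUTPUT STATUS
#   Takes the combined stdout/stderr of "sudo -n -l" and its exit status and
#   prints one word: ok, denied, needs-password, or error.
classify_sudo_list() {
    out=$1
    status=${2:-1}
    case "$out" in
        # Real denial (the message seen in the report): no rule matched the user.
        *"may not run sudo on"*)      echo denied; return 0 ;;
        # With -n sudo refuses to prompt; the job's rule is not passwordless.
        *"a password is required"*)   echo needs-password; return 0 ;;
    esac
    if [ "$status" -eq 0 ]; then
        case "$out" in
            # Normal "sudo -l" banner followed by the rule list.
            *"may run the following commands on"*) echo ok ;;
            *) echo error ;;
        esac
    else
        # Non-zero exit with none of the known messages: treat as a tool failure.
        echo error
    fi
}

# sudo_version_suspect VERSION
#   Returns 0 (true) when VERSION is a 1.9.15 release older than p4.
#   Assumption from this report: 1.9.15p2 is affected and p4 carries the fix;
#   intermediate patch levels are flagged as unconfirmed rather than trusted.
sudo_version_suspect() {
    case "$1" in
        1.9.15)        return 0 ;;
        1.9.15p[123])  return 0 ;;
    esac
    return 1
}

# check_sudo_list
#   Live check: warns on a suspect sudo build, then classifies "sudo -n -l".
#   "sudo -V" prints "Sudo version X.Y.Z" on its first line.
check_sudo_list() {
    ver=$(sudo -V 2>/dev/null | sed -n 's/^Sudo version //p' | head -n 1)
    if sudo_version_suspect "$ver"; then
        echo "warning: sudo $ver predates the 1.9.15p4 fix; sudo -l may fail with LDAP rules" >&2
    fi
    out=$(sudo -n -l 2>&1)
    status=$?
    classify_sudo_list "$out" "$status"
}

# The live call runs only when SUDO_CHECK_RUN=1 (assumed variable name), so the
# functions can be sourced and exercised without touching sudo.
if [ "${SUDO_CHECK_RUN:-0}" = 1 ]; then
    result=$(check_sudo_list)
    echo "sudo -l check: $result"
    [ "$result" = ok ]
fi
```

Usage: `SUDO_CHECK_RUN=1 sh sudo_list_check.sh` exits non-zero whenever the listing is not usable, so a job scheduler can stop before attempting privileged commands; a "denied" result on a host where the same user can still run commands is the symptom this bug describes and points at the sudo version rather than the LDAP data.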
Fixed in sudo 1.9.15p4, available now.