Bug 436 - sudo -l doesn't work properly when sudoers is set from LDAP
Status: RESOLVED FIXED
Product: Sudo
Classification: Unclassified
Component: Sudo
Version: 1.7.3
Hardware: IBM Linux
Importance: low normal
Assigned To: Todd C. Miller
Reported: 2010-09-04 04:19 MDT by Giampiero
Modified: 2010-09-14 16:27 MDT

Attachments
output of sudo -l with sudoers_debug=2 (2.47 KB, text/plain)
2010-09-04 04:19 MDT, Giampiero
Patch to fix display function return value on error (1.71 KB, patch)
2010-09-04 08:50 MDT, Todd C. Miller
Description Giampiero 2010-09-04 04:19:36 MDT
Created attachment 290 [details]
output of sudo -l with sudoers_debug=2

Hi all,
after having configured sudo to retrieve sudoers from LDAP, the command "sudo -l" in version 1.7.3 doesn't show the proper defaults & commands.

If I give the command as root:
athena ~ #  sudo -l
Runas and Command-specific defaults for root:


User root may run the following commands on this host:
    (ALL) ALL
    (ALL) NOPASSWD: ALL

The output doesn't show the defaults.

The same command for any other user:

gentoo@athena ~ $ sudo -l
Runas and Command-specific defaults for gentoo:

The output doesn't show anything.

Attached is also the output of the same commands with sudoers_debug=2, from which it appears that the command correctly matches the results from the LDAP queries without showing the results.

If I switch back to 1.7.2 version (same nss and ldap.conf config) everything works properly.

athena ~ # sudo -l
Runas and Command-specific defaults for root:
    ignore_local_sudoers

User root may run the following commands on this host:
    (ALL) ALL
    (ALL) NOPASSWD: ALL

gentoo@athena ~ $ sudo -l
Runas and Command-specific defaults for gentoo:
    ignore_local_sudoers

User gentoo may run the following commands on this host:
    (ALL) NOPASSWD: ALL

Best regards
Giampiero
Comment 1 Todd C. Miller 2010-09-04 08:05:43 MDT
I don't see an obvious bug in there.  Can you see if "sudo -ll" has the same problem?
Comment 2 Giampiero 2010-09-04 08:22:52 MDT
(In reply to comment #1)
> I don't see an obvious bug in there.  Can you see if "sudo -ll" has the same
> problem?

gentoo@athena ~ $ sudo -l
Runas and Command-specific defaults for gentoo:


gentoo@athena ~ $ sudo -ll
Runas and Command-specific defaults for gentoo:

nothing appears ... while with sudo 1.7.2_p7:

gentoo@athena ~ $ sudo -l
Runas and Command-specific defaults for gentoo:
    ignore_local_sudoers

User gentoo may run the following commands on this host:
    (ALL) NOPASSWD: ALL

gentoo@athena ~ $ sudo -ll
Runas and Command-specific defaults for gentoo:
    ignore_local_sudoers

User gentoo may run the following commands on this host:

LDAP Role: full_admin
    RunAsUsers: ALL
    Options: !authenticate
    Commands:
        ALL

Bye
Giampiero
Comment 3 Todd C. Miller 2010-09-04 08:50:08 MDT
Created attachment 291 [details]
Patch to fix display function return value on error

Can you try the attached list.patch and see if it changes things?
Comment 4 Giampiero 2010-09-04 10:24:39 MDT
(In reply to comment #3)
> Created attachment 291 [details]
> Patch to fix display function return value on error
> 
> Can you try the attached list.patch and see if it changes things?

Hi, it seems to solve the problem:

gentoo@athena ~/src/sudo-1.7.3 $ /usr/local/bin/sudo -l
Matching Defaults entries for gentoo on this host:
    ignore_local_sudoers

User gentoo may run the following commands on this host:
    (ALL) NOPASSWD: ALL

gentoo@athena ~/src/sudo-1.7.3 $ /usr/local/bin/sudo -ll
Matching Defaults entries for gentoo on this host:
    ignore_local_sudoers

User gentoo may run the following commands on this host:

LDAP Role: full_admin
    RunAsUsers: ALL
    Options: !authenticate
    Commands:
        ALL

athena sudo-1.7.3 # /usr/local/bin/sudo -l
Matching Defaults entries for root on this host:
    ignore_local_sudoers

User root may run the following commands on this host:
    (ALL) ALL
    (ALL) NOPASSWD: ALL
athena sudo-1.7.3 # /usr/local/bin/sudo -ll
Matching Defaults entries for root on this host:
    ignore_local_sudoers

User root may run the following commands on this host:

LDAP Role: root
    RunAsUsers: ALL
    Commands:
        ALL

LDAP Role: full_admin
    RunAsUsers: ALL
    Options: !authenticate
    Commands:
        ALL

thanks!
Giampiero
Comment 5 Giampiero 2010-09-14 15:18:54 MDT
Hi 
will the patch be included in the next release?
regards
Giampiero
Comment 6 Todd C. Miller 2010-09-14 16:27:25 MDT
The fix is present in sudo 1.7.4p4, which is out now.
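
A check for the symptom reported in this bug, as an added example that is not part of the bug thread or of sudo itself: it reads `sudo -l` output and reports whether the defaults and command sections contain entries. The function name `sudo_list_check` and the verdict words are this example's own, and the sample inputs are copied from the outputs quoted in the comments above.

```shell
#!/bin/sh
# Added example: classify `sudo -l` output read on stdin.
# Verdicts (names are this example's own, not sudo's):
#   ok              command entries listed, no empty defaults header
#   defaults-empty  defaults header printed with no entries under it
#   truncated       defaults header printed, no entries, no command section
#   no-entries      nothing recognisable was listed
# Typical use: sudo -n -l | sudo_list_check
sudo_list_check() {
    awk '
        # Defaults header: wording in 1.7.2/1.7.3, then in the patched build.
        /^(Runas and Command-specific defaults for|Matching Defaults entries for) / {
            sect = "d"; dhdr = 1; next
        }
        /^User .* may run the following commands on / { sect = "c"; chdr = 1; next }
        # Indented, non-blank lines are entries of the current section.
        /^[ \t]+[^ \t]/ { if (sect == "d") nd++; else if (sect == "c") nc++ }
        END {
            if (dhdr && nd == 0 && !chdr) print "truncated"
            else if (dhdr && nd == 0)     print "defaults-empty"
            else if (nc > 0)              print "ok"
            else                          print "no-entries"
        }'
}

# Sample inputs copied from the outputs quoted in this bug report.
sample_173_user() {
    printf '%s\n' 'Runas and Command-specific defaults for gentoo:' ''
}
sample_173_root() {
    printf '%s\n' 'Runas and Command-specific defaults for root:' '' '' \
        'User root may run the following commands on this host:' \
        '    (ALL) ALL' '    (ALL) NOPASSWD: ALL'
}
sample_patched_user() {
    printf '%s\n' 'Matching Defaults entries for gentoo on this host:' \
        '    ignore_local_sudoers' '' \
        'User gentoo may run the following commands on this host:' \
        '    (ALL) NOPASSWD: ALL'
}

for s in sample_173_user sample_173_root sample_patched_user; do
    printf '%s: %s\n' "$s" "$("$s" | sudo_list_check)"
done
```

A `truncated` or `defaults-empty` verdict only says the listing is incomplete; it says nothing about which rules sudo actually enforces, so privilege audits on affected hosts should read the LDAP entries directly.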