Bugzilla – Bug 600
sudo -K && sudo id => not asking password with ldap
Last modified: 2013-09-30 09:40:23 MDT
if i understand correctly, then sudo -K should clear /var/db/sudo/$USER and it will ask for password again when next sudo is ran. however seems it does not ask. oddly enough "sudo -l" *does* ask while "sudo id" *does not*. from some testing i have identified that this is occouring when i have !tty_tickets coming from ldap: my .ldif: dn: cn=%wheel, ou=Sudo, dc=example,dc=net sudoUser: %wheel sudoRunAsUser: ALL sudoCommand: ALL sudoHost: ALL objectClass: top objectClass: sudoRole sudoOption: !tty_tickets cn: %wheel i'm being member of wheel group, so the rule applies to me: $ sudo -l User glen may run the following commands on this host: (ALL) ALL (somewhy !tty_tickets not visible in output) so, for the sake of clear test, remove sudo db with root manually. # rm -rf /var/db/sudo/* $ sudo id We trust you have received the usual lecture from the local System Administrator. It usually boils down to these three things: #1) Respect the privacy of others. #2) Think before you type. #3) With great power comes great responsibility. [sudo] password for glen: uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel) second call will not ask password: $ sudo id uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel) sudo -k/-K have no effect (no password prompt, command just executed): $ sudo -k $ sudo id uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel) $ sudo -K $ sudo id uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel) $ sudo date Mon May 20 18:44:21 EEST 2013 db contents, dir timestamp matches time of last sudo command: # LC_ALL=C ls -la --full /var/db/sudo/glen/ total 0 drwx------ 2 root glen 6 2013-05-20 18:44:21.517724690 +0300 ./ drwx------ 3 root root 17 2013-05-20 18:41:43.972035660 +0300 ../ if i add the same !tty_tickets as a workaround to local static /etc/sudoers file, the -k and -K start to work as expected: # echo 'Defaults !tty_tickets' >> /etc/sudoers second test, where !tty_tickets present in local sudoers as well, this time !tty_tickets is shown: $ sudo -l Matching Defaults entries for glen on this host: !tty_tickets User glen may run the following commands on this host: (ALL) ALL ok, so clear the db and same tests # rm -rf /var/db/sudo/* $ sudo id We trust you have received the usual lecture from the local System Administrator. It usually boils down to these three things: #1) Respect the privacy of others. #2) Think before you type. #3) With great power comes great responsibility. [sudo] password for glen: uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel) $ sudo id uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel) $ sudo -k $ sudo id [sudo] password for glen: uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel) $ sudo -K $ sudo id We trust you have received the usual lecture from the local System Administrator. It usually boils down to these three things: #1) Respect the privacy of others. #2) Think before you type. #3) With great power comes great responsibility. [sudo] password for glen: uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel) $ sudo date Mon May 20 18:49:19 EEST 2013 # LC_ALL=C ls -la --full /var/db/sudo/glen/ total 0 drwx------ 2 root glen 6 2013-05-20 18:49:19.155508353 +0300 ./ drwx------ 3 root root 17 2013-05-20 18:49:14.958778938 +0300 ../ 18:50:32 root[load: 0.83]@pythia ~#
Please include the sudo version and the Linux distro and version.
pld linux (th) sudo-1.7.9p1-1.x86_64 sudo-1.8.6p8-1.x86_64
./configure options can be seen from sudo.spec: http://git.pld-linux.org/?p=packages/sudo.git;a=tree
So with *no* /etc/sudoers file and only data in LDAP you see the problem but with an /etc/sudoers file that *only* contains: Defaults !tty_tickets it works as expected? I suspect the problem is simply that "sudo -k / -K" only looks at the global defaults since no command was actually run. An LDAP-only workaround would be to add: dn: cn=defaults, ou=Sudo, dc=example,dc=net objectClass: top objectClass: sudoRole cn: defaults description: Default sudoOption's go here sudoOption: !tty_tickets to your ldif. Ie: make the !tty_tickets a global setting and not a per-command setting.
> So with *no* /etc/sudoers file and only data in LDAP you see the > problem but with an /etc/sudoers file that *only* contains: > > Defaults !tty_tickets > > it works as expected? exactly! $ sudo id sudo: unable to stat /etc/sudoers: No such file or directory uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel) $ sudo -k sudo: unable to stat /etc/sudoers: No such file or directory $ sudo id sudo: unable to stat /etc/sudoers: No such file or directory uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel) > I suspect the problem is simply that "sudo -k / -K" only looks at the > global defaults since no command was actually run. An LDAP-only > workaround would be to add: > dn: cn=defaults, ou=Sudo, dc=example,dc=net > objectClass: top > objectClass: sudoRole > cn: defaults > description: Default sudoOption's go here > sudoOption: !tty_tickets yes, that made the trick: $ sudo id sudo: unable to stat /etc/sudoers: No such file or directory uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel) $ sudo -k sudo: unable to stat /etc/sudoers: No such file or directory $ sudo id sudo: unable to stat /etc/sudoers: No such file or directory [sudo] password for glen: uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel) $ so, this is something expected, or there really is a bug?
I can understand how it is confusing but I don't think it is realy a bug.