Bugzilla – Bug 717
Referencing a netgroup with multiple triplets from sudoHost and sudoUser
Last modified: 2016-03-17 10:22:04 MDT
I'm not sure whether this is an RFE or a bug, so let me try to explain the issue.

When there are multiple triplets in a netgroup LDAP entry:

------
dn: cn=role_linux_admin,ou=netgroup,dc=example,dc=com
objectClass: nisNetgroup
objectClass: top
cn: role_linux_admin
nisNetgroupTriple: (server1.example.com,user101,)
nisNetgroupTriple: (server2.example.com,user201,)
nisNetgroupTriple: (,user301,)
------

and we reference this netgroup from the sudoHost and sudoUser:

------
dn: cn=sudo_rule_admin,ou=sudoers,dc=example,dc=com
objectClass: top
objectClass: sudoRole
cn: sudo_rule_admin
description: Test commands
sudoCommand: /sbin/service httpd start
sudoCommand: /sbin/service httpd stop
sudoCommand: /sbin/service httpd restart
sudoHost: +role_linux_admin
sudoOption: !authenticate
sudoRunAs: ALL
sudoUser: +role_linux_admin
------

then sudo will allow access for user101 or user201 to other hosts than server1 or server2.

I think that the problem is in the way sudo processes the sudoHost and sudoUser netgroups:

sudoHost: netgr_matches(val, user_host, user_shost, NULL)
sudoUser: netgr_matches(val, NULL, NULL, handle->pw->pw_name)

i.e. not using all the fields for each netgr_matches call. Is this the expected behavior?

Thanks,
Dan K.
Just found a similar question in the mailing list archive but without an answer: http://www.sudo.ws/pipermail/sudo-users/2010-March/004343.html

The documentation refers to the netgroups in sudoHost and sudoUser as "host netgroup" and "user netgroup". So, that should be read as a hint how sudo processes the netgroups, right?
Yes, sudo has always only used either the host or user part of the netgroup but not both together. This is because historically sudo keyed everything on the user name.
Hi,

According to http://linux.die.net/man/5/netgroup, ( ,user, ) means all hosts and all domains. This is in contradiction to how sudo parses netgroups.

I personally think that this can be configured as a security bug, since netgroups with hosts and/or domains can be parsed anyway in sudoUser, and netgroups with users can be parsed anyway as sudoHost.

Am I correct? Do you also think that this is a security bug? What do you think about it?

Thanks,
Daniele
Sorry, I don't agree. The netgroup API allows the caller to specify which parts of the tuple are to be matched. This is something that could be documented better for sure.
Hi Todd, do you see this issue as worth resolving as an RFE? i.e. introducing a new option to change the netgroup matching behavior?
Yes, I think that makes the most sense. Perhaps something like a netgroup_tuple option.
Just to give an update on this: I'm working on a patch for this issue, i.e. implementing the netgroup_tuple option. We are testing it currently and once I have a confirmation that it's working properly, I'll attach it here.

Regards,
Dan K.
Created attachment 465: experimental patch
I've adapted this diff to sudo trunk: https://www.sudo.ws/repos/sudo/rev/9f694ba7c86d
(In reply to Todd C Miller from comment #9)
> I've adapted this diff to sudo trunk:
> https://www.sudo.ws/repos/sudo/rev/9f694ba7c86d

Great, thanks!
Fixed in 1.8.16, available now.