From: stefan.maass at syniverse.com (Stefan Maass)
Date: Mon, 7 Nov 2016 10:52:37 +0000
Subject: issue with sudo_ldap
Message-ID: <692ADCA484924641B07B865E8150815554A40EF0@AMSMBX01.ad.syniverse.com>

Hi Dagobert,

It looks like we ran into a new issue and I hope you are the right person to contact. At least I can see that the package which (I think) is involved has been packaged by you.

I have recently done an upgrade of a few packages including sudo and sudo_ldap on a few nodes. The former versions were as follows:

CSWsudo      VERSION: 1.8.16,REV=2016.03.18
CSWsudo-ldap VERSION: 1.8.16,REV=2016.03.18

The new versions are:

CSWsudo      VERSION: 1.8.18,REV=2016.09.21
CSWsudo-ldap VERSION: 1.8.18,REV=2016.09.21

Interestingly, on the servers with the older version and also on the servers with the newer version the command /opt/csw/bin/pkgutil --version CSWsudo-ldap shows 2.6.7. So it looks like it is in fact the same package.

The issue that we have is that since I have upgraded the sudo packages, LDAP users are not able to use sudo anymore, as it seems that the information from the LDAP server is not received.

This example output is from a server where sudo works:

pts/23|root at fr4u-gen-chs-app001:/root# sudo su - g701806
sudo: start_tls specified but LDAP libs do not support ldap_start_tls_s() or ldap_start_tls_s_np()
Oracle Corporation      SunOS 5.10      Generic Patch   January 2005
LOGIN NAME: g701806
ORACLE DATABASE: chdev
Clearing House profile executed.
development environment for server fr4u-gen-chs-app001 set!
fr4u-gen-chs-app001:DEVELOP&chdev&/ldap/home/g701806: sudo su -
sudo: start_tls specified but LDAP libs do not support ldap_start_tls_s() or ldap_start_tls_s_np()
Oracle Corporation      SunOS 5.10      Generic Patch   January 2005
pts/23|root at fr4u-gen-chs-app001:/root# ^D
fr4u-gen-chs-app001:DEVELOP&chdev&/ldap/home/g701806: sudo -l
sudo: start_tls specified but LDAP libs do not support ldap_start_tls_s() or ldap_start_tls_s_np()
Matching Defaults entries for g701806 on fr4u-gen-chs-app001:
    loglinelen=0, logfile=/var/adm/sudolog, ignore_dot, !mail_no_user, log_host, logfile=/var/log/sudolog, !syslog,
    timestamp_timeout=10, !authenticate

User g701806 may run the following commands on fr4u-gen-chs-app001:
    (root) ALL

This example output is from a server where sudo does not work:

pts/5|root at fr4u-gen-chs-app002:/var/log# sudo su - g701806
sudo: start_tls specified but LDAP libs do not support ldap_start_tls_s() or ldap_start_tls_s_np()
Oracle Corporation      SunOS 5.10      Generic Patch   January 2005
LOGIN NAME: g701806
ORACLE DATABASE: chdev
Clearing House profile executed.
development environment for server fr4u-gen-chs-app002 set!
fr4u-gen-chs-app002:DEVELOP&chdev&/ldap/home/g701806: sudo su -
sudo: start_tls specified but LDAP libs do not support ldap_start_tls_s() or ldap_start_tls_s_np()
g701806 is not allowed to run sudo on fr4u-gen-chs-app002.  This incident will be reported.
fr4u-gen-chs-app002:DEVELOP&chdev&/ldap/home/g701806: sudo -l
sudo: start_tls specified but LDAP libs do not support ldap_start_tls_s() or ldap_start_tls_s_np()
Sorry, user g701806 may not run sudo on fr4u-gen-chs-app002.

I am not sure if this output helps, but I have added a line to sudo.conf to debug sudo. So here is what appears in the sudo_debug log when I execute the command "sudo su -" on the server where sudo works:

Nov  7 11:13:42 sudo[535884] settings: progname=sudo
Nov  7 11:13:42 sudo[535884] settings: network_addrs=10.161.120.146/255.255.254.0 10.161.146.17/255.255.255.0 10.161.146.25/255.255.255.0
Nov  7 11:13:42 sudo[535884] settings: plugin_dir=/opt/csw/libexec/sudo/
Nov  7 11:13:43 sudo[535884] policy plugin returns 1
Nov  7 11:13:43 sudo[535884] settings: progname=sudo
Nov  7 11:13:43 sudo[535884] settings: network_addrs=10.161.120.146/255.255.254.0 10.161.146.17/255.255.255.0 10.161.146.25/255.255.255.0
Nov  7 11:13:43 sudo[535884] settings: plugin_dir=/opt/csw/libexec/sudo/
Nov  7 11:13:43 sudo[535884] command info from plugin:
Nov  7 11:13:43 sudo[535884]     0: command=/usr/bin/su
Nov  7 11:13:43 sudo[535884]     1: runas_uid=0
Nov  7 11:13:43 sudo[535884]     2: runas_gid=0
Nov  7 11:13:43 sudo[535884]     3: runas_groups=0,1,2,3,4,5,6,7,8,9,12
Nov  7 11:13:43 sudo[535884]     4: closefrom=3
Nov  7 11:13:43 sudo[535884]     5: set_utmp=true
Nov  7 11:13:43 sudo[535884]     6: umask=022
Nov  7 11:13:43 sudo[535884] executed /usr/bin/su, pid 535901
Nov  7 11:13:43 sudo[535884] sudo_ev_add_v1: adding event 44628 to base 4b4d0
Nov  7 11:13:43 sudo[535884] sudo_ev_add_v1: adding event 44668 to base 4b4d0
Nov  7 11:13:43 sudo[535884] signal pipe fd 7
Nov  7 11:13:43 sudo[535884] backchannel fd 9
Nov  7 11:13:43 sudo[535901] exec /usr/bin/su [su -]
Nov  7 11:13:43 sudo[535884] sudo_ev_scan_impl: 1 fds ready
Nov  7 11:13:43 sudo[535884] failed to read child status: EOF
Nov  7 11:13:43 sudo[535884] sudo_ev_del_v1: removing event 44668 from base 4b4d0

And here is the output from the server where sudo does not work:

Nov  7 11:12:02 sudo[152587] will restore signal 13 on exec
Nov  7 11:12:02 sudo[152587] settings: progname=sudo
Nov  7 11:12:02 sudo[152587] settings: network_addrs=10.161.120.147/255.255.254.0 10.161.146.18/255.255.255.0 10.161.146.26/255.255.255.0
Nov  7 11:12:02 sudo[152587] settings: plugin_dir=/opt/csw/libexec/sudo/
Nov  7 11:12:02 sudo[152587] policy plugin returns 0

Thanks and Regards,

...................................................................................................................
Dipl.-Ing. Stefan Maaß | System Support UNIX/DB
+49 (6142) 7383 574 office | +49 (6142) 7383 33 574 fax
Syniverse Technologies GmbH | Eisenstraße 9b, 65428 D-Rüsselsheim
stefan.maass at syniverse.com | www.syniverse.com
...................................................................................................................
Find Syniverse on Facebook | Follow Syniverse on Twitter

Syniverse Technologies GmbH, Eisenstr. 9b, D-65428 Rüsselsheim
Geschäftsführung: Dr. Guido Reißner, Laura E. Binion, Bob Francis Reich, Thomas P. Ford
Amtsgericht Darmstadt, HRB 84288
USt-ID: DE814572551

The information in this email and in any attachments is confidential and intended solely for the attention and use of the named addressee(s). This information may be subject to legal, professional or other privilege or may otherwise be protected by work product immunity or other legal rules. It must not be disclosed to any person without our authority. If you are not the intended recipient, or a person responsible for delivering it to the intended recipient, you are not authorised to and must not disclose, copy, distribute, or retain this message or any part of it. Please contact the sender by reply e-mail and destroy all copies of the original message.

From: dam at opencsw.org (Dagobert Michelsen)
Date: Mon, 7 Nov 2016 13:09:34 +0100
Subject: issue with sudo_ldap
In-Reply-To: <692ADCA484924641B07B865E8150815554A40EF0@AMSMBX01.ad.syniverse.com>
References: <692ADCA484924641B07B865E8150815554A40EF0@AMSMBX01.ad.syniverse.com>

Hi Stefan,

On 07.11.2016 at 11:52, Stefan Maass wrote:
> It looks like we ran into a new issue and I hope you are the right person to contact. At least I can see that the package which (I think) is involved has been packaged by you.
>
> I have recently done an upgrade of a few packages including sudo and sudo_ldap on a few nodes. The former versions were as follows:
>
> CSWsudo      VERSION: 1.8.16,REV=2016.03.18
> CSWsudo-ldap VERSION: 1.8.16,REV=2016.03.18
>
> The new versions are:
>
> CSWsudo      VERSION: 1.8.18,REV=2016.09.21
> CSWsudo-ldap VERSION: 1.8.18,REV=2016.09.21
>
> Interestingly, on the servers with the older version and also on the servers with the newer version the command /opt/csw/bin/pkgutil --version CSWsudo-ldap shows 2.6.7. So it looks like it is in fact the same package.

pkgutil --version shows the version of pkgutil. Try

    dam at unstable10s [unstable10s]:/home/dam > pkgutil -c sudo sudo_ldap
    You're not root and didn't set -W, using home dir.
    => Fetching new catalog and descriptions (file:///export/mirror/opencsw-official/unstable/sparc/5.10) if available ...
    ==> 3948 packages loaded from /home/dam/.pkgutil/catalog._export_mirror_opencsw-official_unstable_sparc_5.10
    package          installed                     catalog
    CSWsudo          1.8.18p1,REV=2016.10.28       SAME

> The issue that we have is that since I have upgraded the sudo packages, LDAP users are not able to use sudo anymore, as it seems that the information from the LDAP server is not received.
> [...]
> And here is the output from the server where sudo does not work:
>
> Nov  7 11:12:02 sudo[152587] will restore signal 13 on exec
> Nov  7 11:12:02 sudo[152587] settings: progname=sudo
> Nov  7 11:12:02 sudo[152587] settings: network_addrs=10.161.120.147/255.255.254.0 10.161.146.18/255.255.255.0 10.161.146.26/255.255.255.0
> Nov  7 11:12:02 sudo[152587] settings: plugin_dir=/opt/csw/libexec/sudo/
> Nov  7 11:12:02 sudo[152587] policy plugin returns 0

Maybe a look in the Changelog helps:
  https://www.sudo.ws/changes.html

  * plugins/sudoers/ldap.c, plugins/sudoers/sssd.c:
    Fix matching when no sudoRunAsUser is present in a sudoRole. If only a sudoRunAsGroup is present, match on the invoking user if the -g option was specified and the group matched. If no sudoRunAsGroup is present and the -g option was specified, allow it if it matches the passwd gid of the runas user. This matches the behavior of the sudoers backend. [e1a52c34da5e]

There are also a few other changes; I suggest you take a look and make sure you didn't hit one of these before digging in further. You may also want to cc: sudo-users@:
  https://www.sudo.ws/mailman/listinfo/sudo-users

Best regards -- Dago

--
"You don't become great by trying to be great, you become great by wanting to do something, and then doing it so hard that you become great in the process." - xkcd #896

From: stefan.maass at syniverse.com (Stefan Maass)
Date: Mon, 7 Nov 2016 13:56:39 +0000
Subject: Re: issue with sudo_ldap
References: <692ADCA484924641B07B865E8150815554A40EF0@AMSMBX01.ad.syniverse.com>
Message-ID: <692ADCA484924641B07B865E8150815554A413EF@AMSMBX01.ad.syniverse.com>

Hi Dagobert,

Thanks for your reply!

I had seen the entry in the change log that you have mentioned below and I have tried using the -g switch as well, but it did not change anything. It just added one line to the output of the debug log; other than that it does nothing and I am still not allowed to sudo as I was in the former sudo version.

Nov  7 13:37:36 sudo[158099] will restore signal 13 on exec
Nov  7 13:37:36 sudo[158099] settings: runas_group=global_sysadmin
Nov  7 13:37:36 sudo[158099] settings: progname=sudo
Nov  7 13:37:36 sudo[158099] settings: network_addrs=10.161.120.147/255.255.254.0 10.161.146.18/255.255.255.0 10.161.146.26/255.255.255.0
Nov  7 13:37:36 sudo[158099] settings: plugin_dir=/opt/csw/libexec/sudo/
Nov  7 13:37:36 sudo[158099] policy plugin returns 0

It looks like it does not find the policy in LDAP that matches the right to switch user. The other changes that have been done in regards to LDAP don't say much to me for now, so I am not sure if they could be responsible for what I am facing.

Regards,
Stefan

-----Original Message-----
From: Dagobert Michelsen [mailto:dam at opencsw.org]
Sent: Monday, 7 November 2016 13:10
To: Stefan Maass
Cc: users at lists.opencsw.org
Subject: Re: issue with sudo_ldap

> [...]

From: dam at opencsw.org (Dagobert Michelsen)
Date: Mon, 7 Nov 2016 15:06:09 +0100
Subject: issue with sudo_ldap
In-Reply-To: <692ADCA484924641B07B865E8150815554A413EF@AMSMBX01.ad.syniverse.com>
References: <692ADCA484924641B07B865E8150815554A40EF0@AMSMBX01.ad.syniverse.com> <692ADCA484924641B07B865E8150815554A413EF@AMSMBX01.ad.syniverse.com>
Message-ID: <57D61EE3-69B7-4C03-8FC5-3B1DB12268C6@opencsw.org>

Hi Stefan,

On 07.11.2016 at 14:56, Stefan Maass wrote:
> Thanks for your reply!
>
> I had seen the entry in the change log that you have mentioned below and I have tried using the -g switch as well, but it did not change anything. It just added one line to the output of the debug log; other than that it does nothing and I am still not allowed to sudo as I was in the former sudo version.
>
> Nov  7 13:37:36 sudo[158099] will restore signal 13 on exec
> Nov  7 13:37:36 sudo[158099] settings: runas_group=global_sysadmin
> Nov  7 13:37:36 sudo[158099] settings: progname=sudo
> Nov  7 13:37:36 sudo[158099] settings: network_addrs=10.161.120.147/255.255.254.0 10.161.146.18/255.255.255.0 10.161.146.26/255.255.255.0
> Nov  7 13:37:36 sudo[158099] settings: plugin_dir=/opt/csw/libexec/sudo/
> Nov  7 13:37:36 sudo[158099] policy plugin returns 0
>
> It looks like it does not find the policy in LDAP that matches the right to switch user.

Maybe you can enable request logging on your LDAP server and see what the SEARCH request looks like?

> The other changes that have been done in regards to LDAP don't say much to me for now, so I am not sure if they could be responsible for what I am facing.

Apart from that I would expect an upstream issue, as nothing has changed from the build perspective for OpenCSW.

Best regards -- Dago

From: stefan.maass at syniverse.com (Stefan Maass)
Date: Tue, 8 Nov 2016 08:01:54 +0000
Subject: Re: issue with sudo_ldap
In-Reply-To: <57D61EE3-69B7-4C03-8FC5-3B1DB12268C6@opencsw.org>
References: <692ADCA484924641B07B865E8150815554A40EF0@AMSMBX01.ad.syniverse.com> <692ADCA484924641B07B865E8150815554A413EF@AMSMBX01.ad.syniverse.com> <57D61EE3-69B7-4C03-8FC5-3B1DB12268C6@opencsw.org>
Message-ID: <692ADCA484924641B07B865E8150815554A42DE9@AMSMBX01.ad.syniverse.com>

Hi Dagobert,

I checked out the logs on our LDAP server and to me it looks quite similar. At least it looks like all the information from the client has been submitted to the server.

Log output from the LDAP server for the session from the server that does not work:

[root at fr4p-gen-inf-ldp002 slapd-fr4p-gen-inf-ldp002]# grep 5338229 access
[07/Nov/2016:17:09:10 +0100] conn=5338229 fd=162 slot=162 connection from 10.161.28.4 to 10.161.28.6
[07/Nov/2016:17:09:10 +0100] conn=5338229 op=0 BIND dn="uid=puser,ou=people,dc=syniverse,dc=com" method=128 version=3
[07/Nov/2016:17:09:10 +0100] conn=5338229 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=puser,ou=people,dc=syniverse,dc=com"
[07/Nov/2016:17:09:10 +0100] conn=5338229 op=1 SRCH base="ou=sudoers,dc=syniverse,dc=com" scope=2 filter="(&(objectClass=sudoRole)(cn=defaults))" attrs=ALL
[07/Nov/2016:17:09:10 +0100] conn=5338229 op=1 RESULT err=0 tag=101 nentries=1 etime=0
[07/Nov/2016:17:09:10 +0100] conn=5338229 op=2 SRCH base="ou=sudoers,dc=syniverse,dc=com" scope=2 filter="(&(objectClass=sudoRole)(|(sudoUser=g701806)(sudoUser=%#40347)(sudoUser=%global_sysadmin)(sudoUser=%chs_sysadmin_prod)(sudoUser=%chs_dba_prod)(sudoUser=%#50000)(sudoUser=%#50191)(sudoUser=%#50203)(sudoUser=ALL)))" attrs=ALL
[07/Nov/2016:17:09:10 +0100] conn=5338229 op=2 RESULT err=0 tag=101 nentries=14 etime=0 notes=U
[07/Nov/2016:17:09:10 +0100] conn=5338229 op=3 SRCH base="ou=sudoers,dc=syniverse,dc=com" scope=2 filter="(&(objectClass=sudoRole)(sudoUser=*)(sudoUser=+*))" attrs=ALL
[07/Nov/2016:17:09:10 +0100] conn=5338229 op=3 RESULT err=0 tag=101 nentries=0 etime=0 notes=U
[07/Nov/2016:17:09:10 +0100] conn=5338229 op=-1 fd=162 closed - B1

Log output from the LDAP server for the session from the server that does work:

[root at fr4p-gen-inf-ldp001 slapd-fr4p-gen-inf-ldp001]# grep 3086148 access
[07/Nov/2016:17:10:21 +0100] conn=3086148 fd=97 slot=97 connection from 10.161.28.4 to 10.161.28.5
[07/Nov/2016:17:10:21 +0100] conn=3086148 op=0 BIND dn="uid=puser,ou=people,dc=syniverse,dc=com" method=128 version=3
[07/Nov/2016:17:10:21 +0100] conn=3086148 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=puser,ou=people,dc=syniverse,dc=com"
[07/Nov/2016:17:10:21 +0100] conn=3086148 op=1 SRCH base="ou=sudoers,dc=syniverse,dc=com" scope=2 filter="(&(objectClass=sudoRole)(cn=defaults))" attrs=ALL
[07/Nov/2016:17:10:21 +0100] conn=3086148 op=1 RESULT err=0 tag=101 nentries=1 etime=0
[07/Nov/2016:17:10:21 +0100] conn=3086148 op=2 SRCH base="ou=sudoers,dc=syniverse,dc=com" scope=2 filter="(&(objectClass=sudoRole)(|(sudoUser=g701806)(sudoUser=%g701806)(sudoUser=%#40347)(sudoUser=%global_sysadmin)(sudoUser=%chs_dba_prod)(sudoUser=%chs_sysadmin_prod)(sudoUser=%ic_opsadm_prod)(sudoUser=%chs_opsadmin_prod)(sudoUser=%comm_opsadmin_prod)(sudoUser=%#50000)(sudoUser=%#50203)(sudoUser=%#50191)(sudoUser=%#50463)(sudoUser=%#50518)(sudoUser=%#50544)(sudoUser=ALL)))" attrs=ALL
[07/Nov/2016:17:10:21 +0100] conn=3086148 op=2 RESULT err=0 tag=101 nentries=17 etime=0 notes=U
[07/Nov/2016:17:10:21 +0100] conn=3086148 op=3 SRCH base="ou=sudoers,dc=syniverse,dc=com" scope=2 filter="(&(objectClass=sudoRole)(sudoUser=*)(sudoUser=+*))" attrs=ALL
[07/Nov/2016:17:10:21 +0100] conn=3086148 op=3 RESULT err=0 tag=101 nentries=0 etime=0 notes=U
[07/Nov/2016:17:10:21 +0100] conn=3086148 op=4 UNBIND
[07/Nov/2016:17:10:21 +0100] conn=3086148 op=4 fd=97 closed - U1

Regards,
Stefan

-----Original Message-----
From: Dagobert Michelsen [mailto:dam at opencsw.org]
Sent: Monday, 7 November 2016 15:06
To: Stefan Maass
Cc: users at lists.opencsw.org; sudo-users at sudo.ws
Subject: Re: issue with sudo_ldap

> [...]

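The two access-log sessions in the message above differ in more than the entry counts. As an added example that is not part of the thread and is not tooling from OpenCSW or the sudo project, the following Python script parses 389 Directory Server style access-log lines of that shape, groups them per connection, and reports for each connection the bind DN, every SRCH filter with its result code and entry count, the disconnect code, and which sudoUser terms one client's filter contains that the other's lacks. The sample lines are constructed from the excerpt above with the long sudoUser filters shortened; the disconnect code (B1 versus U1 in the excerpt) is recorded as the server logged it, without interpretation. What such a comparison can and cannot show: the server log records what each client asked for and how many entries came back, but the sudoHost comparison that decides host_matches runs on the client after the entries are returned, so a search that returns entries is not by itself evidence that a role applies to that host.

```python
import re
from collections import defaultdict

# Constructed sample, cut down from the two sessions quoted in the thread
# (same connection ids, bind DN and close codes; the sudoUser filters are shortened).
SAMPLE_ACCESS_LOG = """\
[07/Nov/2016:17:09:10 +0100] conn=5338229 fd=162 slot=162 connection from 10.161.28.4 to 10.161.28.6
[07/Nov/2016:17:09:10 +0100] conn=5338229 op=0 BIND dn="uid=puser,ou=people,dc=syniverse,dc=com" method=128 version=3
[07/Nov/2016:17:09:10 +0100] conn=5338229 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=puser,ou=people,dc=syniverse,dc=com"
[07/Nov/2016:17:09:10 +0100] conn=5338229 op=1 SRCH base="ou=sudoers,dc=syniverse,dc=com" scope=2 filter="(&(objectClass=sudoRole)(cn=defaults))" attrs=ALL
[07/Nov/2016:17:09:10 +0100] conn=5338229 op=1 RESULT err=0 tag=101 nentries=1 etime=0
[07/Nov/2016:17:09:10 +0100] conn=5338229 op=2 SRCH base="ou=sudoers,dc=syniverse,dc=com" scope=2 filter="(&(objectClass=sudoRole)(|(sudoUser=g701806)(sudoUser=%#40347)(sudoUser=%global_sysadmin)(sudoUser=%chs_sysadmin_prod)(sudoUser=ALL)))" attrs=ALL
[07/Nov/2016:17:09:10 +0100] conn=5338229 op=2 RESULT err=0 tag=101 nentries=14 etime=0 notes=U
[07/Nov/2016:17:09:10 +0100] conn=5338229 op=-1 fd=162 closed - B1
[07/Nov/2016:17:10:21 +0100] conn=3086148 fd=97 slot=97 connection from 10.161.28.4 to 10.161.28.5
[07/Nov/2016:17:10:21 +0100] conn=3086148 op=0 BIND dn="uid=puser,ou=people,dc=syniverse,dc=com" method=128 version=3
[07/Nov/2016:17:10:21 +0100] conn=3086148 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=puser,ou=people,dc=syniverse,dc=com"
[07/Nov/2016:17:10:21 +0100] conn=3086148 op=2 SRCH base="ou=sudoers,dc=syniverse,dc=com" scope=2 filter="(&(objectClass=sudoRole)(|(sudoUser=g701806)(sudoUser=%g701806)(sudoUser=%#40347)(sudoUser=%global_sysadmin)(sudoUser=%chs_sysadmin_prod)(sudoUser=%ic_opsadm_prod)(sudoUser=ALL)))" attrs=ALL
[07/Nov/2016:17:10:21 +0100] conn=3086148 op=2 RESULT err=0 tag=101 nentries=17 etime=0 notes=U
[07/Nov/2016:17:10:21 +0100] conn=3086148 op=4 UNBIND
[07/Nov/2016:17:10:21 +0100] conn=3086148 op=4 fd=97 closed - U1
"""

# One regex per record type we care about; everything else on a connection is ignored.
LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) (?P<rest>.*)$")
BIND_RE = re.compile(r'^op=\d+ BIND dn="(?P<dn>[^"]*)"')
SRCH_RE = re.compile(r'^op=(?P<op>\d+) SRCH base="(?P<base>[^"]*)" scope=(?P<scope>\d+) filter="(?P<filter>[^"]*)"')
RESULT_RE = re.compile(r"^op=(?P<op>\d+) RESULT err=(?P<err>\d+) tag=\d+ nentries=(?P<n>\d+)")
CLOSE_RE = re.compile(r"closed - (?P<code>\S+)$")
SUDOUSER_RE = re.compile(r"\(sudoUser=([^)]*)\)")


def parse_access_log(lines):
    """Group access-log lines by connection id.

    Returns {conn: {"bind_dn": str|None, "searches": {op: {...}}, "closed": str|None}}.
    A RESULT line is attached to the SRCH with the same op number; the BIND's
    own RESULT (op=0 here) has no search and is skipped.
    """
    sessions = defaultdict(lambda: {"bind_dn": None, "searches": {}, "closed": None})
    for line in lines:
        m = LINE_RE.match(line.rstrip("\n"))
        if not m:
            continue
        sess, rest = sessions[m["conn"]], m["rest"]
        if (b := BIND_RE.match(rest)):
            sess["bind_dn"] = b["dn"]
        elif (q := SRCH_RE.match(rest)):
            sess["searches"][q["op"]] = {"base": q["base"], "scope": int(q["scope"]),
                                         "filter": q["filter"], "err": None, "nentries": None}
        elif (r := RESULT_RE.match(rest)) and r["op"] in sess["searches"]:
            sess["searches"][r["op"]].update(err=int(r["err"]), nentries=int(r["n"]))
        elif (c := CLOSE_RE.search(rest)):
            sess["closed"] = c["code"]  # server-side disconnect code, kept verbatim
    return dict(sessions)


def sudo_user_terms(session):
    """Every sudoUser value the client put into any of its search filters."""
    terms = set()
    for srch in session["searches"].values():
        terms.update(SUDOUSER_RE.findall(srch["filter"]))
    return terms


def compare_sudo_user_terms(a, b):
    """(terms only in a's filters, terms only in b's filters)."""
    ta, tb = sudo_user_terms(a), sudo_user_terms(b)
    return ta - tb, tb - ta


def describe(conn, sess):
    """Human-readable summary of one connection, one line per search."""
    lines = ["conn=%s bind_dn=%s closed=%s" % (conn, sess["bind_dn"], sess["closed"])]
    for op, s in sorted(sess["searches"].items(), key=lambda kv: int(kv[0])):
        lines.append("  op=%s scope=%d err=%s nentries=%s filter=%s"
                     % (op, s["scope"], s["err"], s["nentries"], s["filter"]))
    return lines


if __name__ == "__main__":
    sessions = parse_access_log(SAMPLE_ACCESS_LOG.splitlines())
    for conn, sess in sessions.items():
        print("\n".join(describe(conn, sess)))
    only_bad, only_good = compare_sudo_user_terms(sessions["5338229"], sessions["3086148"])
    print("sudoUser terms only in the failing client's filter:", sorted(only_bad))
    print("sudoUser terms only in the working client's filter:", sorted(only_good))
```

Run it against a real access log with parse_access_log(open("access")) and pick the two connection ids with grep as in the excerpt; the per-connection summary is what to keep alongside the client-side sudo debug output when comparing a working and a failing node.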
From: stefan.maass at syniverse.com (Stefan Maass) Date: Tue, 8 Nov 2016 15:57:09 +0000 Subject: AW: issue with sudo_ldap References: <692ADCA484924641B07B865E8150815554A40EF0@AMSMBX01.ad.syniverse.com> Message-ID: <692ADCA484924641B07B865E8150815554A44542@AMSMBX01.ad.syniverse.com> Hi Dagobert, Digging a little deeper it looks like there is an issue with the sudoHost part. I have enabled debugging in /etc/opt/csw/ldap.conf and the result shows that it does not recognize any of the netgroups. Even if we added the one host that I am testing on explicitely it does not recognize it. We have played around with that a bit and as the sudo manpage that "Negated sudoHost entries are only supported by version 1.8.18 or higher.", we have created a negated sudoHost entry in LDAP which did not have any effect. So it looks like every sudoHost entry is being negated in general. Here is the output of the debugged sudo command to switch to a specific user and then "sudo -l" which shows that it does not find any sudoHost entry matching. This output is from when we had the specific host am1p-gen-chs-app001 negated, but it looks exactly the same if it is not negated. 
pts/1|root at am1p-gen-chs-app001:/etc/opt/csw# sudo su - g706553
sudo: LDAP Config Summary
sudo: ===================
sudo: host am1p-gen-inf-ldp001.am1.syniverse.com,am1p-gen-inf-ldp002.am1.syniverse.com,fr4p-gen-inf-ldp001.fr4.syniverse.com,fr4p-gen-inf-ldp002.fr4.syniverse.com
sudo: port -1
sudo: ldap_version 3
sudo: sudoers_base ou=sudoers,dc=syniverse,dc=com
sudo: search_filter (objectClass=sudoRole)
sudo: netgroup_base (NONE: will use nsswitch)
sudo: netgroup_search_filter (objectClass=nisNetgroup)
sudo: binddn uid=puser,ou=people,dc=syniverse,dc=com
sudo: bindpw
sudo: ssl start_tls
sudo: tls_cacertdir /etc/opt/csw/ssl/certs
sudo: ===================
sudo: ldap_set_option: debug -> 0
sudo: ldap_set_option: tls_cacertdir -> /etc/opt/csw/ssl/certs
sudo: ldap_init(am1p-gen-inf-ldp001.am1.syniverse.com,am1p-gen-inf-ldp002.am1.syniverse.com,fr4p-gen-inf-ldp001.fr4.syniverse.com,fr4p-gen-inf-ldp002.fr4.syniverse.com, 389)
sudo: ldap_set_option: ldap_version -> 3
sudo: start_tls specified but LDAP libs do not support ldap_start_tls_s() or ldap_start_tls_s_np()
sudo: ldap_simple_bind_s() ok
sudo: Looking for cn=defaults: (&(objectClass=sudoRole)(cn=defaults))
sudo: found:cn=defaults,ou=SUDOers,dc=syniverse,dc=com
sudo: ldap sudoOption: 'ignore_dot'
sudo: ldap sudoOption: '!mail_no_user'
sudo: ldap sudoOption: 'log_host'
sudo: ldap sudoOption: 'logfile=/var/log/sudolog'
sudo: ldap sudoOption: '!syslog'
sudo: ldap sudoOption: 'timestamp_timeout=10'
sudo: ldap sudoOption: '!authenticate'
sudo: ldap sudoOption: 'ignore_dot'
sudo: ldap sudoOption: '!mail_no_user'
sudo: ldap sudoOption: 'log_host'
sudo: ldap sudoOption: 'logfile=/var/log/sudolog'
sudo: ldap sudoOption: '!syslog'
sudo: ldap sudoOption: 'timestamp_timeout=10'
sudo: ldap sudoOption: '!authenticate'
sudo: ldap search '(&(objectClass=sudoRole)(|(sudoUser=root)(sudoUser=%root)(sudoUser=%#0)(sudoUser=%other)(sudoUser=%bin)(sudoUser=%sys)(sudoUser=%adm)(sudoUser=%uucp)(sudoUser=%mail)(sudoUser=%tty)(sudoUser=%lp)(sudoUser=%nuucp)(sudoUser=%daemon)(sudoUser=%#1)(sudoUser=%#2)(sudoUser=%#3)(sudoUser=%#4)(sudoUser=%#5)(sudoUser=%#6)(sudoUser=%#7)(sudoUser=%#8)(sudoUser=%#9)(sudoUser=%#12)(sudoUser=ALL)))'
sudo: searching from base 'ou=sudoers,dc=syniverse,dc=com'
sudo: adding search result
sudo: result now has 0 entries
sudo: ldap search '(&(objectClass=sudoRole)(sudoUser=*)(sudoUser=+*))'
sudo: searching from base 'ou=sudoers,dc=syniverse,dc=com'
sudo: adding search result
sudo: result now has 0 entries
sudo: searching LDAP for sudoers entries
sudo: done with LDAP searches
sudo: user_matches=false
sudo: host_matches=false
sudo: sudo_ldap_lookup(0)=0x02
sudo: removing reusable search result
bash.ori-3.2$ sudo -l
sudo: LDAP Config Summary
sudo: ===================
sudo: host am1p-gen-inf-ldp001.am1.syniverse.com,am1p-gen-inf-ldp002.am1.syniverse.com,fr4p-gen-inf-ldp001.fr4.syniverse.com,fr4p-gen-inf-ldp002.fr4.syniverse.com
sudo: port -1
sudo: ldap_version 3
sudo: sudoers_base ou=sudoers,dc=syniverse,dc=com
sudo: search_filter (objectClass=sudoRole)
sudo: netgroup_base (NONE: will use nsswitch)
sudo: netgroup_search_filter (objectClass=nisNetgroup)
sudo: binddn uid=puser,ou=people,dc=syniverse,dc=com
sudo: bindpw
sudo: ssl start_tls
sudo: tls_cacertdir /etc/opt/csw/ssl/certs
sudo: ===================
sudo: ldap_set_option: debug -> 0
sudo: ldap_set_option: tls_cacertdir -> /etc/opt/csw/ssl/certs
sudo: ldap_init(am1p-gen-inf-ldp001.am1.syniverse.com,am1p-gen-inf-ldp002.am1.syniverse.com,fr4p-gen-inf-ldp001.fr4.syniverse.com,fr4p-gen-inf-ldp002.fr4.syniverse.com, 389)
sudo: ldap_set_option: ldap_version -> 3
sudo: start_tls specified but LDAP libs do not support ldap_start_tls_s() or ldap_start_tls_s_np()
sudo: ldap_simple_bind_s() ok
sudo: Looking for cn=defaults: (&(objectClass=sudoRole)(cn=defaults))
sudo: found:cn=defaults,ou=SUDOers,dc=syniverse,dc=com
sudo: ldap sudoOption: 'ignore_dot'
sudo: ldap sudoOption: '!mail_no_user'
sudo: ldap sudoOption: 'log_host'
sudo: ldap sudoOption: 'logfile=/var/log/sudolog'
sudo: ldap sudoOption: '!syslog'
sudo: ldap sudoOption: 'timestamp_timeout=10'
sudo: ldap sudoOption: '!authenticate'
sudo: ldap sudoOption: 'ignore_dot'
sudo: ldap sudoOption: '!mail_no_user'
sudo: ldap sudoOption: 'log_host'
sudo: ldap sudoOption: 'logfile=/var/log/sudolog'
sudo: ldap sudoOption: '!syslog'
sudo: ldap sudoOption: 'timestamp_timeout=10'
sudo: ldap sudoOption: '!authenticate'
sudo: ldap search '(&(objectClass=sudoRole)(|(sudoUser=g706553)(sudoUser=%g706553)(sudoUser=%#50168)(sudoUser=%prod)(sudoUser=%chs_ind_cust_ops_prod)(sudoUser=%chs_na_cust_ops_prod)(sudoUser=%chs_eu_cust_ops_prod)(sudoUser=%dch_ops_level2_prod)(sudoUser=%#11)(sudoUser=%#50207)(sudoUser=%#50206)(sudoUser=%#50202)(sudoUser=%#50570)(sudoUser=ALL)))'
sudo: searching from base 'ou=sudoers,dc=syniverse,dc=com'
sudo: adding search result
sudo: ldap sudoHost '+hosts_chs_ind_cust_ops_prod' ... not
sudo: ldap sudoHost '+hosts_chs_ind_cust_ops_prod' ... not
sudo: ldap sudoHost '+hosts_chs_na_cust_ops_prod' ... not
sudo: ldap sudoHost '+hosts_chs_na_cust_ops_prod' ... not
sudo: ldap sudoHost '+hosts_chs_eu_cust_ops_prod' ... not
sudo: ldap sudoHost '+hosts_chs_eu_cust_ops_prod' ... not
sudo: ldap sudoHost '+hosts_chs_eu_cust_ops_prod' ... not
sudo: ldap sudoHost '+hosts_chs_eu_cust_ops_prod' ... not
sudo: ldap sudoHost '+hosts_chs_eu_cust_ops_prod' ... not
sudo: ldap sudoHost '+hosts_chs_eu_cust_ops_prod' ... not
sudo: ldap sudoHost '+hosts_chs_eu_cust_ops_prod' ... not
sudo: ldap sudoHost '+hosts_chs_eu_cust_ops_prod' ... not
sudo: ldap sudoHost '+hosts_chs_na_cust_ops_prod' ... not
sudo: ldap sudoHost '+hosts_chs_eu_cust_ops_prod' ... not
sudo: ldap sudoHost '+hosts_dch_ops_level2_prod_dchops' ... not
sudo: ldap sudoHost 'am1p-gen-chs-app001' ... not
sudo: result now has 0 entries
sudo: ldap search '(&(objectClass=sudoRole)(sudoUser=*)(sudoUser=+*))'
sudo: searching from base 'ou=sudoers,dc=syniverse,dc=com'
sudo: adding search result
sudo: result now has 0 entries
sudo: perform search for pwflag 54
sudo: done with LDAP searches
sudo: user_matches=true
sudo: host_matches=false
sudo: sudo_ldap_lookup(54)=0x84
Sorry, user g706553 may not run sudo on am1p-gen-chs-app001.

Thanks and Regards,
Stefan

-----Original Message-----
From: Stefan Maass
Sent: Monday, 7 November 2016 14:57
To: 'Dagobert Michelsen'
Cc: users at lists.opencsw.org; 'sudo-users at sudo.ws'
Subject: AW: issue with sudo_ldap

Hi Dagobert,

Thanks for your reply! I had seen the entry in the change log that you have mentioned below, and I have tried using the -g switch as well, but it did not change anything. It just added one line to the output of the debug log; other than that it does nothing, and I am still not allowed to sudo as I was in the former sudo version.

Nov 7 13:37:36 sudo[158099] will restore signal 13 on exec
Nov 7 13:37:36 sudo[158099] settings: runas_group=global_sysadmin
Nov 7 13:37:36 sudo[158099] settings: progname=sudo
Nov 7 13:37:36 sudo[158099] settings: network_addrs=10.161.120.147/255.255.254.0 10.161.146.18/255.255.255.0 10.161.146.26/255.255.255.0
Nov 7 13:37:36 sudo[158099] settings: plugin_dir=/opt/csw/libexec/sudo/
Nov 7 13:37:36 sudo[158099] policy plugin returns 0

It looks like it does not find the policy in LDAP that matches the right to switch user. The other changes that have been made in regard to LDAP don't say much to me for now, so I am not sure if they could be responsible for what I am facing.

Regards,
Stefan

-----Original Message-----
From: Dagobert Michelsen [mailto:dam at opencsw.org]
Sent: Monday, 7 November 2016 13:10
To: Stefan Maass
Cc: users at lists.opencsw.org
Subject: Re: issue with sudo_ldap

Hi Stefan,

On 07.11.2016 at 11:52, Stefan Maass wrote:
> It looks like we ran into a new issue and I hope you are the right person to contact. At least I can see that the package that (I think) is involved has been packaged by you.
>
> I have recently done an upgrade of a few packages including sudo and sudo_ldap on a few nodes. The former versions were as follows:
>
> CSWsudo - VERSION: 1.8.16,REV=2016.03.18
> CSWsudo-ldap - VERSION: 1.8.16,REV=2016.03.18
>
> The new versions are:
>
> CSWsudo - VERSION: 1.8.18,REV=2016.09.21
> CSWsudo-ldap - VERSION: 1.8.18,REV=2016.09.21
>
> Interestingly on the servers with the older version and also on the servers with the newer version the command /opt/csw/bin/pkgutil --version CSWsudo-ldap shows 2.6.7. So it looks like it is in fact the same package.

pkgutil --version shows the version of pkgutil. Try

> dam at unstable10s [unstable10s]:/home/dam > pkgutil -c sudo sudo_ldap
> You're not root and didn't set -W, using home dir.
> => Fetching new catalog and descriptions (file:///export/mirror/opencsw-official/unstable/sparc/5.10) if available ...
> ==> 3948 packages loaded from /home/dam/.pkgutil/catalog._export_mirror_opencsw-official_unstable_sparc_5.10
> package installed catalog
> CSWsudo 1.8.18p1,REV=2016.10.28 SAME

> The issue that we have is that since I have upgraded the sudo packages LDAP users are not able anymore to use sudo, as it seems that the information from the LDAP server is not received.
>
> This example output is from a server where sudo works:
>
> pts/23|root at fr4u-gen-chs-app001:/root# sudo su - g701806
> sudo: start_tls specified but LDAP libs do not support ldap_start_tls_s() or ldap_start_tls_s_np()
> Oracle Corporation SunOS 5.10 Generic Patch January 2005
> LOGIN NAME: g701806
> ORACLE DATABASE: chdev
> Clearing House profile executed.
> development environment for server fr4u-gen-chs-app001 set!
> fr4u-gen-chs-app001:DEVELOP\&chdev\&/ldap/home/g701806: sudo su -
> sudo: start_tls specified but LDAP libs do not support ldap_start_tls_s() or ldap_start_tls_s_np()
> Oracle Corporation SunOS 5.10 Generic Patch January 2005
> pts/23|root at fr4u-gen-chs-app001:/root# ^D
> fr4u-gen-chs-app001:DEVELOP\&chdev\&/ldap/home/g701806: sudo -l
> sudo: start_tls specified but LDAP libs do not support ldap_start_tls_s() or ldap_start_tls_s_np()
> Matching Defaults entries for g701806 on fr4u-gen-chs-app001:
>     loglinelen=0, logfile=/var/adm/sudolog, ignore_dot, !mail_no_user, log_host, logfile=/var/log/sudolog, !syslog, timestamp_timeout=10, !authenticate
>
> User g701806 may run the following commands on fr4u-gen-chs-app001:
>     (root) ALL
>
> This example output is from a server where sudo does not work:
>
> pts/5|root at fr4u-gen-chs-app002:/var/log# sudo su - g701806
> sudo: start_tls specified but LDAP libs do not support ldap_start_tls_s() or ldap_start_tls_s_np()
> Oracle Corporation SunOS 5.10 Generic Patch January 2005
> LOGIN NAME: g701806
> ORACLE DATABASE: chdev
> Clearing House profile executed.
> development environment for server fr4u-gen-chs-app002 set!
> fr4u-gen-chs-app002:DEVELOP\&chdev\&/ldap/home/g701806: sudo su -
> sudo: start_tls specified but LDAP libs do not support ldap_start_tls_s() or ldap_start_tls_s_np()
> g701806 is not allowed to run sudo on fr4u-gen-chs-app002. This incident will be reported.
> fr4u-gen-chs-app002:DEVELOP\&chdev\&/ldap/home/g701806: sudo -l
> sudo: start_tls specified but LDAP libs do not support ldap_start_tls_s() or ldap_start_tls_s_np()
> Sorry, user g701806 may not run sudo on fr4u-gen-chs-app002.
>
> I am not sure if this output helps, but I have added a line to sudo.conf to debug sudo. So here is what appears in the sudo_debug log when I execute the command 'sudo su -' on the server where sudo works:
>
> Nov 7 11:13:42 sudo[535884] settings: progname=sudo
> Nov 7 11:13:42 sudo[535884] settings: network_addrs=10.161.120.146/255.255.254.0 10.161.146.17/255.255.255.0 10.161.146.25/255.255.255.0
> Nov 7 11:13:42 sudo[535884] settings: plugin_dir=/opt/csw/libexec/sudo/
> Nov 7 11:13:43 sudo[535884] policy plugin returns 1
> Nov 7 11:13:43 sudo[535884] settings: progname=sudo
> Nov 7 11:13:43 sudo[535884] settings: network_addrs=10.161.120.146/255.255.254.0 10.161.146.17/255.255.255.0 10.161.146.25/255.255.255.0
> Nov 7 11:13:43 sudo[535884] settings: plugin_dir=/opt/csw/libexec/sudo/
> Nov 7 11:13:43 sudo[535884] command info from plugin:
> Nov 7 11:13:43 sudo[535884] 0: command=/usr/bin/su
> Nov 7 11:13:43 sudo[535884] 1: runas_uid=0
> Nov 7 11:13:43 sudo[535884] 2: runas_gid=0
> Nov 7 11:13:43 sudo[535884] 3: runas_groups=0,1,2,3,4,5,6,7,8,9,12
> Nov 7 11:13:43 sudo[535884] 4: closefrom=3
> Nov 7 11:13:43 sudo[535884] 5: set_utmp=true
> Nov 7 11:13:43 sudo[535884] 6: umask=022
> Nov 7 11:13:43 sudo[535884] executed /usr/bin/su, pid 535901
> Nov 7 11:13:43 sudo[535884] sudo_ev_add_v1: adding event 44628 to base 4b4d0
> Nov 7 11:13:43 sudo[535884] sudo_ev_add_v1: adding event 44668 to base 4b4d0
> Nov 7 11:13:43 sudo[535884] signal pipe fd 7
> Nov 7 11:13:43 sudo[535884] backchannel fd 9
> Nov 7 11:13:43 sudo[535901] exec /usr/bin/su [su -]
> Nov 7 11:13:43 sudo[535884] sudo_ev_scan_impl: 1 fds ready
> Nov 7 11:13:43 sudo[535884] failed to read child status: EOF
> Nov 7 11:13:43 sudo[535884] sudo_ev_del_v1: removing event 44668 from base 4b4d0
>
> And here is the output from the server where sudo does not work:
>
> Nov 7 11:12:02 sudo[152587] will restore signal 13 on exec
> Nov 7 11:12:02 sudo[152587] settings: progname=sudo
> Nov 7 11:12:02 sudo[152587] settings: network_addrs=10.161.120.147/255.255.254.0 10.161.146.18/255.255.255.0 10.161.146.26/255.255.255.0
> Nov 7 11:12:02 sudo[152587] settings: plugin_dir=/opt/csw/libexec/sudo/
> Nov 7 11:12:02 sudo[152587] policy plugin returns 0

Maybe a look in the Changelog helps:
  https://www.sudo.ws/changes.html

  * plugins/sudoers/ldap.c, plugins/sudoers/sssd.c:
    Fix matching when no sudoRunAsUser is present in a sudoRole. If only a sudoRunAsGroup is present, match on the invoking user if the -g option was specified and the group matched. If no sudoRunAsGroup is present and the -g option was specified, allow it if it matches the passwd gid of the runas user. This matches the behavior of the sudoers backend. [e1a52c34da5e]

There are also a few other changes, I suggest you take a look and make sure you didn't hit one of these before digging in further. You may also want to cc: sudo-users@:
  https://www.sudo.ws/mailman/listinfo/sudo-users

Best regards

  -- Dago

--
"You don't become great by trying to be great, you become great by wanting to do something, and then doing it so hard that you become great in the process." - xkcd #896
From: stefan.maass at syniverse.com (Stefan Maass)
Date: Tue, 8 Nov 2016 16:12:17 +0000
Subject: AW: [sudo-users] issue with sudo_ldap
In-Reply-To: <59de8f7b5e8e9119@courtesan.com>
References: <692ADCA484924641B07B865E8150815554A40EF0@AMSMBX01.ad.syniverse.com> <692ADCA484924641B07B865E8150815554A413EF@AMSMBX01.ad.syniverse.com> <59de8f7b5e8e9119@courtesan.com>
Message-ID: <692ADCA484924641B07B865E8150815554A44596@AMSMBX01.ad.syniverse.com>

Hi Todd,

Sorry, I have seen your email too late. I have just written a new mail that contains debug information from the debugging entry in ldap.conf. I have now also added the debug line to sudo.conf, but when I add ldap@debug it unfortunately logs nothing. I have added all@debug instead, even if it is a bit more information. You will find the file attached. Please let me know if you need anything further.

Thanks and Regards,
Stefan

-----Original Message-----
From: Todd C. Miller [mailto:Todd.Miller at courtesan.com]
Sent: Tuesday, 8 November 2016 16:35
To: Stefan Maass
Cc: Dagobert Michelsen ; sudo-users at sudo.ws; users at lists.opencsw.org
Subject: Re: [sudo-users] issue with sudo_ldap

If you could include ldap debugging information for the version that is not working, that might provide some hints. Something like:

Debug sudoers.so /var/adm/sudoers_debug ldap@debug

in sudo.conf will do it.

 - todd

-------------- next part --------------
A non-text attachment was scrubbed...
Name: sudo_debug
Type: application/octet-stream
Size: 39904 bytes
Desc: sudo_debug
From: stefan.maass at syniverse.com (Stefan Maass)
Date: Wed, 9 Nov 2016 08:29:14 +0000
Subject: AW: [sudo-users] issue with sudo_ldap
In-Reply-To: <59dea6ec7bcb64ec@courtesan.com>
References: <692ADCA484924641B07B865E8150815554A40EF0@AMSMBX01.ad.syniverse.com> <692ADCA484924641B07B865E8150815554A44542@AMSMBX01.ad.syniverse.com> <59dea6ec7bcb64ec@courtesan.com>
Message-ID: <692ADCA484924641B07B865E8150815554A4A32E@AMSMBX01.ad.syniverse.com>

Thanks for that info! We however only entered the negated host for a test after it did not work, and we checked out the manual and saw that negated hosts were added in version 1.8.18. It also did not match anything without any negated host in the list.

Regards,
Stefan

-----Original Message-----
From: Todd C. Miller [mailto:Todd.Miller at courtesan.com]
Sent: Tuesday, 8 November 2016 22:37
To: Stefan Maass
Cc: Dagobert Michelsen ; Sreejith Kuzhivayalil ; sudo-users at sudo.ws; users at lists.opencsw.org
Subject: Re: [sudo-users] issue with sudo_ldap

There does appear to be a bug in the host matching where any hosts found after a negated host would fail to match. I'm not sure that explains what you are seeing though.

I've committed a fix: https://www.sudo.ws/repos/sudo/rev/40cbd5790106
Below is the same diff based on 1.8.18p1 rather than trunk.

 - todd

diff -r abda86e3b777 plugins/sudoers/ldap.c
--- a/plugins/sudoers/ldap.c Mon Oct 10 09:10:34 2016 -0600
+++ b/plugins/sudoers/ldap.c Tue Nov 08 14:13:42 2016 -0700
@@ -721,20 +721,21 @@ { struct berval **bv, **p; char *val; - bool ret = false; - bool foundbang = false; + int matched = UNSPEC; debug_decl(sudo_ldap_check_host, SUDOERS_DEBUG_LDAP) if (!entry) - debug_return_bool(ret); + debug_return_bool(false); /* get the values from the entry */ bv = ldap_get_values_len(ld, entry, "sudoHost"); if (bv == NULL) - debug_return_bool(ret); + debug_return_bool(false); /* walk through values */ - for (p = bv; *p != NULL && !foundbang; p++) { + for (p = bv; *p != NULL && matched != false; p++) { + bool foundbang = false; + val = (*p)->bv_val; if (*val == '!') { @@ -746,14 +747,17 @@ if (strcmp(val, "ALL") == 0 || addr_matches(val) || netgr_matches(val, user_runhost, user_srunhost, def_netgroup_tuple ? pw->pw_name : NULL) || - hostname_matches(user_srunhost, user_runhost, val)) - ret = !foundbang; - DPRINTF2("ldap sudoHost '%s' ... %s", val, ret ? "MATCH!" : "not"); + hostname_matches(user_srunhost, user_runhost, val)) { + + matched = foundbang ? false : true; + } + DPRINTF2("ldap sudoHost '%s' ... %s", + val, matched == true ? "MATCH!" : "not"); } ldap_value_free_len(bv); /* cleanup */ - debug_return_bool(ret); + debug_return_bool(matched == true); } static int diff -r abda86e3b777 plugins/sudoers/sssd.c --- a/plugins/sudoers/sssd.c Mon Oct 10 09:10:34 2016 -0600 +++ b/plugins/sudoers/sssd.c Tue Nov 08 14:13:42 2016 -0700 @@ -741,13 +741,12 @@ sudo_sss_check_host(struct sudo_sss_handle *handle, struct sss_sudo_rule *rule) { char **val_array, *val; - bool ret = false; - bool foundbang = false; + int matched = UNSPEC; int i; debug_decl(sudo_sss_check_host, SUDOERS_DEBUG_SSSD); if (rule == NULL) - debug_return_bool(ret); + debug_return_bool(false); /* get the values from the rule */ switch (handle->fn_get_values(rule, "sudoHost", &val_array)) { 
@@ -758,11 +757,13 @@ debug_return_bool(false); default: sudo_debug_printf(SUDO_DEBUG_INFO, "handle->fn_get_values(sudoHost): != 0"); - debug_return_bool(ret); + debug_return_bool(false); } /* walk through values */ - for (i = 0; val_array[i] != NULL && !foundbang; ++i) { + for (i = 0; val_array[i] != NULL && matched != false; ++i) { + bool foundbang = false; + val = val_array[i]; sudo_debug_printf(SUDO_DEBUG_DEBUG, "val[%d]=%s", i, val); @@ -775,16 +776,18 @@ if (strcmp(val, "ALL") == 0 || addr_matches(val) || netgr_matches(val, handle->host, handle->shost, def_netgroup_tuple ? handle->pw->pw_name : NULL) || - hostname_matches(handle->shost, handle->host, val)) - ret = !foundbang; + hostname_matches(handle->shost, handle->host, val)) { - sudo_debug_printf(SUDO_DEBUG_INFO, - "sssd/ldap sudoHost '%s' ... %s", val, ret ? "MATCH!" : "not"); + matched = foundbang ? false : true; + } + + sudo_debug_printf(SUDO_DEBUG_INFO, "sssd/ldap sudoHost '%s' ... %s", + val, matched == true ? "MATCH!" : "not"); } handle->fn_free_values(val_array); - debug_return_bool(ret); + debug_return_bool(matched == true); } /*
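Review bot: in the first ldap.c hunk (@@ -721,20 +721,21 @@), `int matched = UNSPEC;` together with the loop condition `matched != false` turns the result into a three-state value, and that deserves a comment at the declaration (UNSPEC: no value has matched yet; true: a positive match; false: a negated match, which ends the walk), because `matched != false` reads like a plain boolean test at first glance. The actual fix is that `bool foundbang` now lives inside the loop body: in the removed version the flag stayed set once any value started with '!', so `!foundbang` ended the walk and none of the remaining sudoHost values was ever compared. Since the values of a multi-valued LDAP attribute have no defined order, stopping on a negated match means a matching '!host' wins wherever it appears in the list, which is a different rule from the ordered Host_List of the sudoers file and is worth a sentence in sudoers.ldap(5).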
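Review bot: in the second ldap.c hunk (@@ -746,14 +747,17 @@) the DPRINTF2 now reports the running state `matched` instead of the outcome for the value just tested, so after one positive match every later non-matching value is logged as "MATCH!", and the negated value that actually ended the walk is logged as "not"; since these `ldap sudoHost '...' ... not` lines are what users paste when reporting problems (see the debug output earlier in this thread), printing the per-value result, with a distinct word for the foundbang case, would keep the log diagnostic. The same applies to the sudo_debug_printf in the sssd.c hunk at @@ -775,16 +776,18 @@. Minor: `matched = foundbang ? false : true;` is just `matched = !foundbang;`, and the empty line after the opening brace can go.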
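Review bot: the sssd.c hunk at @@ -741,13 +741,12 @@ repeats the ldap.c rewrite line for line in sudo_sss_check_host, and the bug being fixed had to be fixed in both copies; the value walk (strip '!', try ALL/addr/netgroup/hostname, keep the three-state result) could be one shared helper taking the value, the host/shost pair and the netgroup user, so the two backends stop drifting apart. If that is out of scope for a bug fix, a regression test with a rule whose sudoHost values are a non-matching '!other' followed by the local host name, run through both backends, would at least pin the corrected behaviour down.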
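To make the difference between the two versions of the sudoHost walk concrete, here is an added C model of both loops (my own reduced re-implementation for illustration, not sudo's code): a matcher that only understands "ALL" and an exact short host name stands in for addr_matches()/netgr_matches()/hostname_matches(), and the value lists are constructed.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* sudoers uses UNSPEC (-1) as the "not decided yet" state of int flags. */
#define UNSPEC (-1)

/*
 * Stand-in for addr_matches()/netgr_matches()/hostname_matches():
 * a value matches when it is "ALL" or equals the short host name.
 * (Constructed for this example; sudo's real matchers also handle
 * address/netmask values and +netgroup lookups.)
 */
static bool value_matches(const char *val, const char *shost)
{
    return strcmp(val, "ALL") == 0 || strcmp(val, shost) == 0;
}

/* Host walk as it was before the patch in this thread (1.8.18/1.8.18p1). */
bool check_host_old(const char *const *vals, const char *shost)
{
    bool ret = false;
    bool foundbang = false;      /* never reset: stays set for later values */
    const char *const *p;

    for (p = vals; *p != NULL && !foundbang; p++) {
        const char *val = *p;
        if (*val == '!') {
            foundbang = true;    /* set on sight, whether or not it matches */
            val++;
        }
        if (value_matches(val, shost))
            ret = !foundbang;
    }
    /* once foundbang is set the loop ends: later values are never tested */
    return ret;
}

/* Host walk after the patch: three-state result, flag scoped per value. */
bool check_host_new(const char *const *vals, const char *shost)
{
    int matched = UNSPEC;        /* UNSPEC: undecided; true/false: decided */
    const char *const *p;

    for (p = vals; *p != NULL && matched != false; p++) {
        bool foundbang = false;  /* re-evaluated for every value */
        const char *val = *p;
        if (*val == '!') {
            foundbang = true;
            val++;
        }
        if (value_matches(val, shost))
            matched = foundbang ? false : true;
    }
    /* only a negated match stops the walk; a positive match keeps looking */
    return matched == true;
}

/* Constructed sudoHost value lists, evaluated for the host "app002". */
const char *const HOSTS_AFTER_NEGATION[]  = { "!app001", "app002", NULL };
const char *const HOSTS_BEFORE_NEGATION[] = { "app002", "!app001", NULL };
const char *const HOSTS_NEGATED_SELF[]    = { "ALL", "!app002", NULL };
const char *const HOSTS_PLAIN[]           = { "app001", "app002", NULL };

static void show(const char *label, const char *const *vals)
{
    printf("%-22s old=%d new=%d\n", label,
           check_host_old(vals, "app002"), check_host_new(vals, "app002"));
}

int main(void)
{
    show("[!app001, app002]", HOSTS_AFTER_NEGATION);   /* old=0 new=1 */
    show("[app002, !app001]", HOSTS_BEFORE_NEGATION);  /* old=1 new=1 */
    show("[ALL, !app002]", HOSTS_NEGATED_SELF);        /* old=0 new=0 */
    show("[app001, app002]", HOSTS_PLAIN);             /* old=1 new=1 */
    return 0;
}
```

The first two lists differ only in order and show that the old walk's answer depended on the order in which the directory returned the values; the patched walk gives the same answer for both.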
From: dam at opencsw.org (Dagobert Michelsen)
Date: Wed, 9 Nov 2016 09:55:15 +0100
Subject: [sudo-users] issue with sudo_ldap
In-Reply-To: <692ADCA484924641B07B865E8150815554A4A32E@AMSMBX01.ad.syniverse.com>
References: <692ADCA484924641B07B865E8150815554A40EF0@AMSMBX01.ad.syniverse.com> <692ADCA484924641B07B865E8150815554A44542@AMSMBX01.ad.syniverse.com> <59dea6ec7bcb64ec@courtesan.com> <692ADCA484924641B07B865E8150815554A4A32E@AMSMBX01.ad.syniverse.com>
Message-ID: <616150E8-90CF-41DF-99B1-866F827E548A@opencsw.org>

Hi Stefan,

On 09.11.2016 at 09:29, Stefan Maass wrote:
> Thanks for that info! We however only entered the negated host for a test after it did not work, and we checked out the manual and saw that negated hosts were added in version 1.8.18. It also did not match anything without any negated host in the list.

I made new packages with the patch applied which will appear here soon:
  http://buildfarm.opencsw.org/experimental.html#sudo
You may want to give them a try.

Best regards

  -- Dago
From: stefan.maass at syniverse.com (Stefan Maass)
Date: Wed, 9 Nov 2016 09:25:13 +0000
Subject: AW: [sudo-users] issue with sudo_ldap
In-Reply-To: <616150E8-90CF-41DF-99B1-866F827E548A@opencsw.org>
References: <692ADCA484924641B07B865E8150815554A40EF0@AMSMBX01.ad.syniverse.com> <692ADCA484924641B07B865E8150815554A44542@AMSMBX01.ad.syniverse.com> <59dea6ec7bcb64ec@courtesan.com> <692ADCA484924641B07B865E8150815554A4A32E@AMSMBX01.ad.syniverse.com> <616150E8-90CF-41DF-99B1-866F827E548A@opencsw.org>
Message-ID: <692ADCA484924641B07B865E8150815554A4A548@AMSMBX01.ad.syniverse.com>

Hi Dagobert,

I definitely will. I just downloaded the package. Will give you an update after I have tried it out.

Thanks and Regards,
Stefan
From: stefan.maass at syniverse.com (Stefan Maass) Date: Wed, 9 Nov 2016 11:51:26 +0000 Subject: AW: [sudo-users] issue with sudo_ldap In-Reply-To: <616150E8-90CF-41DF-99B1-866F827E548A@opencsw.org> References: <692ADCA484924641B07B865E8150815554A40EF0@AMSMBX01.ad.syniverse.com> <692ADCA484924641B07B865E8150815554A44542@AMSMBX01.ad.syniverse.com> <59dea6ec7bcb64ec@courtesan.com> <692ADCA484924641B07B865E8150815554A4A32E@AMSMBX01.ad.syniverse.com> <616150E8-90CF-41DF-99B1-866F827E548A@opencsw.org> Message-ID: <692ADCA484924641B07B865E8150815554A4A8F8@AMSMBX01.ad.syniverse.com> Hi Dagobert, hi Todd, I have tested the patch that you provided and I can confirm that it works for me. The host entries are matching now and sudo is possible again. Thanks and Regards, Stefan -----Urspr?ngliche Nachricht----- Von: Dagobert Michelsen [mailto:dam at opencsw.org] Gesendet: Mittwoch, 9. November 2016 09:55 An: Stefan Maass Cc: Todd C. Miller ; Sreejith Kuzhivayalil ; sudo-users at sudo.ws; users at lists.opencsw.org Betreff: Re: [sudo-users] issue with sudo_ldap Hi Stefan, Am 09.11.2016 um 09:29 schrieb Stefan Maass : > Thanks for that info! We however only entered the negated host for a test after it did not work and we checked out the manual and saw that negated hosts were added in version 1.8.18. It also did not match anything without any negated host in the list. I made new packages with the patch applied which will appear here soon: http://buildfarm.opencsw.org/experimental.html#sudo You may want to give them a try. Best regards ? Dago > > Regards, > Stefan > > -----Urspr?ngliche Nachricht----- > Von: Todd C. Miller [mailto:Todd.Miller at courtesan.com] > Gesendet: Dienstag, 8. 
November 2016 22:37 > An: Stefan Maass > Cc: Dagobert Michelsen ; Sreejith Kuzhivayalil > ; sudo-users at sudo.ws; > users at lists.opencsw.org > Betreff: Re: [sudo-users] issue with sudo_ldap > > There does appear to be a bug in the host matching where any hosts found after a negated host would fail to match. I'm not sure that explains what you are seeing though. > > I've committed a fix: https://www.sudo.ws/repos/sudo/rev/40cbd5790106 > Below is the same diff based on 1.8.18p1 rather than trunk. > > - todd > > diff -r abda86e3b777 plugins/sudoers/ldap.c > --- a/plugins/sudoers/ldap.c Mon Oct 10 09:10:34 2016 -0600 > +++ b/plugins/sudoers/ldap.c Tue Nov 08 14:13:42 2016 -0700 > @@ -721,20 +721,21 @@ > { > struct berval **bv, **p; > char *val; > - bool ret = false; > - bool foundbang = false; > + int matched = UNSPEC; > debug_decl(sudo_ldap_check_host, SUDOERS_DEBUG_LDAP) > > if (!entry) > - debug_return_bool(ret); > + debug_return_bool(false); > > /* get the values from the entry */ > bv = ldap_get_values_len(ld, entry, "sudoHost"); > if (bv == NULL) > - debug_return_bool(ret); > + debug_return_bool(false); > > /* walk through values */ > - for (p = bv; *p != NULL && !foundbang; p++) { > + for (p = bv; *p != NULL && matched != false; p++) { > + bool foundbang = false; > + > val = (*p)->bv_val; > > if (*val == '!') { 
> @@ -746,14 +747,17 @@ > if (strcmp(val, "ALL") == 0 || addr_matches(val) || > netgr_matches(val, user_runhost, user_srunhost, > def_netgroup_tuple ? pw->pw_name : NULL) || > - hostname_matches(user_srunhost, user_runhost, val)) > - ret = !foundbang; > - DPRINTF2("ldap sudoHost '%s' ... %s", val, ret ? "MATCH!" : "not"); > + hostname_matches(user_srunhost, user_runhost, val)) { > + > + matched = foundbang ? false : true; > + } > + DPRINTF2("ldap sudoHost '%s' ... %s", > + val, matched == true ? "MATCH!" : "not"); > } > > ldap_value_free_len(bv); /* cleanup */ > > - debug_return_bool(ret); > + debug_return_bool(matched == true); > } > > static int > diff -r abda86e3b777 plugins/sudoers/sssd.c > --- a/plugins/sudoers/sssd.c Mon Oct 10 09:10:34 2016 -0600 > +++ b/plugins/sudoers/sssd.c Tue Nov 08 14:13:42 2016 -0700 > @@ -741,13 +741,12 @@ > sudo_sss_check_host(struct sudo_sss_handle *handle, struct sss_sudo_rule *rule) { > char **val_array, *val; > - bool ret = false; > - bool foundbang = false; > + int matched = UNSPEC; > int i; > debug_decl(sudo_sss_check_host, SUDOERS_DEBUG_SSSD); > > if (rule == NULL) > - debug_return_bool(ret); > + debug_return_bool(false); > > /* get the values from the rule */ > switch (handle->fn_get_values(rule, "sudoHost", &val_array)) { @@ -758,11 +757,13 @@ > debug_return_bool(false); > default: > sudo_debug_printf(SUDO_DEBUG_INFO, "handle->fn_get_values(sudoHost): != 0"); > - debug_return_bool(ret); > + debug_return_bool(false); > } > > /* walk through values */ > - for (i = 0; val_array[i] != NULL && !foundbang; ++i) { > + for (i = 0; val_array[i] != NULL && matched != false; ++i) { > + bool foundbang = false; > + > val = val_array[i]; > sudo_debug_printf(SUDO_DEBUG_DEBUG, "val[%d]=%s", i, val); 
> > @@ -775,16 +776,18 @@ > if (strcmp(val, "ALL") == 0 || addr_matches(val) || > netgr_matches(val, handle->host, handle->shost, > def_netgroup_tuple ? handle->pw->pw_name : NULL) || > - hostname_matches(handle->shost, handle->host, val)) > - ret = !foundbang; > + hostname_matches(handle->shost, handle->host, val)) { > > - sudo_debug_printf(SUDO_DEBUG_INFO, > - "sssd/ldap sudoHost '%s' ... %s", val, ret ? "MATCH!" : "not"); > + matched = foundbang ? false : true; > + } > + > + sudo_debug_printf(SUDO_DEBUG_INFO, "sssd/ldap sudoHost '%s' ... %s", > + val, matched == true ? "MATCH!" : "not"); > } > > handle->fn_free_values(val_array); > > - debug_return_bool(ret); > + debug_return_bool(matched == true); > } > > /* -- "You don't become great by trying to be great, you become great by wanting to do something, and then doing it so hard that you become great in the process." - xkcd #896 From tosmi at opencsw.org Thu Nov 24 18:06:44 2016 
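Review bot: in the ldap.c hunk at @@ -721,20 +721,21 @@ the loop condition change from `!foundbang` to `matched != false` is the actual fix: before, `foundbang` was declared outside the loop and never cleared, so the first negated sudoHost value terminated the walk and every value listed after it was never examined. The new `int matched = UNSPEC;` mixes an int sentinel with the bool literals `true`/`false`, and both `matched != false` and the final `debug_return_bool(matched == true)` are only correct if UNSPEC is neither 0 nor 1, which this diff does not show. Suggest a one-line comment at the declaration naming the three states (UNSPEC: nothing decided yet; true: positive match; false: a negated value matched, stop walking) so a later cleanup does not collapse it back into a bool.

Review bot: in the ldap.c hunk at @@ -746,14 +747,17 @@ the DPRINTF2 message still prints "not" both when a value simply did not match and when a negated value matched and ended the walk, so the debug trace cannot distinguish "no sudoHost matched" from "explicitly denied by a '!' entry". Since `matched` is tri-state here anyway, consider printing it as such, e.g. `matched == true ? "MATCH!" : matched == false ? "NEGATED" : "not"`; that is exactly the question Stefan's debug output would need to answer.

Review bot: the sssd.c hunk at @@ -741,13 +741,12 @@ repeats the ldap.c change line for line (tri-state `matched`, `foundbang` moved inside the loop, early returns changed to `debug_return_bool(false)`). Having to land the same fix in two back ends is how this bug can recur in one of them; suggest a follow-up that moves the sudoHost walk into a shared helper taking the value array plus host, shost and user, so ldap.c and sssd.c call one implementation. Not a blocker for this fix.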
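Todd's description above ("any hosts found after a negated host would fail to match") is easy to see with the two loop shapes side by side. The following is an added example, not sudo's code and not part of this thread: a reduced model of the pre-fix and post-fix sudoHost walk. The real matchers (addr_matches, netgr_matches, hostname_matches) are stubbed as exact hostname comparison plus the "ALL" wildcard, UNSPEC is assumed to be -1 as in the model, and the hostnames and sudoHost lists are constructed test data.

```c
/*
 * Added example (not sudo's code): a reduced model of the sudoHost matching
 * loop before and after the fix discussed in this thread. The real matchers
 * are stubbed as exact string comparison plus "ALL"; the sudoHost lists and
 * hostnames below are constructed test data.
 */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define UNSPEC (-1)   /* assumption: a sentinel distinct from both 0 and 1 */

/* Stub for the real host matchers: exact hostname or the "ALL" wildcard. */
static bool host_value_matches(const char *val, const char *host)
{
    return strcmp(val, "ALL") == 0 || strcmp(val, host) == 0;
}

/*
 * Pre-fix shape. 'foundbang' lives outside the loop and is never cleared,
 * so the first negated value ends the walk via the "!foundbang" condition;
 * any sudoHost value listed after it is never examined.
 */
bool check_host_old(const char *const *values, const char *host)
{
    bool ret = false;
    bool foundbang = false;

    for (const char *const *p = values; *p != NULL && !foundbang; p++) {
        const char *val = *p;

        if (*val == '!') {
            val++;
            foundbang = true;
        }
        if (host_value_matches(val, host))
            ret = !foundbang;
    }
    return ret;
}

/*
 * Post-fix shape. 'matched' is tri-state (UNSPEC = nothing decided yet,
 * true = positive match, false = a negated value matched), 'foundbang' is
 * reset for every value, and the walk stops only on an explicit denial.
 */
bool check_host_new(const char *const *values, const char *host)
{
    int matched = UNSPEC;

    for (const char *const *p = values; *p != NULL && matched != false; p++) {
        bool foundbang = false;
        const char *val = *p;

        if (*val == '!') {
            val++;
            foundbang = true;
        }
        if (host_value_matches(val, host))
            matched = foundbang ? false : true;
    }
    return matched == true;
}

/* Constructed sudoHost value lists (hypothetical hostnames). */
const char *const HOSTS_NEG_THEN_HOST[] = { "!app001", "app002", NULL };
const char *const HOSTS_NEG_THEN_ALL[]  = { "!app001", "ALL", NULL };
const char *const HOSTS_HOST_THEN_NEG[] = { "app002", "!app002", NULL };
const char *const HOSTS_ALL_ONLY[]      = { "ALL", NULL };

int main(void)
{
    struct { const char *label; const char *const *values; const char *host; } cases[] = {
        { "!app001, app002  for app002", HOSTS_NEG_THEN_HOST, "app002" },
        { "!app001, ALL     for app002", HOSTS_NEG_THEN_ALL,  "app002" },
        { "app002, !app002  for app002", HOSTS_HOST_THEN_NEG, "app002" },
        { "ALL              for app002", HOSTS_ALL_ONLY,      "app002" },
    };

    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        printf("%s: old=%s new=%s\n", cases[i].label,
               check_host_old(cases[i].values, cases[i].host) ? "allow" : "deny",
               check_host_new(cases[i].values, cases[i].host) ? "allow" : "deny");
    }
    return 0;
}
```

The first two constructed lists are the failing shape: a negated entry for another host followed by a positive entry (or "ALL") for this host. The old loop denies both because it stops walking after the negated value; the new loop allows them. The last two lists show that the fix does not loosen anything: an explicit `!app002` still denies regardless of order, and a plain "ALL" behaves as before.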
From: tosmi at opencsw.org (Toni Schmidbauer)
Date: Thu, 24 Nov 2016 18:06:44 +0100
Subject: [HEADSUP] updated puppet3 packages are coming
Message-ID: <87y40824ez.fsf@opencsw.org>

dear opencsw-users,

i'm going to upload the following new puppet 3 packages within the next few hours to unstable:

- puppet3 3.8.7
- facter2 2.4.6
- augeas + libs 1.7.0

please test and let me know if anything breaks.

a short outlook on the future of puppet3 and opencsw: puppet.com announced that puppet 3 and facter 2 will no longer be supported by the end of the year. so i will try to provide a puppet4 agent-only package via opencsw and drop support for running a puppet 4 master on solaris. the reason being that puppet 4 relies on puppetserver, which runs within the jvm (using jruby). imho packaging the puppetserver is too much of a hassle and not worth the effort.

one problem is that puppet 4 requires facter version 3, which was rewritten in C++ using the boost libraries. so i also have to update the opencsw boost stuff. i don't know if this is going to work out because this is completely new land for me. if anyone would like to step up and help me update boost, ruby and the other requirements for facter:

- GCC 4.8+ or Clang 5.0+ (OSX)
- CMake >= 3.2.2
- Boost C++ Libraries >= 1.54
- yaml-cpp >= 0.5.1
- leatherman >= 0.3.4
- cpp-hocon >= 0.1.0

please feel free to contact me personally or drop an email to the users list.

thanks for your time
toni