Hi Dennis,
Le 30/03/2021 22:53, « Dennis Filder » <d.fil...@web.de> a écrit :
On Tue, Mar 30, 2021 at 10:17:11AM +0000, BRUN Eric wrote:
> In my file nsswitch.conf, I have :
>
> sudoers: files ldap
>
> Before update, that worked , first try to find account in "files"
> and then, if not found, try with ldap accounts.
>
> After update, it like "files" are ignored and ldap is directly used.
> I read logs files for this analyse.
This is not how sudo works by default. To quote the sudoers.ldap
manpage:
Sudo looks for a line beginning with sudoers: and uses this to
determine the search order. Note that sudo does not stop searching
after the first match and later matches take precedence over earlier
ones.
I suspect that before the upgrade the LDAP backend returned nothing,
and after the upgrade it started to return one or more entries, but
since those most likely do not have the "sudoOption: !authenticate"
attribute sudo prompts for a password (this was the only way I could
reproduce your observed behaviour).
These lines in your sudo-ldap-debug.log seem to confirm this:
...
sudo: adding search result
sudo: result now has 1 entries
...
Can you try if putting this
sudoers: files [SUCCESS=return] ldap
into /etc/nsswitch.conf fixes the issue? This way sudo stops
processing if a successful match in /etc/sudoers is found first (this
is not mentioned in the manpages, I learned of this by looking at the
code).
Yes, it solve my problem, thank you.
What do the LDAP entries for user nagios actually look like?
There is no "nagios" entry on the LDAP server.
I do must say though that using /etc/sudoers to specify exceptions to
rules in an LDAP backend is an unorthodox way of using sudo with LDAP
as it makes troubleshooting very complicated. If you want a command
to be runnable only on a subset of hosts then using separate per-host
entries in LDAP is the intended way. Otherwise someone looking just
at the LDAP output has no way of knowing what other rules might be in
effect or if the LDAP backend is overshadowed by a
[SUCCESS=return]/[NOTFOUND=return].
You are right, I will try to do better but for now your fix is the best and
faster approach in my context.
Thank you for yours wise advices.
Another issue: your sudo-ldap.conf specifies ldap: URIs whereas ldaps:
is probably more applicable to ensure TLS. Otherwise an attacker who
can manipulate packets in transit could use that to escalate his
privileges.
Thank you again and for spending time on this issue.
Regards,
Dennis.
Respectfully,
Eric
