Ticket was cloned from Red Hat Bugzilla (product RHEL RFE): Bug 1042922
Please note that this Bug is private and may not be accessible as it contains confidential Red Hat customer information.
Proposed title of this feature request: Add fallback to sudoRunAs when sudoRunAsUser is not defined and no ldap_sudorule_runasuser mapping has been defined in SSSD.

What is the nature and description of the request?
As of sudo-1.7, when sudo rules are defined in LDAP, sudoRunAs has been superseded by sudoRunAsUser, with a fallback when the latter is not defined in the LDAP record. This RFE is to request the same behavior be added to SSSD, which currently has the use of sudoRunAsUser hardcoded when the ldap_sudorule_runasuser mapping is not defined.

Why is it needed?
Using sudo via SSSD instead of LDAP introduces possible unauthorized root access on the local server for all users logged on to the server, which can be caused by an incorrect (typo) or missing sudoRunAsUser mapping in the sssd.conf file.

Functional requirements:
Enable a fallback making SSSD check for sudoRunAs when sudoRunAsUser is not found and no mapping has been configured.

For each functional requirement listed, specify how it can be tested.
- define a sudo rule in LDAP as:
~~~
dn: cn=support,ou=sudoers,dc=example,dc=com
objectClass: sudoRole
sudoOption: !authenticate
sudoUser: someuser
sudoHost: ALL
cn: support
sudoCommand: ALL
sudoRunAs: support
~~~
- configure SSSD with no mapping (default) to use this LDAP tree
- add to /etc/nsswitch.conf
~~~
sudoers: files sss
~~~
- as user someuser run 'sudo -l', which should show the command can only be executed by the support user
~~~
User someuser run the following commands on this host:
    (support) NOPASSWD: ALL
~~~

Are you willing to test? Yes
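To make the risk in the RFE concrete, here is an added example (my own code, not SSSD's or sudo's) that resolves the effective run-as user of a sudoRole entry both the way the reporter describes SSSD behaving (sudoRunAsUser only) and with the sudo-1.7 style fallback to sudoRunAs. The LDIF entries are constructed from the ticket plus one extra rule of my own; the option names ldap_sudorule_runasuser and ldap_sudorule_runas are the sssd.conf attribute-mapping options, but the resolver, the minimal LDIF parser and the assumption that a rule naming no run-as user falls back to root (sudo's runas_default) are mine.

```python
"""Added example, not SSSD or sudo code: resolve the run-as user of LDAP
sudoRole entries with and without the sudoRunAsUser -> sudoRunAs fallback
requested in the RFE."""

# Constructed LDIF: the rule from the ticket (legacy sudoRunAs only) plus a
# second rule written with the newer sudoRunAsUser attribute.
LDIF = """\
dn: cn=support,ou=sudoers,dc=example,dc=com
objectClass: sudoRole
sudoOption: !authenticate
sudoUser: someuser
sudoHost: ALL
cn: support
sudoCommand: ALL
sudoRunAs: support

dn: cn=dba,ou=sudoers,dc=example,dc=com
objectClass: sudoRole
sudoUser: someuser
sudoHost: ALL
cn: dba
sudoCommand: /usr/bin/psql
sudoRunAsUser: postgres
"""

# Assumption: a rule that names no run-as user is granted for sudo's
# runas_default, which is root unless the administrator changed it.
RUNAS_DEFAULT = "root"


def parse_ldif(text):
    """Minimal LDIF parser: one {attribute: [values]} dict per entry.
    Handles only the single-line 'attr: value' form used above."""
    entries, cur = [], {}
    for line in text.splitlines():
        if not line.strip():
            if cur:
                entries.append(cur)
                cur = {}
            continue
        attr, _, value = line.partition(": ")
        cur.setdefault(attr, []).append(value)
    if cur:
        entries.append(cur)
    return entries


def effective_runas(entry, config, fallback):
    """Return the list of run-as users a rule grants.
    config:   sssd.conf sudo attribute mapping (option name -> LDAP attribute);
              an empty dict means the documented defaults.
    fallback: False = sudoRunAsUser only (behaviour the ticket complains about),
              True  = also consult sudoRunAs when sudoRunAsUser is absent."""
    runasuser_attr = config.get("ldap_sudorule_runasuser", "sudoRunAsUser")
    runas_attr = config.get("ldap_sudorule_runas", "sudoRunAs")
    users = entry.get(runasuser_attr)
    if not users and fallback:
        users = entry.get(runas_attr)
    return list(users) if users else [RUNAS_DEFAULT]


def sudo_l(entries, config, fallback, user="someuser"):
    """Render the rules that apply to `user` in the style of `sudo -l`."""
    lines = []
    for entry in entries:
        who = entry.get("sudoUser", [])
        if user not in who and "ALL" not in who:
            continue
        runas = ", ".join(effective_runas(entry, config, fallback))
        tag = "NOPASSWD: " if "!authenticate" in entry.get("sudoOption", []) else ""
        lines.append(f"({runas}) {tag}{', '.join(entry['sudoCommand'])}")
    return lines


if __name__ == "__main__":
    rules = parse_ldif(LDIF)
    print("without fallback:", sudo_l(rules, {}, fallback=False))
    print("with fallback:   ", sudo_l(rules, {}, fallback=True))
    # A typo in the mapping silently turns the postgres rule into a root rule.
    typo = {"ldap_sudorule_runasuser": "sudoRunAsUesr"}
    print("typo in mapping: ", sudo_l(rules, typo, fallback=True))
```

Without the fallback the ticket's rule renders as "(root) NOPASSWD: ALL" for someuser, which is exactly the unauthorized root access the reporter warns about; with it, the rule renders as "(support) NOPASSWD: ALL", matching the expected `sudo -l` output in the test plan. The third case shows the fallback does not rescue a misspelled mapping for rules that only carry sudoRunAsUser, so the mapping in sssd.conf still deserves a check after any edit.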
Makes sense, although not the highest priority. The sudo LDAP backend does the same, so this is needed to achieve 1:1 parity.
blockedby: => blocking: => changelog: => coverity: => design: => design_review: => 0 feature_milestone: => fedora_test_page: => review: True => 0 selected: => testsupdated: => 0
Fields changed
cc: => mmsrubar
milestone: NEEDS_TRIAGE => SSSD 1.12 beta
milestone: SSSD 1.12 beta => SSSD 1.12.1
owner: somebody => pbrezina status: new => assigned
changelog: => Implementing this RFE would help legacy deployments that still use the sudoRunAs attribute. design: => N/A (trivial)
patch: 0 => 1
resolution: => fixed status: assigned => closed
This RFE was requested by downstream, moving to 1.11.7
milestone: SSSD 1.12.1 => SSSD 1.11.7
Metadata Update from @dpal: - Issue assigned to pbrezina - Issue set to the milestone: SSSD 1.11.7
SSSD is moving from Pagure to Github. This means that new issues and pull requests will be accepted only in SSSD's github repository.
This issue has been cloned to Github and is available here: - https://github.com/SSSD/sssd/issues/3254
If you want to receive further updates on the issue, please navigate to the github issue and click on subscribe button.
Thank you for understanding. We apologize for all inconvenience.