Ticket was cloned from Red Hat Bugzilla (product RHEL RFE): Bug 1042922
Please note that this Bug is private and may not be accessible as it contains confidential Red Hat customer information.
Proposed title of this feature request
Add fallback to sudoRunAs when sudoRunAsUser is not defined and no
ldap_sudorule_runasuser mapping has been defined in SSSD.
What is the nature and description of the request?
As of sudo-1.7 when sudo rules are defined in LDAP, sudoRunAs has been
superseded by sudoRunAsUser with a fallback when the latter is not defined in
the LDAP record. This RFE is to request the same behavior to be added to SSSD
which currently has the use of sudoRunAsUser hardcoded when the
ldap_sudorule_runasuser mapping is not defined.
Why is it needed?
Using sudo via SSSD instead of LDAP introduces possible unauthorized root access on the local server for all users logged on to the server, which can be caused by an incorrect (typo) or missing sudoRunAsUser mapping in the sssd.conf file.
Enable a fallback making SSSD to check for sudoRunAs when sudoRunAsUser is
not found and no mapping has been configured.
For each functional requirement listed, specify how it can be tested.
- define a sudo rule in LDAP as:
- configure SSSD with no mapping (default) to use this LDAP tree
- add to /etc/nsswitch.conf
sudoers: files sss
- as user someuser run 'sudo -l' which should show the command can only be
executed by the support user
User someuser run the following commands on this host:
(support) NOPASSWD: ALL
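The following is an added illustration, not SSSD's code or part of the original ticket, of why the missing fallback matters: it models how a sudoRole entry fetched from LDAP is reduced to the runas user that sudo enforces, with the ldap_sudorule_runasuser mapping and with or without the sudoRunAs fallback this RFE asks for. The LDIF entries and the typo mapping name "sudoRunAsUsr" are constructed sample data; the example assumes sudo's runas_default is at its default of root, so a rule that reaches sudo with no runas user is listed as "(root)".

```python
# Added illustration (not SSSD's code): how a sudoRole entry fetched from LDAP
# is turned into the runas user that sudo enforces, before and after the
# sudoRunAs fallback requested in this ticket.
from typing import Dict, List, Optional

# Constructed sudoRole entry in minimal LDIF form (sample data, not from the ticket):
# a legacy rule that still uses sudoRunAs, as the ticket's test case does.
LEGACY_RULE_LDIF = """\
dn: cn=support-all,ou=SUDOers,dc=example,dc=com
objectClass: sudoRole
cn: support-all
sudoUser: someuser
sudoHost: ALL
sudoRunAs: support
sudoCommand: ALL
sudoOption: !authenticate
"""

# The same rule written the sudo-1.7+ way, with sudoRunAsUser instead of sudoRunAs.
MODERN_RULE_LDIF = LEGACY_RULE_LDIF.replace("sudoRunAs:", "sudoRunAsUser:")


def parse_ldif_entry(text: str) -> Dict[str, List[str]]:
    """Parse one LDIF entry into {lower-cased attribute name: [values]}."""
    attrs: Dict[str, List[str]] = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        attrs.setdefault(name.strip().lower(), []).append(value.strip())
    return attrs


def resolve_runas_user(entry: Dict[str, List[str]], runasuser_attr: str = "sudoRunAsUser",
                       fallback_to_sudorunas: bool = False) -> Optional[List[str]]:
    """Return the runas users the rule carries, or None if it carries none.

    runasuser_attr plays the role of SSSD's ldap_sudorule_runasuser mapping
    (default sudoRunAsUser). With fallback_to_sudorunas=False this models the
    pre-fix behaviour: an entry that only has sudoRunAs yields nothing.
    """
    values = entry.get(runasuser_attr.lower())
    if values:
        return values
    if fallback_to_sudorunas:
        return entry.get("sudorunas")
    return None


def effective_runas(entry: Dict[str, List[str]], runasuser_attr: str = "sudoRunAsUser",
                    fallback_to_sudorunas: bool = False, runas_default: str = "root") -> List[str]:
    """What sudo actually enforces for the rule.

    A rule that reaches sudo with no runas user is evaluated against
    runas_default, which is root unless the administrator changed it; that is
    the unintended root access the ticket describes.
    """
    users = resolve_runas_user(entry, runasuser_attr, fallback_to_sudorunas)
    return users if users else [runas_default]


def sudo_l_line(entry: Dict[str, List[str]], runasuser_attr: str = "sudoRunAsUser",
                fallback_to_sudorunas: bool = False) -> str:
    """Render the rule the way 'sudo -l' lists it, e.g. '(support) NOPASSWD: ALL'."""
    users = ", ".join(effective_runas(entry, runasuser_attr, fallback_to_sudorunas))
    nopasswd = "!authenticate" in entry.get("sudooption", [])
    commands = ", ".join(entry.get("sudocommand", []))
    return f"({users}) {'NOPASSWD: ' if nopasswd else ''}{commands}"


if __name__ == "__main__":
    legacy = parse_ldif_entry(LEGACY_RULE_LDIF)
    print("legacy rule, no fallback  :", sudo_l_line(legacy))
    print("legacy rule, with fallback:", sudo_l_line(legacy, fallback_to_sudorunas=True))
    print("legacy rule, typo mapping :", sudo_l_line(legacy, "sudoRunAsUsr", True))
```

Run stand-alone, the first line shows the pre-fix result "(root) NOPASSWD: ALL" for a rule whose author only ever granted "support"; the second shows the "(support) NOPASSWD: ALL" line the ticket's test expects once the fallback exists. The third line shows that the fallback also covers a misspelled ldap_sudorule_runasuser mapping, but only for entries that still carry sudoRunAs; a modern entry with a typo in the mapping is still reduced to root, so the mapping itself still needs to be verified after any sssd.conf change.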
Are you willing to test?
Makes sense, although not the highest priority. The sudo LDAP backend does the same, so this is needed to achieve 1:1 parity.
design_review: => 0
review: True => 0
testsupdated: => 0
cc: => mmsrubar
milestone: NEEDS_TRIAGE => SSSD 1.12 beta
milestone: SSSD 1.12 beta => SSSD 1.12.1
owner: somebody => pbrezina
status: new => assigned
changelog: => Implementing this RFE would help legacy deployments that still use the sudoRunAs attribute.
design: => N/A (trivial)
patch: 0 => 1
resolution: => fixed
status: assigned => closed
This RFE was requested by downstream, moving to 1.11.7
milestone: SSSD 1.12.1 => SSSD 1.11.7
Metadata Update from @dpal:
- Issue assigned to pbrezina
- Issue set to the milestone: SSSD 1.11.7
SSSD is moving from Pagure to Github. This means that new issues and pull requests
will be accepted only in SSSD's github repository.
This issue has been cloned to Github and is available here:
If you want to receive further updates on the issue, please navigate to the github issue
and click on subscribe button.
Thank you for understanding. We apologize for all inconvenience.