#2212 [RFE] Add fallback to sudoRunAs when sudoRunAsUser is not defined and no ldap_sudorule_runasuser mapping has been defined in SSSD
Closed: Fixed None Opened 6 years ago by dpal.

Ticket was cloned from Red Hat Bugzilla (product RHEL RFE): Bug 1042922

Please note that this Bug is private and may not be accessible as it contains confidential Red Hat customer information.

Proposed title of this feature request
Add fallback to sudoRunAs when sudoRunAsUser is not defined and no
ldap_sudorule_runasuser mapping has been defined in SSSD.


What is the nature and description of the request?
As of sudo-1.7 when sudo rules are defined in LDAP, sudoRunAs has been
superseded by sudoRusAsUser with a fallback when the latter is not defined in
the LDAP record. This RFE is to request the same behavior to be added to SSSD
which currently has the use of sudoRusAsUser hardcoded when the
ldap_sudorule_runasuser mapping is not defined.

Why it is needed?
Using sudo via sssd instead of LDAP introduces possible unauthorized root access on local server for all users logged on to the server which can be caused due to an incorrect (typo) or missing sudoRunAsUser mapping in the sssd.conf file.

Functional requirements:
Enable a fallback making SSSD to check for sudoRunAs when sudoRunAsUser is
not found and no mapping has been configured.

For each functional requirement listed, specify how it can be tested.
- define a sudo rule in LDAP as:
~~~
dn: cn=support,ou=sudoers,dc=example,dc=com
objectClass: sudoRole
sudoOption: !authenticate
sudoUser: someuser
sudoHost: ALL
cn: support
sudoCommand: ALL
sudoRunAs: support
~~~
- configure SSSD with no mapping (default) to use this LDAP tree
- add to /etc/nsswitch.conf
~~~
sudoers:    files sss
~~~
- as user someuser run 'sudo -l' which should show the command can only be
  executed by the support user
~~~
User someuser run the following commands on this host:
    (support) NOPASSWD: ALL
~~~

Are you willing to test?
Yes

Makes sense, although not the highest priority. The sudo LDAP backend does the same, so this is needed to achieve 1:1 parity.

blockedby: =>
blocking: =>
changelog: =>
coverity: =>
design: =>
design_review: => 0
feature_milestone: =>
fedora_test_page: =>
review: True => 0
selected: =>
testsupdated: => 0

Fields changed

cc: => mmsrubar

Fields changed

milestone: NEEDS_TRIAGE => SSSD 1.12 beta

Fields changed

milestone: SSSD 1.12 beta => SSSD 1.12.1

Fields changed

owner: somebody => pbrezina
status: new => assigned

Fields changed

changelog: => Implemeting this RFE would help legacy deployments that still use the sudoRunAs attribute.
design: => N/A (trivial)

Fields changed

patch: 0 => 1

Fields changed

resolution: => fixed
status: assigned => closed

This RFE was requested by downstream, moving to 1.11.7

milestone: SSSD 1.12.1 => SSSD 1.11.7

Metadata Update from @dpal:
- Issue assigned to pbrezina
- Issue set to the milestone: SSSD 1.11.7

3 years ago

SSSD is moving from Pagure to Github. This means that new issues and pull requests
will be accepted only in SSSD's github repository.

This issue has been cloned to Github and is available here:
- https://github.com/SSSD/sssd/issues/3254

If you want to receive further updates on the issue, please navigate to the github issue
and click on subscribe button.

Thank you for understanding. We apologize for all inconvenience.

Login to comment on this ticket.

Metadata