Your message dated Sun, 14 Mar 2021 14:17:21 +0100 with message-id <YE4M4UOiD2JX/[email protected]> and subject line "Re: Bug#373674: sudo-ldap: Lack of ordering contraints / sensible override options" has caused the Debian Bug report #373674, regarding "sudo-ldap: Lack of ordering contraints / sensible override options", to be marked as done.

This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact [email protected] immediately.)

--
373674: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=373674
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: sudo-ldap
Version: 1.6.8p12-4
Severity: normal

Suppose the following normal /etc/sudoers entries:

    user ALL=(ALL) NOPASSWD: /usr/bin/apt-get
    user ALL=(ALL) ALL

This lets "user" run apt-get commands without entering a password, or any other command with it. The ordering in the file ensures that the specific rule for apt-get is hit before the general "ALL" rule.

But now consider the following entries in LDAP:

    dn: cn=user,ou=SUDOers,dc=example,dc=com
    objectClass: top
    objectClass: sudoRole
    cn: user
    sudoUser: user
    sudoHost: ALL
    sudoCommand: ALL

    dn: cn=user_noauth,ou=SUDOers,dc=example,dc=com
    objectClass: top
    objectClass: sudoRole
    cn: user_noauth
    sudoUser: user
    sudoHost: ALL
    sudoCommand: /usr/bin/apt-get
    sudoOption: !authenticate

Because LDAP search results are not ordered, either one or the other of these results could be returned first. The upshot here is that when running an "apt-get" command, half the time a password is required, and half not. This makes it unpredictable, and unusable for automated scripted tasks, which may rely on "sudo" being able to run non-interactively.

I propose two methods that may solve this:

1. Store a "sudoPriority" or similar attribute, and sort the replies into order, thus allowing full ordering as would be achievable in the config file.

2. Apply some logic to the "strength" of the match, allowing more specific rules to override more general ones. Any specific command would override "ALL", any specific user would override "ALL", longer commands override shorter ones, etc... This might be more confusing though, as the exact order between

    user ALL=(ALL) ALL

and

    ALL ALL=(ALL) /bin/some/command

is not obvious - either could be correct.

I suspect the first solution would be easier for users and administrators to understand. Also, it directly maps to the config file layout, allowing easy migration from a config file. And it allows expression of any rules that can be expressed in a config file, whereas the overriding order solution would not.

-- System Information:
Debian Release: testing/unstable
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'unstable')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.13-mh2.nim
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)

Versions of packages sudo-ldap depends on:
ii  libc6           2.3.6-13   GNU C Library: Shared libraries
ii  libldap2        2.1.30-13  OpenLDAP libraries
ii  libpam-modules  0.79-3.1   Pluggable Authentication Modules f
ii  libpam0g        0.79-3.1   Pluggable Authentication Modules l

sudo-ldap recommends no packages.

-- no debconf information
--- End Message ---
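The non-determinism the report describes, and the effect of the proposed ordering attribute, can be modelled with a small evaluator. The following is an added example written for this page; it is not code from the bug report, from Debian or from the sudo project. It parses the two sudoRole entries quoted above (copied here as a constructed LDIF string), evaluates them the way the sudoers file does (every matching entry is applied in turn and the last match decides the options), and shows that without an ordering attribute the answer for apt-get depends on which entry the directory happens to return first. The attribute name sudoPriority is the reporter's proposal and is assumed here; sudo's real LDAP schema later gained a sudoOrder attribute for this purpose, and real sudo matching (netgroups, wildcards, user/host aliases) is far richer than the exact-string comparison used in this toy.

```python
"""Toy model of sudo-ldap role evaluation with and without an ordering attribute."""
import itertools
from typing import Dict, List, Optional

# The two sudoRole entries from the bug report, reproduced as a constructed LDIF string.
LDIF = """\
dn: cn=user,ou=SUDOers,dc=example,dc=com
objectClass: top
objectClass: sudoRole
cn: user
sudoUser: user
sudoHost: ALL
sudoCommand: ALL

dn: cn=user_noauth,ou=SUDOers,dc=example,dc=com
objectClass: top
objectClass: sudoRole
cn: user_noauth
sudoUser: user
sudoHost: ALL
sudoCommand: /usr/bin/apt-get
sudoOption: !authenticate
"""

Entry = Dict[str, List[str]]


def parse_ldif(text: str) -> List[Entry]:
    """Minimal LDIF parser: entries are separated by blank lines, attributes may repeat."""
    entries: List[Entry] = []
    current: Entry = {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr.strip(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries


def matches(entry: Entry, user: str, host: str, command: str) -> bool:
    """Simplified match: each attribute must equal the request or be the literal ALL."""
    def ok(attr: str, want: str) -> bool:
        return any(v == "ALL" or v == want for v in entry.get(attr, []))
    return ok("sudoUser", user) and ok("sudoHost", host) and ok("sudoCommand", command)


def requires_password(entries: List[Entry], user: str, host: str, command: str) -> Optional[bool]:
    """Apply entries in the given order; the last matching entry's options win, as in sudoers.
    Returns None when no entry grants the command at all."""
    decision: Optional[bool] = None
    for entry in entries:
        if matches(entry, user, host, command):
            decision = "!authenticate" not in entry.get("sudoOption", [])
    return decision


def outcomes_without_ordering(entries: List[Entry], user: str, host: str, command: str) -> set:
    """Every answer reachable over every order the directory might return the entries in.
    A set with more than one element is exactly the unpredictability the report describes."""
    return {requires_password(list(p), user, host, command)
            for p in itertools.permutations(entries)}


def assign_priority(entries: List[Entry], priorities: Dict[str, int],
                    attr: str = "sudoPriority") -> List[Entry]:
    """Return copies of the entries carrying the (assumed) ordering attribute, keyed by cn."""
    return [dict(e, **{attr: [str(priorities.get(e["cn"][0], 0))]}) for e in entries]


def requires_password_ordered(entries: List[Entry], user: str, host: str, command: str,
                              attr: str = "sudoPriority") -> Optional[bool]:
    """Sort by the ordering attribute (missing value counts as 0), then evaluate deterministically."""
    ordered = sorted(entries, key=lambda e: int(e.get(attr, ["0"])[0]))
    return requires_password(ordered, user, host, command)


if __name__ == "__main__":
    roles = parse_ldif(LDIF)
    print("unordered apt-get:", outcomes_without_ordering(roles, "user", "host1", "/usr/bin/apt-get"))
    # The specific NOPASSWD-style entry gets the higher value so it is applied last and wins.
    ranked = assign_priority(roles, {"user": 10, "user_noauth": 20})
    print("ordered apt-get:", requires_password_ordered(ranked, "user", "host1", "/usr/bin/apt-get"))
    print("ordered /bin/ls:", requires_password_ordered(ranked, "user", "host1", "/bin/ls"))
```

Running the script shows `{True, False}` for apt-get when no ordering is available, and a single deterministic answer once priorities are assigned; commands matched by only one entry (here `/bin/ls`) are unaffected either way, which is why the problem only surfaces for the commands an administrator has deliberately carved out of a broader rule.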
--- Begin Message ---
Version: 1.8.2-1

On Sat, Mar 13, 2021 at 04:35:25PM +0100, Dennis Filder wrote:
> This can be closed, I think

Closing the bug, thanks for helping. In the future, feel free to directly email [email protected] with a Version pseudoheader directly. Setting the fixed attribute doesn't really close the bug, that's just a bookkeeping option.

Greetings
Marc

-- 
-----------------------------------------------------------------------------
Marc Haber         | "I don't trust Computers. They | Mailadresse im Header
Leimen, Germany    |  lose things."    Winona Ryder | Fon: *49 6224 1600402
Nordisch by Nature | How to make an American Quilt  | Fax: *49 6224 1600421
--- End Message ---

