osdir.com
mailing list archive

Subject: Re: Winbind group not visible to sudo? - msg#00016

List: tools.sudo.user

Sudo uses getgrnam() to look up groups and then does a string compare
to see if the user is a member. On some (most?) systems, getgrnam()
appears to only provide data for the first source specified in
nsswitch.conf that contained the group in question. This can cause
problems when the users are listed in a group db other than /etc/group
when /etc/group is the first source in /etc/nsswitch.conf. A
workaround is to change the order in /etc/nsswitch.conf.

The reason 'id' works is that it uses the supplemental group vector
directly (via getgroups(2)). Sudo 1.7 will also use the supplemental
group vector if it is present, which helps work around this kind of
problem. The code to support this is already in the sudo cvs source
tree.

- todd
____________________________________________________________
sudo-users mailing list <sudo-users@xxxxxxx>
For list information, options, or to unsubscribe, visit:
http://www.sudo.ws/mailman/listinfo/sudo-users



Thread at a glance:

Previous Message by Date:

Re: How to test sudoers before deployment?

Todd C. Miller wrote:
> You may find the testsudoers program useful. It is really more of
> a development tool for the parser but it does allow you to specify
> a sudoers file and check commands based on user and host.
>
> You can add "testsudoers" to the PROGS variable in the Makefile or
> just do "make testsudoers" to build it.

Yes! That is very much useful to me in this context. Thanks for that hint. I can wrap it for my purposes from something that tests the parser to something that gives me a Yes/No answer about whether access is provided or not. Although for automated testing the return code is more useful.

For the mail archive, I am able to script something very similar to this to build up a regression test for my changes.

    # assignments on their own line so that $user etc. are set before they expand
    user=bob host=dementia cmd=/usr/bin/foo sudoers=./sudoers
    testsudoers $user $host $cmd < $sudoers \
      | grep -q 'cmnd_match : 1' && echo Yes || echo No

Thanks!

Bob

Next Message by Date:

Luke Morgan/Luton/MTL is out of the office.

I will be out of the office starting 08/01/2005 and will not return until 18/01/2005. I will respond to your message when I return. If it is an urgent matter, please contact another member of IT support.

Previous Message by Thread:

Winbind group not visible to sudo?

Ok, I'm now officially losing my mind here. My sudo does not seem to recognize %groups coming from winbind?

I have a RHEL 3.0 box set up with Samba's winbind and Kerberos etc. and some PAM trickery so that a specific group ("UNIXAdmins") of users in our Active Directory can log in. Logging in (via SSH) and doing `id` shows that the OS as such recognizes the user, its primary group ("Domain Users"), and the other groups it's a member of, including the group I'm interested in ("UNIXAdmins"). `id` shows both user/group names and uid/gid, so this lookup seems to be working. Further, `getent passwd <user>` and `getent group <group>` on the relevant user and group return the expected information (sufficiently bog standard looking that I'm omitting it for brevity). Even adding the specific user to sudoers works as expected. However, setting sudoers to permit the group %UNIXAdmins fails.

On the theory that sudo might be reading /etc/(passwd|group) directly instead of using getent() I tried strace'ing it. Tracing the command directly failed due to some setuid oddness (which I guess is expected behaviour?), and stracing the pid from the point where sudo waits for the password revealed very little except that it opens two pipes whose names suggest they belong to winbind and Samba. It showed me nothing suggesting why sudo might be failing to recognize the group (strace output available if anyone is interested).

So... Any suggestions? Am I missing something obvious? Anything else I could try to figure out what's going on here?

BTW, I started out with the group called "UNIX Admins" and ran up against sudo's lack of support for group names containing spaces (which is shared by at least one PAM module, so I guess singling out sudo would be unfair). I since changed the group name to "UNIXAdmins", and the change /seems/ to have been picked up everywhere, but I guess it might be lingering in its old form somewhere tripping me up.

Also, the primary group of the user in question is "Domain Users" (i.e. containing a space character), so I guess this might be a problem?
