From e7ba359abf341bac10195c41bb3d865e4fbb3460 Mon Sep 17 00:00:00 2001 From: "Todd C. Miller" Date: Thu, 29 Mar 2018 07:13:31 -0600 Subject: [PATCH] Add a section on convertion from file-based sudoers. --- doc/sudoers.ldap.cat | 141 ++++++++++++++++++++++------- doc/sudoers.ldap.man.in | 190 ++++++++++++++++++++++++++++++--------- doc/sudoers.ldap.mdoc.in | 180 ++++++++++++++++++++++++++++--------- 3 files changed, 396 insertions(+), 115 deletions(-) diff --git a/doc/sudoers.ldap.cat b/doc/sudoers.ldap.cat index 02c80f9b5..b499288a3 100644 --- a/doc/sudoers.ldap.cat +++ b/doc/sudoers.ldap.cat @@ -32,20 +32,6 @@ DDEESSCCRRIIPPTTIIOONN when the data is inserted into LDAP, there is no need for a specialized tool to check syntax. - Another major difference between LDAP and file-based _s_u_d_o_e_r_s is that in - LDAP, ssuuddoo-specific Aliases are not supported. - - For the most part, there is really no need for ssuuddoo-specific Aliases. - Unix groups, non-Unix groups (via the _g_r_o_u_p___p_l_u_g_i_n) or user netgroups can - be used in place of User_Aliases and Runas_Aliases. Host netgroups can - be used in place of Host_Aliases. Since groups and netgroups can also be - stored in LDAP there is no real need for ssuuddoo-specific aliases. - - Cmnd_Aliases are not really required either since it is possible to have - multiple users listed in a sudoRole. Instead of defining a Cmnd_Alias - that is referenced by multiple users, one can create a sudoRole that - contains the commands and assign multiple users to it. - SSUUDDOOeerrss LLDDAAPP ccoonnttaaiinneerr The _s_u_d_o_e_r_s configuration is contained in the ou=SUDOers LDAP container. @@ -55,7 +41,7 @@ DDEESSCCRRIIPPTTIIOONN SSH_AUTH_SOCK variable will be preserved in the environment for all users. - dn: cn=defaults,ou=SUDOers,dc=example,dc=com + dn: cn=defaults,ou=SUDOers,dc=my-domain,dc=com objectClass: top objectClass: sudoRole cn: defaults 
@@ -184,7 +170,7 @@ DDEESSCCRRIIPPTTIIOONN The following example allows users in group wheel to run any command on any host via ssuuddoo: - dn: cn=%wheel,ou=SUDOers,dc=example,dc=com + dn: cn=%wheel,ou=SUDOers,dc=my-domain,dc=com objectClass: top objectClass: sudoRole cn: %wheel @@ -231,10 +217,19 @@ DDEESSCCRRIIPPTTIIOONN significantly speed up ssuuddoo's execution time. DDiiffffeerreenncceess bbeettwweeeenn LLDDAAPP aanndd nnoonn--LLDDAAPP ssuuddooeerrss - There are some subtle differences in the way sudoers is handled once in - LDAP. Probably the biggest is that according to the RFC, LDAP ordering - is arbitrary and you cannot expect that Attributes and Entries are - returned in any specific order. + One of the major differences between LDAP and file-based _s_u_d_o_e_r_s is that + in LDAP, ssuuddoo-specific Aliases are not supported. + + For the most part, there is little need for ssuuddoo-specific Aliases. Unix + groups, non-Unix groups (via the _g_r_o_u_p___p_l_u_g_i_n) or user netgroups can be + used in place of User_Aliases and Runas_Aliases. Host netgroups can be + used in place of Host_Aliases. Since groups and netgroups can also be + stored in LDAP there is no real need for ssuuddoo-specific aliases. + + There are also some subtle differences in the way sudoers is handled once + in LDAP. Probably the biggest is that according to the RFC, LDAP + ordering is arbitrary and you cannot expect that Attributes and Entries + are returned in any specific order. The order in which different entries are applied can be controlled using the sudoOrder attribute, but there is no way to guarantee the order of 
@@ -273,9 +268,9 @@ DDEESSCCRRIIPPTTIIOONN sudoCommand: !/bin/sh sudoCommand: ALL - Another difference is that negations on the Host, User or Runas are - currently ignored. For example, the following attributes do not behave - the way one might expect. + Another difference is that it is not possible to use negation in a + sudoUser, sudoRunAsUser or sudoRunAsGroup attribute. For example, the + following attributes do not behave the way one might expect. # does not match all but joe # rather, does not match anyone 
@@ -286,10 +281,88 @@ DDEESSCCRRIIPPTTIIOONN sudoUser: ALL sudoUser: !joe - # does not match all but web01 - # rather, matches all hosts including web01 + CCoonnvveerrttiinngg bbeettwweeeenn ffiillee--bbaasseedd aanndd LLDDAAPP ssuuddooeerrss + The cvtsudoers(1) utility can be used to convert between file-based and + LDAP _s_u_d_o_e_r_s. However, there are features in the file-based sudoers that + have no equivalent in LDAP-based sudoers (and vice versa). These cannot + be converted automatically. + + For example, a Cmnd_Alias in a _s_u_d_o_e_r_s file may be converted to a + sudoRole that contains multiple commands. Multiple users and/or groups + may be assigned to the sudoRole. + + Also, host, user, runas and command-based Defaults entries are not + supported. However, a sudoRole may contain one or more sudoOption + attributes which can often serve the same purpose. + + Consider the following _s_u_d_o_e_r_s lines: + + Cmnd_Alias PAGERS = /usr/bin/more, /usr/bin/pg, /usr/bin/less + Defaults!PAGERS noexec + alice, bob ALL = ALL + + In this example, alice and bob are allowed to run all commands, but the + commands listed in PAGERS will have the noexec flag set, preventing shell + escapes. + + When converting this to LDAP, two sudoRole objects can be used: + + dn: cn=PAGERS,ou=SUDOers,dc=my-domain,dc=com + objectClass: top + objectClass: sudoRole + cn: PAGERS + sudoUser: alice + sudoUser: bob + sudoHost: ALL + sudoCommand: /usr/bin/more + sudoCommand: /usr/bin/pg + sudoCommand: /usr/bin/less + sudoOption: noexec + sudoOrder: 900 + + dn: cn=ADMINS,ou=SUDOers,dc=my-domain,dc=com + objectClass: top + objectClass: sudoRole + cn: ADMINS + sudoUser: alice + sudoUser: bob + sudoHost: ALL + sudoCommand: ALL + sudoOrder: 100 + + In the LDAP version, the sudoOrder attribute is used to guarantee that + the PAGERS sudoRole with _n_o_e_x_e_c has precedence. 
Unlike the _s_u_d_o_e_r_s + version, the LDAP version requires that all users for whom the + restriction should apply be assigned to the PAGERS sudoRole. Using a + Unix group or netgroup in PAGERS rather than listing each user would make + this easier to maintain. + + Per-user Defaults entries can be emulated by using one or more sudoOption + attributes in a sudoRole. Consider the following _s_u_d_o_e_r_s lines: + + User_Alias ADMINS = john, sally + Defaults:ADMINS !authenticate + ADMINS ALL = (ALL:ALL) ALL + + In this example, john and sally are allowed to run any command as any + user or group. + + When converting this to LDAP, we can use a Unix group instead of the + User_Alias. + + dn: cn=admins,ou=SUDOers,dc=my-domain,dc=com + objectClass: top + objectClass: sudoRole + cn: admins + sudoUser: %admin sudoHost: ALL - sudoHost: !web01 + sudoRunAsUser: ALL + sudoRunAsGroup: ALL + sudoCommand: ALL + sudoOption: !authenticate + + This assumes that users john and sally are members of the "admins" Unix + group. SSuuddooeerrss sscchheemmaa In order to use ssuuddoo's LDAP support, the ssuuddoo schema must be installed on @@ -370,9 +443,9 @@ DDEESSCCRRIIPPTTIIOONN NNEETTGGRROOUUPP__BBAASSEE _b_a_s_e The base DN to use when performing LDAP netgroup queries. - Typically this is of the form ou=netgroup,dc=example,dc=com for the - domain example.com. Multiple NNEETTGGRROOUUPP__BBAASSEE lines may be specified, - in which case they are queried in the order specified. + Typically this is of the form ou=netgroup,dc=my-domain,dc=com for + the domain my-domain.com. Multiple NNEETTGGRROOUUPP__BBAASSEE lines may be + specified, in which case they are queried in the order specified. This option can be used to query a user's netgroups directly via LDAP which is usually faster than fetching every sudoRole object 
@@ -452,8 +525,8 @@ DDEESSCCRRIIPPTTIIOONN SSUUDDOOEERRSS__BBAASSEE _b_a_s_e The base DN to use when performing ssuuddoo LDAP queries. Typically - this is of the form ou=SUDOers,dc=example,dc=com for the domain - example.com. Multiple SSUUDDOOEERRSS__BBAASSEE lines may be specified, in + this is of the form ou=SUDOers,dc=my-domain,dc=com for the domain + my-domain.com. Multiple SSUUDDOOEERRSS__BBAASSEE lines may be specified, in which case they are queried in the order specified. SSUUDDOOEERRSS__DDEEBBUUGG _d_e_b_u_g___l_e_v_e_l @@ -714,7 +787,7 @@ EEXXAAMMPPLLEESS timelimit 30 # # Must be set or sudo will ignore LDAP; may be specified multiple times. - sudoers_base ou=SUDOers,dc=example,dc=com + sudoers_base ou=SUDOers,dc=my-domain,dc=com # # verbose sudoers matching from ldap #sudoers_debug 2 @@ -879,7 +952,7 @@ EEXXAAMMPPLLEESS ) SSEEEE AALLSSOO - ldap.conf(4), sssd-sudo(4), sudo.conf(4), sudoers(4) + cvtsudoers(1), ldap.conf(4), sssd-sudo(4), sudo.conf(4), sudoers(4) AAUUTTHHOORRSS Many people have worked on ssuuddoo over the years; this version consists of @@ -912,4 +985,4 @@ DDIISSCCLLAAIIMMEERR file distributed with ssuuddoo or https://www.sudo.ws/license.html for complete details. -Sudo 1.8.23 March 21, 2018 Sudo 1.8.23 +Sudo 1.8.23 March 29, 2018 Sudo 1.8.23 diff --git a/doc/sudoers.ldap.man.in b/doc/sudoers.ldap.man.in index b9029dbbc..10c7fda1c 100644 --- a/doc/sudoers.ldap.man.in +++ b/doc/sudoers.ldap.man.in @@ -1,7 +1,7 @@ .\" DO NOT EDIT THIS FILE, IT IS NOT THE MASTER! .\" IT IS GENERATED AUTOMATICALLY FROM sudoers.ldap.mdoc.in .\" -.\" Copyright (c) 2003-2017 Todd C. Miller +.\" Copyright (c) 2003-2018 Todd C. Miller .\" .\" Permission to use, copy, modify, and distribute this software for any .\" purpose with or without fee is hereby granted, provided that the above 
@@ -16,7 +16,7 @@ .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. .\" ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.TH "SUDOERS.LDAP" "5" "March 21, 2018" "Sudo @PACKAGE_VERSION@" "File Formats Manual" +.TH "SUDOERS.LDAP" "5" "March 29, 2018" "Sudo @PACKAGE_VERSION@" "File Formats Manual" .nh .if n .ad l .SH "NAME" @@ -76,31 +76,6 @@ file. Since LDAP updates are atomic, locking is no longer necessary. Because syntax is checked when the data is inserted into LDAP, there is no need for a specialized tool to check syntax. -.PP -Another major difference between LDAP and file-based -\fIsudoers\fR -is that in LDAP, -\fBsudo\fR-specific -Aliases are not supported. -.PP -For the most part, there is really no need for -\fBsudo\fR-specific -Aliases. -Unix groups, non-Unix groups (via the -\fIgroup_plugin\fR) -or user netgroups can be used in place of User_Aliases and Runas_Aliases. -Host netgroups can be used in place of Host_Aliases. -Since groups and netgroups can also be stored in LDAP there is no real need for -\fBsudo\fR-specific -aliases. -.PP -Cmnd_Aliases are not really required either since it is possible -to have multiple users listed in a -\fRsudoRole\fR. -Instead of defining a Cmnd_Alias that is referenced by multiple users, -one can create a -\fRsudoRole\fR -that contains the commands and assign multiple users to it. .SS "SUDOers LDAP container" The \fIsudoers\fR @@ -123,7 +98,7 @@ variable will be preserved in the environment for all users. .nf .sp .RS 4n -dn: cn=defaults,ou=SUDOers,dc=example,dc=com +dn: cn=defaults,ou=SUDOers,dc=my-domain,dc=com objectClass: top objectClass: sudoRole cn: defaults @@ -374,7 +349,7 @@ on any host via .nf .sp .RS 4n -dn: cn=%wheel,ou=SUDOers,dc=example,dc=com +dn: cn=%wheel,ou=SUDOers,dc=my-domain,dc=com objectClass: top objectClass: sudoRole cn: %wheel 
@@ -446,7 +421,24 @@ can significantly speed up \fBsudo\fR's execution time. .SS "Differences between LDAP and non-LDAP sudoers" -There are some subtle differences in the way sudoers is handled +One of the major differences between LDAP and file-based +\fIsudoers\fR +is that in LDAP, +\fBsudo\fR-specific +Aliases are not supported. +.PP +For the most part, there is little need for +\fBsudo\fR-specific +Aliases. +Unix groups, non-Unix groups (via the +\fIgroup_plugin\fR) +or user netgroups can be used in place of User_Aliases and Runas_Aliases. +Host netgroups can be used in place of Host_Aliases. +Since groups and netgroups can also be stored in LDAP there is no real need for +\fBsudo\fR-specific +aliases. +.PP +There are also some subtle differences in the way sudoers is handled once in LDAP. Probably the biggest is that according to the RFC, LDAP ordering is arbitrary and you cannot expect that Attributes and Entries are @@ -497,8 +489,8 @@ sudoCommand: ALL .RE .fi .PP -Another difference is that negations on the Host, User or Runas are -currently ignored. +Another difference is that it is not possible to use negation in a +sudoUser, sudoRunAsUser or sudoRunAsGroup attribute. For example, the following attributes do not behave the way one might expect. .nf .sp 
@@ -511,13 +503,130 @@ sudoUser: !joe # rather, matches everyone including Joe sudoUser: ALL sudoUser: !joe +.RE +.fi +.SS "Converting between file-based and LDAP sudoers" +The +cvtsudoers(1) +utility can be used to convert between file-based and LDAP +\fIsudoers\fR. +However, there are features in the file-based sudoers that have +no equivalent in LDAP-based sudoers (and vice versa). +These cannot be converted automatically. +.PP +For example, a Cmnd_Alias in a +\fIsudoers\fR +file may be converted to a +\fRsudoRole\fR +that contains multiple commands. +Multiple users and/or groups may be assigned to the +\fRsudoRole\fR. +.PP +Also, host, user, runas and command-based +\fRDefaults\fR +entries are not supported. +However, a +\fRsudoRole\fR +may contain one or more +\fRsudoOption\fR +attributes which can often serve the same purpose. +.PP +Consider the following +\fIsudoers\fR +lines: +.nf +.sp +.RS 4n +Cmnd_Alias PAGERS = /usr/bin/more, /usr/bin/pg, /usr/bin/less +Defaults!PAGERS noexec +alice, bob ALL = ALL +.RE +.fi +.PP +In this example, alice and bob are allowed to run all commands, but +the commands listed in PAGERS will have the noexec flag set, +preventing shell escapes. +.PP +When converting this to LDAP, two sudoRole objects can be used: +.nf +.sp +.RS 4n +dn: cn=PAGERS,ou=SUDOers,dc=my-domain,dc=com +objectClass: top +objectClass: sudoRole +cn: PAGERS +sudoUser: alice +sudoUser: bob +sudoHost: ALL +sudoCommand: /usr/bin/more +sudoCommand: /usr/bin/pg +sudoCommand: /usr/bin/less +sudoOption: noexec +sudoOrder: 900 -# does not match all but web01 -# rather, matches all hosts including web01 +dn: cn=ADMINS,ou=SUDOers,dc=my-domain,dc=com +objectClass: top +objectClass: sudoRole +cn: ADMINS +sudoUser: alice +sudoUser: bob +sudoHost: ALL +sudoCommand: ALL +sudoOrder: 100 +.RE +.fi +.PP +In the LDAP version, the sudoOrder attribute is used to guarantee +that the PAGERS sudoRole with +\fInoexec\fR +has precedence. 
+Unlike the +\fIsudoers\fR +version, the LDAP version requires that all users for whom the restriction +should apply be assigned to the PAGERS sudoRole. +Using a Unix group or netgroup in PAGERS rather than listing each +user would make this easier to maintain. +.PP +Per-user +\fRDefaults\fR +entries can be emulated by using one or more sudoOption attributes +in a sudoRole. +Consider the following +\fIsudoers\fR +lines: +.nf +.sp +.RS 4n +User_Alias ADMINS = john, sally +Defaults:ADMINS !authenticate +ADMINS ALL = (ALL:ALL) ALL +.RE +.fi +.PP +In this example, john and sally are allowed to run any command +as any user or group. +.PP +When converting this to LDAP, we can use a Unix group instead +of the User_Alias. +.nf +.sp +.RS 4n +dn: cn=admins,ou=SUDOers,dc=my-domain,dc=com +objectClass: top +objectClass: sudoRole +cn: admins +sudoUser: %admin sudoHost: ALL -sudoHost: !web01 +sudoRunAsUser: ALL +sudoRunAsGroup: ALL +sudoCommand: ALL +sudoOption: !authenticate .RE .fi +.PP +This assumes that users john and sally are members of the +\(Lqadmins\(Rq +Unix group. .SS "Sudoers schema" In order to use \fBsudo\fR's @@ -669,9 +778,9 @@ The default value is protocol version 3. \fBNETGROUP_BASE\fR \fIbase\fR The base DN to use when performing LDAP netgroup queries. Typically this is of the form -\fRou=netgroup,dc=example,dc=com\fR +\fRou=netgroup,dc=my-domain,dc=com\fR for the domain -\fRexample.com\fR. +\fRmy-domain.com\fR. Multiple \fBNETGROUP_BASE\fR lines may be specified, in which case they are queried in the order specified. @@ -822,9 +931,9 @@ The base DN to use when performing \fBsudo\fR LDAP queries. Typically this is of the form -\fRou=SUDOers,dc=example,dc=com\fR +\fRou=SUDOers,dc=my-domain,dc=com\fR for the domain -\fRexample.com\fR. +\fRmy-domain.com\fR. Multiple \fBSUDOERS_BASE\fR lines may be specified, in which case they are queried in the order specified. 
@@ -1308,7 +1417,7 @@ bind_timelimit 30 timelimit 30 # # Must be set or sudo will ignore LDAP; may be specified multiple times. -sudoers_base ou=SUDOers,dc=example,dc=com +sudoers_base ou=SUDOers,dc=my-domain,dc=com # # verbose sudoers matching from ldap #sudoers_debug 2 @@ -1486,6 +1595,7 @@ objectclass ( 1.3.6.1.4.1.15953.9.2.1 NAME 'sudoRole' SUP top STRUCTURAL .RE .fi .SH "SEE ALSO" +cvtsudoers(1), ldap.conf(@mansectform@), sssd-sudo(@mansectform@), sudo.conf(@mansectform@), diff --git a/doc/sudoers.ldap.mdoc.in b/doc/sudoers.ldap.mdoc.in index 745322085..bb16bff02 100644 --- a/doc/sudoers.ldap.mdoc.in +++ b/doc/sudoers.ldap.mdoc.in @@ -1,5 +1,5 @@ .\" -.\" Copyright (c) 2003-2017 Todd C. Miller +.\" Copyright (c) 2003-2018 Todd C. Miller .\" .\" Permission to use, copy, modify, and distribute this software for any .\" purpose with or without fee is hereby granted, provided that the above @@ -14,7 +14,7 @@ .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. .\" ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd March 21, 2018 +.Dd March 29, 2018 .Dt SUDOERS.LDAP @mansectform@ .Os Sudo @PACKAGE_VERSION@ .Sh NAME 
@@ -72,31 +72,6 @@ Since LDAP updates are atomic, locking is no longer necessary. Because syntax is checked when the data is inserted into LDAP, there is no need for a specialized tool to check syntax. .El -.Pp -Another major difference between LDAP and file-based -.Em sudoers -is that in LDAP, -.Nm sudo Ns -specific -Aliases are not supported. -.Pp -For the most part, there is really no need for -.Nm sudo Ns -specific -Aliases. -Unix groups, non-Unix groups (via the -.Em group_plugin ) -or user netgroups can be used in place of User_Aliases and Runas_Aliases. -Host netgroups can be used in place of Host_Aliases. -Since groups and netgroups can also be stored in LDAP there is no real need for -.Nm sudo Ns -specific -aliases. -.Pp -Cmnd_Aliases are not really required either since it is possible -to have multiple users listed in a -.Li sudoRole . -Instead of defining a Cmnd_Alias that is referenced by multiple users, -one can create a -.Li sudoRole -that contains the commands and assign multiple users to it. .Ss SUDOers LDAP container The .Em sudoers @@ -117,7 +92,7 @@ In the following example, the .Ev SSH_AUTH_SOCK variable will be preserved in the environment for all users. .Bd -literal -offset 4n -dn: cn=defaults,ou=SUDOers,dc=example,dc=com +dn: cn=defaults,ou=SUDOers,dc=my-domain,dc=com objectClass: top objectClass: sudoRole cn: defaults @@ -166,7 +141,7 @@ entry is preceded by an exclamation point, and the entry matches, the .Li sudoRole in which it resides will be ignored. -Negated +Negated .Li sudoHost entries are only supported by version 1.8.18 or higher. .It Sy sudoCommand @@ -353,7 +328,7 @@ The following example allows users in group wheel to run any command on any host via .Nm sudo : .Bd -literal -offset 4n -dn: cn=%wheel,ou=SUDOers,dc=example,dc=com +dn: cn=%wheel,ou=SUDOers,dc=my-domain,dc=com objectClass: top objectClass: sudoRole cn: %wheel 
@@ -424,7 +399,24 @@ can significantly speed up .Nm sudo Ns 's execution time. .Ss Differences between LDAP and non-LDAP sudoers -There are some subtle differences in the way sudoers is handled +One of the major differences between LDAP and file-based +.Em sudoers +is that in LDAP, +.Nm sudo Ns -specific +Aliases are not supported. +.Pp +For the most part, there is little need for +.Nm sudo Ns -specific +Aliases. +Unix groups, non-Unix groups (via the +.Em group_plugin ) +or user netgroups can be used in place of User_Aliases and Runas_Aliases. +Host netgroups can be used in place of Host_Aliases. +Since groups and netgroups can also be stored in LDAP there is no real need for +.Nm sudo Ns -specific +aliases. +.Pp +There are also some subtle differences in the way sudoers is handled once in LDAP. Probably the biggest is that according to the RFC, LDAP ordering is arbitrary and you cannot expect that Attributes and Entries are @@ -472,8 +464,8 @@ sudoCommand: !/bin/sh sudoCommand: ALL .Ed .Pp -Another difference is that negations on the Host, User or Runas are -currently ignored. +Another difference is that it is not possible to use negation in a +sudoUser, sudoRunAsUser or sudoRunAsGroup attribute. For example, the following attributes do not behave the way one might expect. .Bd -literal -offset 4n # does not match all but joe 
@@ -484,12 +476,117 @@ sudoUser: !joe # rather, matches everyone including Joe sudoUser: ALL sudoUser: !joe +.Ed +.Ss Converting between file-based and LDAP sudoers +The +.Xr cvtsudoers 1 +utility can be used to convert between file-based and LDAP +.Em sudoers . +However, there are features in the file-based sudoers that have +no equivalent in LDAP-based sudoers (and vice versa). +These cannot be converted automatically. +.Pp +For example, a Cmnd_Alias in a +.Em sudoers +file may be converted to a +.Li sudoRole +that contains multiple commands. +Multiple users and/or groups may be assigned to the +.Li sudoRole . +.Pp +Also, host, user, runas and command-based +.Li Defaults +entries are not supported. +However, a +.Li sudoRole +may contain one or more +.Li sudoOption +attributes which can often serve the same purpose. +.Pp +Consider the following +.Em sudoers +lines: +.Bd -literal -offset 4n +Cmnd_Alias PAGERS = /usr/bin/more, /usr/bin/pg, /usr/bin/less +Defaults!PAGERS noexec +alice, bob ALL = ALL +.Ed +.Pp +In this example, alice and bob are allowed to run all commands, but +the commands listed in PAGERS will have the noexec flag set, +preventing shell escapes. +.Pp +When converting this to LDAP, two sudoRole objects can be used: +.Bd -literal -offset 4n +dn: cn=PAGERS,ou=SUDOers,dc=my-domain,dc=com +objectClass: top +objectClass: sudoRole +cn: PAGERS +sudoUser: alice +sudoUser: bob +sudoHost: ALL +sudoCommand: /usr/bin/more +sudoCommand: /usr/bin/pg +sudoCommand: /usr/bin/less +sudoOption: noexec +sudoOrder: 900 -# does not match all but web01 -# rather, matches all hosts including web01 +dn: cn=ADMINS,ou=SUDOers,dc=my-domain,dc=com +objectClass: top +objectClass: sudoRole +cn: ADMINS +sudoUser: alice +sudoUser: bob +sudoHost: ALL +sudoCommand: ALL +sudoOrder: 100 +.Ed +.Pp +In the LDAP version, the sudoOrder attribute is used to guarantee +that the PAGERS sudoRole with +.Em noexec +has precedence. 
+Unlike the +.Em sudoers +version, the LDAP version requires that all users for whom the restriction +should apply be assigned to the PAGERS sudoRole. +Using a Unix group or netgroup in PAGERS rather than listing each +user would make this easier to maintain. +.Pp +Per-user +.Li Defaults +entries can be emulated by using one or more sudoOption attributes +in a sudoRole. +Consider the following +.Em sudoers +lines: +.Bd -literal -offset 4n +User_Alias ADMINS = john, sally +Defaults:ADMINS !authenticate +ADMINS ALL = (ALL:ALL) ALL +.Ed +.Pp +In this example, john and sally are allowed to run any command +as any user or group. +.Pp +When converting this to LDAP, we can use a Unix group instead +of the User_Alias. +.Bd -literal -offset 4n +dn: cn=admins,ou=SUDOers,dc=my-domain,dc=com +objectClass: top +objectClass: sudoRole +cn: admins +sudoUser: %admin sudoHost: ALL -sudoHost: !web01 +sudoRunAsUser: ALL +sudoRunAsGroup: ALL +sudoCommand: ALL +sudoOption: !authenticate .Ed +.Pp +This assumes that users john and sally are members of the +.Dq admins +Unix group. .Ss Sudoers schema In order to use .Nm sudo Ns 's @@ -629,9 +726,9 @@ The default value is protocol version 3. .It Sy NETGROUP_BASE Ar base The base DN to use when performing LDAP netgroup queries. Typically this is of the form -.Li ou=netgroup,dc=example,dc=com +.Li ou=netgroup,dc=my-domain,dc=com for the domain -.Li example.com . +.Li my-domain.com . Multiple .Sy NETGROUP_BASE lines may be specified, in which case they are queried in the order specified. @@ -768,9 +865,9 @@ The base DN to use when performing .Nm sudo LDAP queries. Typically this is of the form -.Li ou=SUDOers,dc=example,dc=com +.Li ou=SUDOers,dc=my-domain,dc=com for the domain -.Li example.com . +.Li my-domain.com . Multiple .Sy SUDOERS_BASE lines may be specified, in which case they are queried in the order specified. 
@@ -1188,7 +1285,7 @@ bind_timelimit 30 timelimit 30 # # Must be set or sudo will ignore LDAP; may be specified multiple times. -sudoers_base ou=SUDOers,dc=example,dc=com +sudoers_base ou=SUDOers,dc=my-domain,dc=com # # verbose sudoers matching from ldap #sudoers_debug 2 @@ -1362,6 +1459,7 @@ objectclass ( 1.3.6.1.4.1.15953.9.2.1 NAME 'sudoRole' SUP top STRUCTURAL ) .Ed .Sh SEE ALSO +.Xr cvtsudoers 1 , .Xr ldap.conf @mansectform@ , .Xr sssd-sudo @mansectform@ , .Xr sudo.conf @mansectform@ , -- 2.40.0
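Review bot: the commit subject misspells "conversion" as "convertion"; the heading the patch adds ("Converting between file-based and LDAP sudoers") is spelled correctly in all three files, so only the subject line needs the fix.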
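Review bot: the switch from dc=example,dc=com to dc=my-domain,dc=com in the '@@ -55,7 +41,7 @@' hunk (and in every later hunk that touches a base DN, including the NETGROUP_BASE and SUDOERS_BASE text that now reads "for the domain my-domain.com") is not mentioned in the commit message, and it trades a domain reserved for documentation by RFC 2606 for an ordinary registrable name, so an ldap.conf copied from the EXAMPLES section would point at a domain the project does not control. If the goal is to match the dc=my-domain,dc=com suffix in OpenLDAP's sample slapd.conf, say so in the commit message; otherwise keep dc=example,dc=com.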
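Review bot: in the '@@ -231,10 +217,19 @@' hunk the moved paragraph now opens with "there is little need for sudo-specific Aliases" but still closes with "there is no real need for sudo-specific aliases"; the two sentences make different claims, so settle on one (the softer "little need" reads as the intended one, since the new Converting section goes on to show an alias being emulated rather than dropped) and apply it in sudoers.ldap.mdoc.in, from which the .cat and .man.in files are generated.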
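Review bot: the '@@ -273,9 +268,9 @@' hunk replaces "negations on the Host, User or Runas are currently ignored" with a sentence that names only sudoUser, sudoRunAsUser and sudoRunAsGroup, and the later hunk drops the "sudoHost: !web01" example, but nothing in this section tells the reader that sudoHost is now the exception (the mdoc hunk at line 141 only says negated sudoHost entries need 1.8.18 or higher). Add a clause such as "negated sudoHost entries are supported as of sudo 1.8.18" here, since an administrator reading only this paragraph will otherwise assume host negation is still silently ignored.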
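Review bot: in the second conversion example of the '@@ -286,10 +281,88 @@' hunk the sudoRole has "sudoUser: %admin" while its dn is cn=admins and the closing sentence says john and sally are "members of the "admins" Unix group"; as written the role matches the group named admin, not admins, so the !authenticate option would never apply to them. Change the attribute to "sudoUser: %admins" (or the prose and dn to "admin") in sudoers.ldap.mdoc.in and regenerate, since the same mismatch is present in the .man.in and .mdoc.in hunks.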
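Review bot: in the '@@ -511,13 +503,130 @@' hunk of sudoers.ldap.man.in the sentence "These cannot be converted automatically." is immediately followed by "For example, a Cmnd_Alias in a sudoers file may be converted to a sudoRole that contains multiple commands.", so the example reads as an instance of something that cannot be converted when it is actually the workaround. Rephrase the lead-in, e.g. "Some of these can be expressed differently. For example, a Cmnd_Alias ...", and mirror it in the mdoc source.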
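Review bot: the '-Negated' / '+Negated' change in the '@@ -166,7 +141,7 @@' hunk of sudoers.ldap.mdoc.in is a trailing-whitespace fix with no relation to the new section; keeping it is fine, but call it out in the commit message or split it into its own commit so the documentation change stays easy to review.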
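Review bot: the '@@ -484,12 +476,117 @@' hunk says the sudoOrder attribute "is used to guarantee that the PAGERS sudoRole with noexec has precedence" but never states the rule it relies on: when several sudoRole entries match, the one with the highest sudoOrder is chosen, mirroring last-match in the sudoers file, which is why PAGERS is 900 and ADMINS is 100. Spell that out, and add that any other sudoRole matching alice or bob for the pager commands must carry a lower sudoOrder than PAGERS, otherwise that role would be selected instead and the noexec restriction would not apply; the paragraph already covers the per-user caveat but not this one.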