[Bug 1591137] Re: sudo ignores shortname aliases in sudoers file
Martin Fox
1591137 at bugs.launchpad.net
Mon Mar 6 20:16:32 UTC 2017
We are experiencing the same symptoms with sudo (v1.8.16) as have been previously reported in this bug.
On an Ubuntu 16.04 system short hostnames don't work in the sudoers file when the 'fqdn' option is true (as it is by default). The documentation indicates that the short form should still work with the fqdn option set.
Steps to reproduce:
On a system called 'ubuntu1604.example.com', put the following into sudoers:
%john ubuntu1604=(root) NOPASSWD: /bin/true
%john ubuntu1604.example.com=(root) NOPASSWD: /bin/false
Expected outcome:
sudo -l shows user 'john' is allowed to run:
(root) /bin/true
(root) /bin/false
Actual outcome:
sudo -l shows user 'john' is allowed to run:
(root) /bin/false
sudo -l -U john -h ubuntu1604 shows user 'john' is allowed to run:
(root) /bin/false
sudo -l -U test -h ubuntu1604.example.com shows user 'john' is allowed to run:
(root) /bin/true
(root) /bin/false
------
Sudo version 1.8.16
Configure options: --prefix=/usr -v --with-all-insults --with-pam --with-fqdn --with-logging=syslog --with-logfac=authpriv --with-env-editor --with-editor=/usr/bin/editor --with-exampledir=/usr/share/doc/sudo/examples --with-timeout=15 --with-password-timeout=0 --with-passprompt=[sudo] password for %p: --without-lecture --with-tty-tickets --disable-root-mailer --enable-admin-flag --with-sendmail=/usr/sbin/sendmail --with-rundir=/var/run/sudo --mandir=/usr/share/man --libexecdir=/usr/lib/sudo --with-sssd --with-sssd-lib=/usr/lib/x86_64-linux-gnu --with-selinux --with-linux-audit
Sudoers policy plugin version 1.8.16
---------
root@bs-ubuntu1604:~# uname -a
Linux bs-ubuntu1604 4.4.0-64-generic #85-Ubuntu SMP Mon Feb 20 11:50:30 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
---------
root@bs-ubuntu1604:~# cat /etc/hosts
127.0.0.1 localhost
127.0.1.1 bs-ubuntu1604.ethz.ch bs-ubuntu1604
# The following lines are desirable for IPv6 capable hosts
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
root@bs-ubuntu1604:~# hostname
bs-ubuntu1604
https://bugs.launchpad.net/bugs/1591137
Title:
sudo ignores shortname aliases in sudoers file
Status in sudo package in Ubuntu:
Confirmed
Bug description:
Our sudoers file contains host aliases which all work fine on versions
of Ubuntu < 16.04.
On 16.04, it has become necessary to include the FQDN of the machine
in order for sudo permissions to be granted. I have reproduced this
problem on two cleanly-installed servers.
i.e.
This entry in /etc/sudoers does not work for members of sudo group:-
%sudo ourserver
This entry in /etc/sudoers does work for members of sudo group:-
%sudo ourserver.our.domain
Extra information which may be of interest:
'hostname' returns the shortname on both Ub1604 and Ub1404
installations
/etc/hosts lists machines by fqdn and then shortname on both platforms, i.e.
ip.ad.dr.es ourserver.our.domain ourserver
/etc/resolv.conf is set to search our.domain, same on both platforms
sudo package version is 1.8.16-0ubuntu1.1
Bw
John
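
The following added example (not part of the bug report and not sudo's own code) scans sudoers text for rules that reach a given host only through its short name, which are the rules this report says stop applying on 16.04. The function name, the simplified parsing (no line continuations, includes, negated hosts or nested aliases) and the sample file are assumptions made for the example.

```python
import re

ALIAS_RE = re.compile(r"^Host_Alias\s+(\w+)\s*=\s*(.+)$")
SPEC_RE = re.compile(r"^(\S+)\s+([^=]+?)\s*=")  # who, host list, then '='

# Constructed sample: the two rules from the report plus an alias case.
SAMPLE = """\
# constructed sample sudoers
Defaults env_reset
Host_Alias BUILD = ubuntu1604, buildbox2
%john ubuntu1604=(root) NOPASSWD: /bin/true
%john ubuntu1604.example.com=(root) NOPASSWD: /bin/false
%ops BUILD=(root) /usr/bin/apt-get
root ALL=(ALL:ALL) ALL
"""

def split_hosts(field):
    """Split a comma-separated host list into trimmed names."""
    return [h.strip() for h in field.split(",") if h.strip()]

def short_only_rules(sudoers_text, fqdn):
    """Return (line_no, who, host_field) for rules that reach this host
    only through its short name, never through the FQDN or ALL."""
    fqdn = fqdn.lower()
    short = fqdn.split(".", 1)[0]
    lines = [l.strip() for l in sudoers_text.splitlines()]
    aliases = {}
    for l in lines:  # first pass: collect Host_Alias definitions
        m = ALIAS_RE.match(l)
        if m:
            aliases[m.group(1)] = split_hosts(m.group(2))
    findings = []
    for n, l in enumerate(lines, 1):  # second pass: user specifications
        if not l or l.startswith(("#", "Defaults")) \
                or l.split()[0].endswith("_Alias"):
            continue
        m = SPEC_RE.match(l)
        if not m:
            continue
        hosts = []
        for h in split_hosts(m.group(2)):
            hosts.extend(aliases.get(h, [h]))  # expand one alias level
        names = {h.lower() for h in hosts}
        if "all" not in names and short in names and fqdn not in names:
            findings.append((n, m.group(1), m.group(2)))
    return findings

if __name__ == "__main__":
    for n, who, hosts in short_only_rules(SAMPLE, "ubuntu1604.example.com"):
        print(f"line {n}: {who} matches only via short name ({hosts})")
```

Flagged rules are candidates to recheck with `sudo -l -U <user>` on the host itself, as done in the reproduction steps above.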