[Bug 1688034] Re: 1.8.16-0ubuntu1.3 update breaks sudo with freeipa-client / sssd
Brian Candler
1688034 at bugs.launchpad.net
Fri May 5 13:15:40 UTC 2017
I found out how to enable debugging for sudoers:
Debug sudo /var/log/sudo-debug all at info
Debug sudoers.so /var/log/sudoers-debug all at info
With the *new* sudo I get the following logged matching 'sssd':
May 5 12:40:06 sudo[17912] sssd/ldap sudoHost 'ALL' ... MATCH!
May 5 12:40:06 sudo[17912] sssd/ldap sudoUser '%system_administrators' ... not (brian.candler)
May 5 12:40:06 sudo[17912] sssd/ldap sudoUser '%security_administrators' ... not (brian.candler)
But with the *old* sudo I get:
May 5 12:41:48 sudo[18384] sssd/ldap sudoHost 'ALL' ... MATCH!
May 5 12:41:48 sudo[18384] sssd/ldap sudoRunAsUser 'ALL' ... MATCH!
May 5 12:41:48 sudo[18384] sssd/ldap sudoCommand 'ALL' ... MATCH!
It seems to be a behaviour change with group checking.
The 'brian.candler' user *is* a member of one of those groups in IPA;
but those groups are not posix groups so they are not visible using
(e.g.) "id".
I was able to solve the problem by adding
objectClass: posixgroup
gidNumber: NNNNNNNN
to those group objects. After this, the sudoers log shows:
May 5 13:11:50 sudo[19545] sssd/ldap sudoHost 'ALL' ... MATCH!
May 5 13:11:50 sudo[19545] sssd/ldap sudoUser '%system_administrators' ... not (brian.candler)
May 5 13:11:50 sudo[19545] sssd/ldap sudoUser '%security_administrators' ... MATCH! (brian.candler)
May 5 13:11:50 sudo[19545] sssd/ldap sudoRunAsUser 'ALL' ... MATCH!
May 5 13:11:50 sudo[19545] sssd/ldap sudoCommand 'ALL' ... MATCH!
So: arguably this is not a bug, but a bug fix. Still, it would be nice
if the release notes explained the potential for regression.
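Triage helper added as an example here (not code from this bug thread, nor from sudo, sssd or FreeIPA): it reads sudoers.so debug lines of the shape quoted above, picks out the '%group' sudoUser entries that failed to match, and cross-checks each group against an LDIF export of the IPA groups tree to say whether the user is a member and whether the group carries the posixgroup objectClass and a gidNumber that the fix above added. The debug lines and the LDIF below are constructed samples modelled on the thread, and the gidNumber passed to posix_fix_ldif is a placeholder.

```python
"""Explain failed '%group' sudoUser matches from sudoers.so debug output.

Constructed example for this bug thread; not sudo/sssd/FreeIPA code.
"""
import base64
import re

# Constructed debug lines modelled on the 'new sudo' output in the comment.
SAMPLE_DEBUG_LOG = """\
May 5 12:40:06 sudo[17912] sssd/ldap sudoHost 'ALL' ... MATCH!
May 5 12:40:06 sudo[17912] sssd/ldap sudoUser '%system_administrators' ... not (brian.candler)
May 5 12:40:06 sudo[17912] sssd/ldap sudoUser '%security_administrators' ... not (brian.candler)
"""

# Constructed LDIF: neither group has posixgroup/gidNumber, and only
# security_administrators lists the user as a member.
SAMPLE_LDIF = """\
dn: cn=system_administrators,cn=groups,cn=accounts,dc=ipa,dc=example,dc=com
objectClass: top
objectClass: groupofnames
objectClass: ipausergroup
cn: system_administrators
member: uid=someone.else,cn=users,cn=accounts,dc=ipa,dc=example,dc=com

dn: cn=security_administrators,cn=groups,cn=accounts,dc=ipa,dc=example,dc=com
objectClass: top
objectClass: groupofnames
objectClass: ipausergroup
cn: security_administrators
member: uid=brian.candler,cn=users,cn=accounts,dc=ipa,dc=example,dc=com
"""

# One sssd/ldap match line: attribute, quoted value, MATCH!/not, optional (user).
DEBUG_RE = re.compile(
    r"sudo\[(?P<pid>\d+)\] sssd/ldap (?P<attr>sudo\w+) '(?P<value>[^']*)' \.\.\. "
    r"(?P<result>MATCH!|not)(?: \((?P<user>[^)]+)\))?"
)


def parse_sudo_debug(text):
    """Return one dict per sssd/ldap match line: attr, value, matched, user."""
    events = []
    for line in text.splitlines():
        m = DEBUG_RE.search(line)
        if m:
            events.append({"attr": m.group("attr"), "value": m.group("value"),
                           "matched": m.group("result") == "MATCH!",
                           "user": m.group("user")})
    return events


def parse_ldif(text):
    """Minimal LDIF reader (folded lines, '::' base64 values, '#' comments).

    Returns a list of entries, each a dict of lower-cased attribute -> [values].
    """
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:      # folded continuation line
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, current = [], None
    for line in lines + [""]:                  # trailing "" flushes the last entry
        if line.startswith("#"):
            continue
        if not line:
            if current:
                entries.append(current)
            current = None
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):              # base64-encoded value
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        current = current if current is not None else {}
        current.setdefault(attr.lower(), []).append(value.strip())
    return entries


def find_group(entries, name):
    """Locate a group entry by cn (case-insensitive); None if absent."""
    for e in entries:
        if any(v.lower() == name.lower() for v in e.get("cn", [])):
            return e
    return None


def is_posix_group(entry):
    """True only if the group has objectClass posixgroup AND a gidNumber."""
    classes = {c.lower() for c in entry.get("objectclass", [])}
    return "posixgroup" in classes and bool(entry.get("gidnumber"))


def is_member(entry, uid):
    """Direct membership check on the 'member' DNs (no nested-group expansion)."""
    prefix = f"uid={uid.lower()},"
    return any(m.lower().startswith(prefix) for m in entry.get("member", []))


def diagnose(log_text, ldif_text):
    """Map each failed '%group' sudoUser entry to a verdict string."""
    entries, verdicts = parse_ldif(ldif_text), {}
    for ev in parse_sudo_debug(log_text):
        if ev["attr"] != "sudoUser" or not ev["value"].startswith("%") or ev["matched"]:
            continue
        group, user = ev["value"][1:], ev["user"]
        entry = find_group(entries, group)
        if entry is None:
            verdicts[group] = "group not found in LDIF"
        elif not is_member(entry, user):
            verdicts[group] = f"{user} is not a member"
        elif not is_posix_group(entry):
            verdicts[group] = "member, but group lacks posixgroup/gidNumber (invisible to id/getent)"
        else:
            verdicts[group] = "member of a POSIX group; look elsewhere (nesting, cache, rule scope)"
    return verdicts


def posix_fix_ldif(entry, gid):
    """LDIF modify record adding the attributes the comment above added by hand."""
    return (f"dn: {entry['dn'][0]}\nchangetype: modify\n"
            "add: objectClass\nobjectClass: posixgroup\n-\n"
            f"add: gidNumber\ngidNumber: {gid}\n")


if __name__ == "__main__":
    for group, verdict in diagnose(SAMPLE_DEBUG_LOG, SAMPLE_LDIF).items():
        print(f"%{group}: {verdict}")
```

On a real host the inputs would be the sudoers debug file named in the Debug line and an ldapsearch export of cn=groups,cn=accounts; the membership check is direct only, so a user who reaches the group through nesting is reported as "not a member" and should be checked separately.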
--
https://bugs.launchpad.net/bugs/1688034
Title:
1.8.16-0ubuntu1.3 update breaks sudo with freeipa-client / sssd
Status in sudo package in Ubuntu:
New
Bug description:
ubuntu 16.04, enrolled with freeipa-client to FreeIPA 4.4.0 (under
CentOS 7)
With sudo 1.8.16-0ubuntu1, everything is fine:
brian.candler at api-dev:~$ sudo -s
[sudo] password for brian.candler:
root at api-dev:~#
After update to 1.8.16-0ubuntu1.3, it no longer works:
brian.candler at api-dev:~$ sudo -k
brian.candler at api-dev:~$ sudo -s
[sudo] password for brian.candler:
brian.candler is not allowed to run sudo on api-dev.int.example.com. This incident will be reported.
This is repeatable: downgrade sudo and it works again.
Seems very likely related to the change made as part of #1607666, which
changes how sudo policies are matched, but has an unexpected regression.
--- Additional info ---
The sudo policy in IPA is extremely simple. It has a single rule,
which says:
- applies to users in groups "system_administrators" and "security_administrators"
- applies to any host
- applies to any command
In LDAP under ou=sudoers tree, the groups are flattened out:
# system administrators on all hosts, sudoers, ipa.example.com
dn: cn=system administrators on all hosts,ou=sudoers,dc=ipa,dc=example,dc=com
sudoRunAsGroup: ALL
objectClass: sudoRole
objectClass: top
sudoUser: brian.candler
sudoUser: ...
sudoUser: ... list more users
sudoUser: ...
sudoRunAsUser: ALL
sudoCommand: ALL
sudoHost: ALL
cn: system administrators on all hosts
Under cn=sudorules,cn=sudo it refers to the groups rather than the
individuals:
# 59ffb10a-9c61-11e6-b5b8-00163efd5284, sudorules, sudo, ipa.example.com
dn: ipaUniqueID=59ffb10a-9c61-11e6-b5b8-00163efd5284,cn=sudorules,cn=sudo,dc=ipa,dc=example,dc=com
ipaSudoRunAsUserCategory: all
ipaSudoRunAsGroupCategory: all
description: admins have full sudo access on any host they can ssh into
cmdCategory: all
hostCategory: all
memberUser: cn=system_administrators,cn=groups,cn=accounts,dc=ipa,dc=example,dc=com
memberUser: cn=security_administrators,cn=groups,cn=accounts,dc=ipa,dc=example,dc=com
objectClass: ipasudorule
objectClass: ipaassociation
ipaEnabledFlag: TRUE
cn: system administrators on all hosts
ipaUniqueID: 59ffb10a-9c61-11e6-b5b8-00163efd5284
I have no workaround other than downgrade.
ProblemType: Bug
DistroRelease: Ubuntu 16.04
Package: sudo 1.8.16-0ubuntu1.3
ProcVersionSignature: Ubuntu 4.4.0-1016.25-aws 4.4.59
Uname: Linux 4.4.0-1016-aws x86_64
ApportVersion: 2.20.1-0ubuntu2.5
Architecture: amd64
Date: Wed May 3 16:01:23 2017
Ec2AMI: ami-a8d2d7ce
Ec2AMIManifest: (unknown)
Ec2AvailabilityZone: eu-west-1a
Ec2InstanceType: t2.small
Ec2Kernel: unavailable
Ec2Ramdisk: unavailable
ProcEnviron:
TERM=xterm-256color
PATH=(custom, no user)
LANG=en_US.UTF-8
SHELL=/bin/bash
SourcePackage: sudo
UpgradeStatus: No upgrade log present (probably fresh install)
VisudoCheck:
/etc/sudoers: parsed OK
/etc/sudoers.d/90-cloud-init-users: parsed OK
/etc/sudoers.d/README: parsed OK