- Bug
- Resolution: Unresolved
- Major
- rhel-9.0.0
- rhel-idm-sssd
- ssg_security
Description of problem:
The sudo rule attribute sudoHost does not work with an IPv6 address, an IPv6 address with a mask, or an IPv4 address with a mask when sudo rules are served by the SSSD sudo provider. The same rules work when sudo queries LDAP directly.
Version-Release number of selected component (if applicable):
Tested and failed on all RHEL 8 and RHEL 9 releases.
How reproducible:
Every time
Steps to Reproduce:
1. Set up sudo to use SSSD, using this LDAP data:
- my-domain.com
dn: dc=my-domain,dc=com
objectClass: dcObject
objectClass: organization
dc: my-domain
o: Test server
- Groups, my-domain.com
dn: ou=Groups,dc=my-domain,dc=com
objectClass: top
objectClass: organizationalunit
ou: Groups
- People, my-domain.com
dn: ou=People,dc=my-domain,dc=com
objectClass: top
objectClass: organizationalunit
ou: People
- admin, People, my-domain.com
dn: cn=admin,ou=People,dc=my-domain,dc=com
objectClass: top
objectClass: account
objectClass: posixAccount
cn: admin
uidNumber: 11001
gidNumber: 21001
homeDirectory: /home/admin
loginShell: /bin/bash
uid: admin
userPassword:: eA==
- admin, Groups, my-domain.com
dn: cn=admin,ou=Groups,dc=my-domain,dc=com
gidNumber: 21001
objectClass: top
objectClass: posixGroup
cn: 21001
cn: admin
- userallowed, People, my-domain.com
dn: cn=userallowed,ou=People,dc=my-domain,dc=com
objectClass: top
objectClass: account
objectClass: posixAccount
cn: userallowed
uidNumber: 10001
gidNumber: 20001
homeDirectory: /home/userallowed
loginShell: /bin/bash
uid: userallowed
userPassword:: eA==
- groupallowed, Groups, my-domain.com
dn: cn=groupallowed,ou=Groups,dc=my-domain,dc=com
gidNumber: 20001
objectClass: top
objectClass: posixGroup
cn: groupallowed
- usernotallowed, People, my-domain.com
dn: cn=usernotallowed,ou=People,dc=my-domain,dc=com
objectClass: top
objectClass: account
objectClass: posixAccount
cn: usernotallowed
uidNumber: 10002
gidNumber: 20002
homeDirectory: /home/usernotallowed
loginShell: /bin/bash
uid: usernotallowed
userPassword:: eA==
- groupnotallowed, Groups, my-domain.com
dn: cn=groupnotallowed,ou=Groups,dc=my-domain,dc=com
gidNumber: 20002
objectClass: top
objectClass: posixGroup
cn: groupnotallowed
- Sudoers, my-domain.com
dn: ou=Sudoers,dc=my-domain,dc=com
objectClass: top
objectClass: organizationalUnit
ou: Sudoers
- defaults, Sudoers, my-domain.com
dn: cn=defaults,ou=Sudoers,dc=my-domain,dc=com
objectClass: top
objectClass: sudoRole
cn: defaults
sudoOption: !authenticate
sudoOption: !requiretty
2. Add one of the following rules to the LDAP data:
a) To test sudoHost with an IPv6 address, add this rule:
- rule_allow, Sudoers, my-domain.com
dn: cn=rule_allow,ou=Sudoers,dc=my-domain,dc=com
objectClass: top
objectClass: sudoRole
cn: rule_allow
sudoCommand: ALL
sudoUser: ALL
sudoHost: FD6D:8D64:AF0C:0000:0000:0000:0000:0008
b) To test sudoHost with an IPv6 address with a mask, add this rule:
- rule_allow, Sudoers, my-domain.com
dn: cn=rule_allow,ou=Sudoers,dc=my-domain,dc=com
objectClass: top
objectClass: sudoRole
cn: rule_allow
sudoCommand: ALL
sudoUser: ALL
sudoHost: FD6D:8D64:AF0C::/72
c) To test sudoHost with an IPv4 address with a mask, add this rule:
- rule_allow, Sudoers, my-domain.com
dn: cn=rule_allow,ou=Sudoers,dc=my-domain,dc=com
objectClass: top
objectClass: sudoRole
cn: rule_allow
sudoCommand: ALL
sudoUser: ALL
sudoHost: 192.168.10.0/26
3. Check it with the following command (the host must have an address covered by the rule):
$ su - userallowed -c 'sudo true'
Actual results:
sudo fails with a generic error (exit status 1).
Expected results:
userallowed is allowed to run sudo on this host (exit status 0).
Additional info:
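Not part of the report: an added reference matcher, in Python, showing the sudoHost semantics the three rule_allow variants above rely on (an exact IPv6 address, an IPv6 prefix and an IPv4 prefix, each tested against the host's own addresses after normalisation). It goes slightly beyond the report by also accepting the dotted-netmask form that sudoers.ldap allows; the host addresses are constructed, and nothing here reflects how SSSD itself implements the check.

```python
"""Reference sudoHost matcher (added example, not SSSD or bug-report code).
Host names, netgroups and wildcards are out of scope here; the page's rules
are an IPv6 address, an IPv6 prefix and an IPv4 prefix."""
import ipaddress

def parse_sudo_host(value: str):
    """Turn one sudoHost value into something an address can be tested against.
    Returns "ALL", an ipaddress network (plain address, CIDR or dotted netmask)
    or None for values this example does not handle (host names, netgroups)."""
    if value == "ALL":
        return "ALL"
    try:
        # strict=False tolerates host bits set below the prefix and accepts a
        # dotted netmask such as 192.168.10.0/255.255.255.192.
        return ipaddress.ip_network(value, strict=False)
    except ValueError:
        return None

def host_matches(sudo_hosts, host_addresses) -> bool:
    """True if any sudoHost value covers any of this host's addresses.
    Addresses are normalised by ipaddress, so the zero-padded uppercase form
    FD6D:8D64:AF0C:0000:0000:0000:0000:0008 matches fd6d:8d64:af0c::8."""
    addrs = [ipaddress.ip_address(a) for a in host_addresses]
    for value in sudo_hosts:
        spec = parse_sudo_host(value)
        if spec == "ALL":
            return True
        # "in" is False across address families, so v4 never matches a v6 net.
        if spec is not None and any(a in spec for a in addrs):
            return True
    return False

# The three rule_allow variants from the report, plus a constructed host whose
# addresses (assumed) fall inside each of the stated ranges.
RULES = {
    "ipv6": ["FD6D:8D64:AF0C:0000:0000:0000:0000:0008"],
    "ipv6_mask": ["FD6D:8D64:AF0C::/72"],
    "ipv4_mask": ["192.168.10.0/26"],
}
HOST_ADDRS = ["192.168.10.17", "fd6d:8d64:af0c::8"]

if __name__ == "__main__":
    for name, hosts in RULES.items():
        verdict = "allow" if host_matches(hosts, HOST_ADDRS) else "deny"
        print(f"{name}: {verdict}")
```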