RHEL-1365

GID in SudoUser entry does not work via SSSD provider [rhel-10]


      Description of problem:
      Sudo rule option SudoUser with group ID does not work via SSSD provider. But it works via LDAP.

      Version-Release number of selected component (if applicable):
      tested and failed on all RHEL8 and RHEL9

      How reproducible:
      Every time

      Steps to Reproduce:
      1. Set up sudo to use SSSD, using this LDAP data (ldapsearch LDIF output; the "# ..." lines are entry comments):

        # my-domain.com
        dn: dc=my-domain,dc=com
        objectClass: dcObject
        objectClass: organization
        dc: my-domain
        o: Test server

        # Groups, my-domain.com
        dn: ou=Groups,dc=my-domain,dc=com
        objectClass: top
        objectClass: organizationalunit
        ou: Groups

        # People, my-domain.com
        dn: ou=People,dc=my-domain,dc=com
        objectClass: top
        objectClass: organizationalunit
        ou: People

        # admin, People, my-domain.com
        dn: cn=admin,ou=People,dc=my-domain,dc=com
        objectClass: top
        objectClass: account
        objectClass: posixAccount
        cn: admin
        uidNumber: 11001
        gidNumber: 21001
        homeDirectory: /home/admin
        loginShell: /bin/bash
        uid: admin
        userPassword:: eA==

        # admin, Groups, my-domain.com
        dn: cn=admin,ou=Groups,dc=my-domain,dc=com
        gidNumber: 21001
        objectClass: top
        objectClass: posixGroup
        cn: 21001
        cn: admin

        # userallowed, People, my-domain.com
        dn: cn=userallowed,ou=People,dc=my-domain,dc=com
        objectClass: top
        objectClass: account
        objectClass: posixAccount
        cn: userallowed
        uidNumber: 10001
        gidNumber: 20001
        homeDirectory: /home/userallowed
        loginShell: /bin/bash
        uid: userallowed
        userPassword:: eA==

        # groupallowed, Groups, my-domain.com
        dn: cn=groupallowed,ou=Groups,dc=my-domain,dc=com
        gidNumber: 20001
        objectClass: top
        objectClass: posixGroup
        cn: groupallowed

        # usernotallowed, People, my-domain.com
        dn: cn=usernotallowed,ou=People,dc=my-domain,dc=com
        objectClass: top
        objectClass: account
        objectClass: posixAccount
        cn: usernotallowed
        uidNumber: 10002
        gidNumber: 20002
        homeDirectory: /home/usernotallowed
        loginShell: /bin/bash
        uid: usernotallowed
        userPassword:: eA==

        # groupnotallowed, Groups, my-domain.com
        dn: cn=groupnotallowed,ou=Groups,dc=my-domain,dc=com
        gidNumber: 20002
        objectClass: top
        objectClass: posixGroup
        cn: groupnotallowed

        # Sudoers, my-domain.com
        dn: ou=Sudoers,dc=my-domain,dc=com
        objectClass: top
        objectClass: organizationalUnit
        ou: Sudoers

        # defaults, Sudoers, my-domain.com
        dn: cn=defaults,ou=Sudoers,dc=my-domain,dc=com
        objectClass: top
        objectClass: sudoRole
        cn: defaults
        sudoOption: !authenticate
        sudoOption: !requiretty

        # rule1, Sudoers, my-domain.com
        dn: cn=rule1,ou=Sudoers,dc=my-domain,dc=com
        objectClass: top
        objectClass: sudoRole
        cn: rule1
        sudoHost: ALL
        sudoCommand: ALL
        sudoUser: %#20001

      2. Check it with the following command:

      $ su - userallowed -c 'sudo true'

      Actual results:
      Gets a generic error - exit status 1

      Expected results:
      userallowed is in the sudoers file - exit status 0
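The matching that both providers are expected to perform, as an added example that is not part of the bug report and not SSSD or sudo code: a Python implementation of the sudoers(5) User_List rules for sudoUser, checked against users constructed from the LDIF above. PosixUser, user_matches and rule_applies are this example's own names, and it goes beyond the report by covering the name, #uid, %group and negated forms as well as the %#gid form.

```python
# Added example, not SSSD or sudo source: evaluates sudoUser values using the
# User_List rules of sudoers(5) against users constructed from the LDIF above.
# PosixUser, user_matches and rule_applies are names chosen for this example.
from dataclasses import dataclass, field

@dataclass
class PosixUser:
    name: str
    uid: int
    gid: int                                    # primary group (gidNumber)
    groups: dict = field(default_factory=dict)  # gid -> name, primary included

    def gids(self):
        return set(self.groups) | {self.gid}

def user_matches(spec, user):
    """True/False when `spec` decides for `user`, None when it does not apply."""
    negated = False
    while spec.startswith("!"):                 # each '!' toggles the sense
        negated, spec = not negated, spec[1:]
    if spec == "ALL":
        hit = True
    elif spec.startswith("%#"):                 # numeric GID, e.g. %#20001 (the report's form)
        hit = int(spec[2:]) in user.gids()
    elif spec.startswith("%"):                  # group by name, e.g. %groupallowed
        hit = spec[1:] in user.groups.values()
    elif spec.startswith("#"):                  # numeric UID, e.g. #10001
        hit = int(spec[1:]) == user.uid
    else:                                       # plain user name
        hit = spec == user.name
    return (not negated) if hit else None

def rule_applies(sudo_users, user):
    """sudoUser values form a User_List; as in sudo's matcher the last matching entry decides."""
    for spec in reversed(sudo_users):
        verdict = user_matches(spec, user)
        if verdict is not None:
            return verdict
    return False

# Constructed from the LDIF in the report (primary groups only, no supplementary groups).
USERALLOWED = PosixUser("userallowed", 10001, 20001, {20001: "groupallowed"})
USERNOTALLOWED = PosixUser("usernotallowed", 10002, 20002, {20002: "groupnotallowed"})
ADMIN = PosixUser("admin", 11001, 21001, {21001: "admin"})
RULE1 = ["%#20001"]                             # sudoUser of cn=rule1 above

if __name__ == "__main__":
    for u in (USERALLOWED, USERNOTALLOWED, ADMIN):
        print(f"{u.name}: {'allowed' if rule_applies(RULE1, u) else 'denied'}")
```

With rule1 only userallowed is granted, which is the exit status 0 the report expects; a provider that ignores the %#gid form denies all three.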

      Additional info:

              rh-ee-allopez Alejandro Lopez
              nbubakov Natália Bubáková