
I'm trying to translate this sudoers file into LDAP:

Defaults env_reset, env_keep="LESSSECURE SSH_CLIENT", !authenticate, noexec, requiretty, secure_path=/usr/local/bin:/usr/bin:/usr/sbin

Cmnd_Alias DNS = /usr/local/bin/dnsmanager
Cmnd_Alias LOGS = /usr/bin/tail /var/log/named.log, /usr/bin/less /var/log/named.log
admin ALL = (root) EXEC: DNS, LOGS

Where I'm having trouble is the noexec default, and then applying EXEC to a specific command.

Here's what my LDIF looks like:

dn: cn=defaults,ou=sudoers,dc=r1,dc=internal
cn: defaults
objectClass: sudoRole
sudoOption: env_keep+="SSH_CLIENT LESSSECURE"
sudoOption: !authenticate
sudoOption: noexec
sudoOption: secure_path=/usr/local/bin:/usr/bin:/usr/sbin

dn: cn=%operator@bmo,ou=sudoers,dc=r1,dc=internal
cn: %operator@bmo
sudoUser: %operator
sudoHost: bmo
sudoRunAsUser: root
objectClass: sudoRole
sudoCommand: /usr/bin/less /var/log/named.log
sudoCommand: /usr/bin/tail /var/log/named.log
sudoCommand: EXEC:/usr/local/bin/dnsmanager

But users are unable to execute the dnsmanager command. If they run `sudo -l` they see it listed, but it looks like this:

User jsmith may run the following commands on bmo:
    (root) /usr/bin/less /var/log/named.log, /usr/bin/tail /var/log/named.log,
        EXEC\:/usr/local/bin/dnsmanager

How can I avoid the colon being mangled so I can set the EXEC flag on the commands I want to?

miken32
  • Hmm, well this wasn't possible [in 2004](https://www.sudo.ws/pipermail/sudo-users/2004-May/002024.html) at least. "Looks like for this next to map perfectly, I will have to add some code. Let me get back to you on the last part." Wonder if Aaron ever got to that code? – miken32 Nov 07 '22 at 22:39
  • I did try running `cvtsudoers` and its solution was to set `sudoOption: !noexec` on whole role. This defeats the whole purpose of the default, so is not an acceptable solution. – miken32 Nov 07 '22 at 22:54

1 Answer


Well, I've ended up with two separate role objects for each group/host combo, one of which has the `!noexec` option. It made my management script quite a bit more complicated, but it seems to do the trick.

dn: cn=defaults,ou=sudoers,dc=r1,dc=internal
cn: defaults
objectClass: sudoRole
sudoOption: env_keep+="SSH_CLIENT LESSSECURE"
sudoOption: !authenticate
sudoOption: noexec
sudoOption: secure_path=/usr/local/bin:/usr/bin:/usr/sbin

dn: cn=%operator@bmo,ou=sudoers,dc=r1,dc=internal
cn: %operator@bmo
sudoUser: %operator
sudoHost: bmo
sudoRunAsUser: root
objectClass: sudoRole
sudoCommand: /usr/bin/less /var/log/named.log
sudoCommand: /usr/bin/tail /var/log/named.log

dn: cn=exec:%operator@bmo,ou=sudoers,dc=r1,dc=internal
cn: exec:%operator@bmo
sudoUser: %operator
sudoHost: bmo
sudoRunAsUser: root
objectClass: sudoRole
sudoOption: !noexec
sudoCommand: /usr/local/bin/dnsmanager
miken32
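An added example, not code from the question or the answer, that automates the answer's workaround: a small Python generator reads a minimal sudoers spec and emits split sudoRole entries, putting EXEC-tagged commands into a second role carrying `sudoOption: !noexec` while everything else stays in the base role and inherits the `noexec` default. The sample input is constructed; the base DN, the `exec:` cn prefix and the supported syntax (only `Cmnd_Alias` lines and `USER HOST = (RUNAS) cmds` specs with `EXEC:`/`NOEXEC:` tags) are assumptions. It follows the sudoers rule that a tag carries over to the following commands in the list until the opposite tag appears, which is why the sample resets with `NOEXEC:` before LOGS rather than writing `EXEC: DNS, LOGS`.

```python
"""Generate split sudoRole LDIF entries from a minimal sudoers spec.

Added example, not part of the original post. EXEC-tagged commands are
emitted as a second sudoRole with "sudoOption: !noexec"; the rest stay in
the base role under the noexec default. Only Cmnd_Alias lines and specs of
the form "USER HOST = (RUNAS) [TAG:] cmd, ..." are understood (no Defaults,
other aliases, line continuations or other tags) - that is an assumption
made to keep the example short.
"""
import re
from dataclasses import dataclass, field

# Constructed sample input: the question's aliases bound to the %operator
# group on host bmo. A sudoers tag sticks to every following command in the
# list until the opposite tag, so NOEXEC: is needed before LOGS.
SAMPLE_SUDOERS = """\
Cmnd_Alias DNS = /usr/local/bin/dnsmanager
Cmnd_Alias LOGS = /usr/bin/tail /var/log/named.log, /usr/bin/less /var/log/named.log
%operator bmo = (root) EXEC: DNS, NOEXEC: LOGS
"""

TAGS = {"EXEC", "NOEXEC"}  # the only tags this generator understands
SPEC_RE = re.compile(r"^(\S+)\s+(\S+)\s*=\s*\((\S+)\)\s*(.*)$")
TAG_RE = re.compile(r"^([A-Z]+):\s*(.*)$")


@dataclass
class Role:
    cn: str
    user: str
    host: str
    runas: str
    commands: list = field(default_factory=list)
    options: list = field(default_factory=list)

    def to_ldif(self, base_dn):
        lines = [f"dn: cn={self.cn},{base_dn}", f"cn: {self.cn}",
                 "objectClass: sudoRole", f"sudoUser: {self.user}",
                 f"sudoHost: {self.host}", f"sudoRunAsUser: {self.runas}"]
        lines += [f"sudoOption: {o}" for o in self.options]
        lines += [f"sudoCommand: {c}" for c in self.commands]
        return "\n".join(lines) + "\n"


def parse_sudoers(text):
    """Return (aliases, specs); each spec is (user, host, runas, cmnd_list)."""
    aliases, specs = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("Cmnd_Alias"):
            name, _, cmds = line[len("Cmnd_Alias"):].partition("=")
            aliases[name.strip()] = [c.strip() for c in cmds.split(",") if c.strip()]
            continue
        m = SPEC_RE.match(line)
        if m:
            specs.append(m.groups())
    return aliases, specs


def split_roles(user, host, runas, cmnd_list, aliases):
    """Expand aliases and walk the command list with sudoers' sticky tags.

    Commands that end up EXEC-tagged go to the 'exec:' role (assumed cn
    prefix, as in the answer); the others stay in the base role.
    """
    base = Role(f"{user}@{host}", user, host, runas)
    exec_role = Role(f"exec:{user}@{host}", user, host, runas, options=["!noexec"])
    tag = None
    for item in (i.strip() for i in cmnd_list.split(",")):
        m = TAG_RE.match(item)
        if m:
            if m.group(1) not in TAGS:
                raise ValueError(f"unsupported tag {m.group(1)!r}")
            tag, item = m.group(1), m.group(2).strip()
        cmds = aliases.get(item, [item])  # alias name or literal command
        (exec_role if tag == "EXEC" else base).commands.extend(cmds)
    return [r for r in (base, exec_role) if r.commands]


def generate_ldif(text, base_dn="ou=sudoers,dc=r1,dc=internal"):
    """Return (roles, ldif_text) for every user spec in the sudoers text."""
    aliases, specs = parse_sudoers(text)
    roles = [r for spec in specs for r in split_roles(*spec, aliases)]
    return roles, "\n".join(r.to_ldif(base_dn) for r in roles)


if __name__ == "__main__":
    print(generate_ldif(SAMPLE_SUDOERS)[1])
```

Pipe the output into `ldapadd` (or diff it against the existing entries before replacing them), then confirm on the host with `sudo -l -U jsmith` as root: the exec role should show `dnsmanager` without any `EXEC\:` text in the command name, and the base role should list only the two log viewers.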