-Copyright (c) 2003-2010
+Copyright (c) 2003-2011
Todd C. Miller <Todd.Miller@courtesan.com>
Permission to use, copy, modify, and distribute this software for any
For the most part, there is really no need for B<sudo>-specific
Aliases. Unix groups or user netgroups can be used in place of
-User_Aliases and RunasAliases. Host netgroups can be used in place
-of HostAliases. Since Unix groups and netgroups can also be stored
+User_Aliases and Runas_Aliases. Host netgroups can be used in place
+of Host_Aliases. Since Unix groups and netgroups can also be stored
in LDAP there is no real need for B<sudo>-specific aliases.
Cmnd_Aliases are not really required either since it is possible
-to have multiple users listed in a sudoRole. Instead of defining
+to have multiple users listed in a C<sudoRole>. Instead of defining
a Cmnd_Alias that is referenced by multiple users, one can create
-a sudoRole that contains the commands and assign multiple users
+a C<sudoRole> that contains the commands and assign multiple users
to it.
=head2 SUDOers LDAP container
sudoOption: env_keep+=SSH_AUTH_SOCK
The equivalent of a sudoer in LDAP is a C<sudoRole>. It consists of
-the following components:
+the following attributes:
=over 4
run as.
The special value C<ALL> will match any user.
+The C<sudoRunAsUser> attribute is only available in B<sudo> versions
+1.7.0 and higher. Older versions of B<sudo> use the C<sudoRunAs>
+attribute instead.
+
=item B<sudoRunAsGroup>
A Unix group or gid (prefixed with C<'#'>) that commands may be run as.
The special value C<ALL> will match any group.
+The C<sudoRunAsGroup> attribute is only available in B<sudo> versions
+1.7.0 and higher.
+
+=item B<sudoNotBefore>
+
+A timestamp in the form C<yyyymmddHHMMZ> that can be used to provide
+a start date/time for when the C<sudoRole> will be valid. If
+multiple C<sudoNotBefore> entries are present, the earliest is used.
+Note that timestamps must be in Coordinated Universal Time (UTC),
+not the local timezone.
+
+The C<sudoNotBefore> attribute is only available in B<sudo> versions
+1.7.5 and higher and must be explicitly enabled via the B<SUDOERS_TIMED>
+option in F<@ldap_conf@>.
+
+=item B<sudoNotAfter>
+
+A timestamp in the form C<yyyymmddHHMMZ> that indicates an expiration
+date/time, after which the C<sudoRole> will no longer be valid. If
+multiple C<sudoNotBefore> entries are present, the last one is used.
+Note that timestamps must be in Coordinated Universal Time (UTC),
+not the local timezone.
+
+The C<sudoNotAfter> attribute is only available in B<sudo> versions
+1.7.5 and higher and must be explicitly enabled via the B<SUDOERS_TIMED>
+option in F<@ldap_conf@>.
+
+=item B<sudoOrder>
+
+The C<sudoRole> entries retrieved from the LDAP directory have no
+inherent order. The C<sudoOrder> attribute is an integer (or
+floating point value for LDAP servers that support it) that is used
+to sort the matching entries. This allows LDAP-based sudoers entries
+to more closely mimic the behaviour of the sudoers file, where the
+of the entries influences the result. If multiple entries match,
+the entry with the highest C<sudoOrder> attribute is chosen. This
+corresponds to the "last match" behavior of the sudoers file. If
+the C<sudoOrder> attribute is not present, a value of 0 is assumed.
+
+The C<sudoOrder> attribute is only available in B<sudo> versions
+1.7.5 and higher.
+
=back
-Each component listed above should contain a single value, but there
-may be multiple instances of each component type. A sudoRole must
+Each attribute listed above should contain a single value, but there
+may be multiple instances of each attribute type. A C<sudoRole> must
contain at least one C<sudoUser>, C<sudoHost> and C<sudoCommand>.
The following example allows users in group wheel to run any command
and groups, a third query returns all entries containing user
netgroups and checks to see if the user belongs to any of them.
+If timed entries are enabled with the B<SUDOERS_TIMED> configuration
+directive, the LDAP queries include a subfilter that limits retrieval
+to entries that satisfy the time constraints, if any.
+
=head2 Differences between LDAP and non-LDAP sudoers
There are some subtle differences in the way sudoers is handled
once in LDAP. Probably the biggest is that according to the RFC,
LDAP ordering is arbitrary and you cannot expect that Attributes
-and Entries are returned in any specific order. If there are
-conflicting command rules on an entry, the negative takes precedence.
+and Entries are returned in any specific order.
+
+The order in which different entries are applied can be controlled
+using the C<sudoOrder> attribute, but there is no way to guarantee
+the order of attributes within a specific entry. If there are
+conflicting command rules in an entry, the negative takes precedence.
This is called paranoid behavior (not necessarily the most specific
match).
sudoCommand: ALL
Another difference is that negations on the Host, User or Runas are
-currently ignorred. For example, the following attributes do not
+currently ignored. For example, the following attributes do not
behave the way one might expect.
# does not match all but joe
values specified in F</etc/openldap/ldap.conf> or the user's
F<.ldaprc> files are not used.
-Only those options explicitly listed in F<@ldap_conf@> that are
+Only those options explicitly listed in F<@ldap_conf@> as being
supported by B<sudo> are honored. Configuration options are listed
below in upper case but are parsed in a case-independent manner.
B<HOST>s are specified, this is the amount of time to wait before trying
the next one in the list.
+=item B<NETWORK_TIMEOUT> seconds
+
+An alias for B<BIND_TIMELIMIT> for OpenLDAP compatibility.
+
=item B<TIMELIMIT> seconds
The B<TIMELIMIT> parameter specifies the amount of time, in seconds,
to wait for a response to an LDAP query.
+=item B<TIMEOUT> seconds
+
+The B<TIMEOUT> parameter specifies the amount of time, in seconds,
+to wait for a response from the various LDAP APIs.
+
=item B<SUDOERS_BASE> base
The base DN to use when performing B<sudo> LDAP queries. Typically
C<example.com>. Multiple B<SUDOERS_BASE> lines may be specified,
in which case they are queried in the order specified.
+=item B<SUDOERS_SEARCH_FILTER> ldap_filter
+
+An LDAP filter which is used to restrict the set of records returned
+when performing a B<sudo> LDAP query. Typically, this is of the
+form C<attribute=value> or C<(&(attribute=value)(attribute2=value2))>.
+
+=item B<SUDOERS_TIMED> on/true/yes/off/false/no
+
+Whether or not to evaluate the C<sudoNotBefore> and C<sudoNotAfter>
+attributes that implement time-dependent sudoers entries.
+
=item B<SUDOERS_DEBUG> debug_level
This sets the debug level for B<sudo> LDAP queries. Debugging
=item B<TLS_CACERT> file name
-An alias for B<TLS_CACERTFILE>.
+An alias for B<TLS_CACERTFILE> for OpenLDAP compatibility.
=item B<TLS_CACERTFILE> file name
# verbose sudoers matching from ldap
#sudoers_debug 2
#
+ # Enable support for time-based entries in sudoers.
+ #sudoers_timed yes
+ #
# optional proxy credentials
#binddn <who to search as>
#bindpw <password>
=head2 Sudo schema for OpenLDAP
-The following schema is in OpenLDAP format. Simply copy it to the
-schema directory (e.g. F</etc/openldap/schema>), add the proper
-C<include> line in C<slapd.conf> and restart B<slapd>.
+The following schema, in OpenLDAP format, is included with B<sudo>
+source and binary distributions as F<schema.OpenLDAP>. Simply copy
+it to the schema directory (e.g. F</etc/openldap/schema>), add the
+proper C<include> line in C<slapd.conf> and restart B<slapd>.
attributetype ( 1.3.6.1.4.1.15953.9.1.1
NAME 'sudoUser'
EQUALITY caseExactIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+ attributetype ( 1.3.6.1.4.1.15953.9.1.8
+ NAME 'sudoNotBefore'
+ DESC 'Start of time interval for which the entry is valid'
+ EQUALITY generalizedTimeMatch
+ ORDERING generalizedTimeOrderingMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 )
+
+ attributetype ( 1.3.6.1.4.1.15953.9.1.9
+ NAME 'sudoNotAfter'
+ DESC 'End of time interval for which the entry is valid'
+ EQUALITY generalizedTimeMatch
+ ORDERING generalizedTimeOrderingMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 )
+
+ attributeTypes ( 1.3.6.1.4.1.15953.9.1.10
+ NAME 'sudoOrder'
+ DESC 'an integer to order the sudoRole entries'
+ EQUALITY integerMatch
+ ORDERING integerOrderingMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 )
+
objectclass ( 1.3.6.1.4.1.15953.9.2.1 NAME 'sudoRole' SUP top STRUCTURAL
DESC 'Sudoer Entries'
MUST ( cn )
MAY ( sudoUser $ sudoHost $ sudoCommand $ sudoRunAs $ sudoRunAsUser $
- sudoRunAsGroup $ sudoOption $ description )
+ sudoRunAsGroup $ sudoOption $ sudoNotBefore $ sudoNotAfter $
+ sudoOrder $ description )
)
=head1 SEE ALSO
=head1 CAVEATS
-The way that I<sudoers> is parsed differs between Note that there
-are differences in the way that LDAP-based I<sudoers> is parsed
-compared to file-based I<sudoers>. See the L<Differences between
-LDAP and non-LDAP sudoers> section for more information.
+Note that there are differences in the way that LDAP-based I<sudoers>
+is parsed compared to file-based I<sudoers>. See the L<Differences
+between LDAP and non-LDAP sudoers> section for more information.
=head1 BUGS
projects / debian / sudo / blobdiff