On 07/28/2011 06:58 PM, arun scaria wrote:
On Thu, Jul 28, 2011 at 2:10 PM, Gowrishankar Rajaiyan <gsr(a)redhat.com> wrote:
On 07/28/2011 07:22 AM, arun scaria wrote:
> Hi all,
> I've created my write-up on SUDO responder/cache behavior at
> https://fedorahosted.org/sssd/wiki/DesignDocs/SudoSupport/SudoResponderCa....
> I'd love to hear your opinion on it. Please take a review and comment.
>
One question:
How do we plan to include "sudoOption=!authenticate" (where
!authenticate=NOPASSWD) in a sudorule while offline?
The option !authenticate is not specified anywhere in the standard sudo
schema at
http://www.gratisoft.us/sudo/man/1.8.1/sudoers.ldap.man.html.
If you use "sudoers2ldif" tool provided by the sudo package to convert
an existing /etc/sudoers file to an ldif format, the "!authenticate"
value is used.
/usr/share/doc/sudo-1.7.4p5/sudoers2ldif:
<snip>
# if NOPASSWD: directive found, mark entire entry as not requiring
s/NOPASSWD:\s*// && push @options,"!authenticate";
s/PASSWD:\s*// && push @options,"authenticate";
</snip>
But this option is found in all the blogs and tutorials as the
alternative to the NOPASSWD option in the sudoers file. In the current
implementation of the sudo plugin we are doing the PAM authentication with
the sudo PAM config file. This is done before we query SSSD for
authentication for sudo, so the user will be asked for a password
even if the !authenticate sudoOption is enabled.
IMO, expecting a password for a runasuser from a sudorule where
sudoOption is set to !authenticate is not expected behaviour.
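The following is an added illustration, not code from the thread, from sudoers2ldif or from SSSD. It re-implements in Python the two substitutions quoted from sudoers2ldif above (NOPASSWD: becomes "!authenticate", PASSWD: becomes "authenticate") and then shows the check a cache consumer needs when it has only the sudoOption values of a cached rule to go on: prompt for a password unless the rule carries "!authenticate". The sudoers lines are constructed samples, the rule regex covers only the simple "user host=(runas) [tag:] command" form, and treating the last of several authenticate/!authenticate values as the effective one is this example's assumption, not something the thread states.

```python
import re

# Constructed sample /etc/sudoers lines for the demonstration (not from the thread).
SAMPLE_SUDOERS = [
    "alice ALL=(ALL) NOPASSWD: /usr/bin/systemctl restart httpd",
    "bob ALL=(root) PASSWD: /usr/sbin/tcpdump -i eth0",
    "carol ALL=(ALL) ALL",
]

# Simplified sudoers rule: user host=(runas) [tags:] command
RULE_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>\S+)=\((?P<runas>[^)]*)\)\s*(?P<rest>.*)$"
)


def cmnd_spec_to_options(spec):
    """Apply the same two substitutions sudoers2ldif performs.

    Order matters: the NOPASSWD: substitution runs first, so the PASSWD:
    pattern cannot match the tail of a NOPASSWD: tag that is still present.
    Returns (options, remaining_command_text).
    """
    options = []
    spec, n = re.subn(r"NOPASSWD:\s*", "", spec, count=1)
    if n:
        options.append("!authenticate")
    spec, n = re.subn(r"PASSWD:\s*", "", spec, count=1)
    if n:
        options.append("authenticate")
    return options, spec.strip()


def sudoers_to_ldap_entry(line):
    """Turn one sudoers line into the attribute set a sudoRole entry would carry."""
    m = RULE_RE.match(line.strip())
    if not m:
        raise ValueError("unrecognised sudoers line: %r" % line)
    options, command = cmnd_spec_to_options(m.group("rest"))
    return {
        "sudoUser": [m.group("user")],
        "sudoHost": [m.group("host")],
        "sudoRunAsUser": [m.group("runas")],
        "sudoCommand": [command],
        "sudoOption": options,
    }


def password_required(entry):
    """Decide from cached sudoOption values whether sudo should prompt.

    sudo's default is to authenticate, so the prompt is suppressed only when
    the rule explicitly carries the negated option "!authenticate".
    Assumption of this example: if both values are present, the last one wins.
    """
    required = True
    for opt in entry.get("sudoOption", []):
        if opt == "!authenticate":
            required = False
        elif opt == "authenticate":
            required = True
    return required


def summarise(lines):
    """(user, password_required) for each sample rule."""
    result = []
    for line in lines:
        entry = sudoers_to_ldap_entry(line)
        result.append((entry["sudoUser"][0], password_required(entry)))
    return result


if __name__ == "__main__":
    for user, needs_password in summarise(SAMPLE_SUDOERS):
        print("%-6s password required: %s" % (user, needs_password))
```

One caveat visible in the quoted sudoers2ldif comment ("mark entire entry as not requiring") carries over here: the tag is attached to the whole sudoRole entry rather than to the individual command it preceded, so a sudoers line mixing NOPASSWD: and PASSWD: commands loses that per-command distinction once converted.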