Mandrake Linux Archives: cooker@mandrivalinux.org
- From: Andreas Hasenack
- Subject: [Cooker] To those using sudo with ldap
- Date: 5 May 2006 17:47:31 -0000
I'm trying to come up with some ACLs for the ou=sudoers branch. I don't like very much to have ou=sudoers readable by anonymous users; it's like having /etc/sudoers mode 0644.

Sudo supports using authenticated searches via its configuration file. I tested this and it works just fine: sudo -l works and this user can't read other users' sudo commands. And if we make the sudo ldap configuration file mode 0600 root:root, then the clear text password won't be sitting there for all to see without some hacking (easy hacking, but we can only do so much). Sudo can still read it, because it's suid root.

The problem is that sudo's default ldap configuration file is our well known /etc/ldap.conf, already shared between nss_ldap and pam_ldap. Furthermore, we can't make this file mode 0600. Also, the sudo option to use authenticated searches is the same as nss_ldap's, so it automatically forces nss_ldap to also do authenticated searches and with the same credentials.

Sudo has an option to change the configuration file it's going to use. It's enabled at compile time. For my tests, I used /etc/sudo-ldap.conf, mode 0600, root:root. This works.

Some cons I can think of are:

- changes a default configuration filename: what about an upgrade plan? (but how many users are actually using sudo+ldap?)
- not that much added security, because if the user has physical access to the machine he/she can get root, read that file and get the clear text password. But what would this user gain? The ability to read other users' sudo permissions, nothing else. And anonymous searches would still be blocked.

So, what do you think? Is it worth the trouble?
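An added illustration of the setup described in the message above (not part of the original post or of the Mandriva packages): a slapd.conf ACL that restricts the ou=sudoers subtree to a dedicated bind DN, and the separate sudo-ldap.conf that sudo reads when built with `--with-ldap-conf-file=/etc/sudo-ldap.conf`. The suffix dc=example,dc=com, the service DN cn=sudo,ou=Services,... and the password are assumed placeholders.

```conf
# --- /etc/openldap/slapd.conf (ACL fragment) ---
# Assumed suffix and bind DN; adjust to the real directory.
# ACLs are first-match: this rule must come BEFORE any general
# "access to * by * read", otherwise anonymous read still wins.
access to dn.subtree="ou=sudoers,dc=example,dc=com"
        by dn.exact="cn=sudo,ou=Services,dc=example,dc=com" read
        by * none

# --- /etc/sudo-ldap.conf (mode 0600, owner root:root) ---
# Kept apart from /etc/ldap.conf so nss_ldap/pam_ldap neither need
# nor see the bind credentials; sudo can read it because it is suid root.
uri           ldap://ldap.example.com
ssl           start_tls
sudoers_base  ou=sudoers,dc=example,dc=com
binddn        cn=sudo,ou=Services,dc=example,dc=com
bindpw        PLACEHOLDER-bind-password
```

With this in place an anonymous `ldapsearch -x -b ou=sudoers,dc=example,dc=com` returns nothing, while `sudo -l` for a user still works and only shows that user's own entries.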