AIXTOOLS, IBM AIX and POWER Portal

AIX => AIXTOOLS => Topic started by: roxyland on October 28, 2020, 07:52:03 AM

Title: sudo with ldap support
Post by: roxyland on October 28, 2020, 07:52:03 AM
Hi,

The download link on http://www.aixtools.net/index.php/sudo
http://download.aixtools.net/tools/aixtools.sudo-ldap.1.8.31.0.I
seems to be broken.

Was hoping to get a sudo package that support LDAP.
Thanks
Title: Re: sudo with ldap support
Post by: roxyland on October 28, 2020, 08:12:18 AM
Sorry, I was able to download from that link. Must have been trying an older version earlier.

Anyway, I've installed it, but the ownership on the installed files cause errors:

sudo: /opt/bin/sudo must be owned by uid 0 and have the setuid bit set
sudo: /opt/libexec/sudo/sudoers.so must be owned by uid 0
sudo: fatal error, unable to load plugins

They are owned by bin:bin. It also changes the ownership of /etc, /var and their sub-directories to bin:bin.
Title: Re: sudo with ldap support
Post by: Michael on October 28, 2020, 02:36:43 PM
I'll look into it. Not done much with sudo lately.
My normal packaging process sets all packages to bin.bin - I'll modify the install.config script to do some chown root.bin for /opt/bin/sudo.
What I had been working on, but never got any feedback on from the sudo project, was to use RBAC to elevate privilege. The effect is the same, but you have the added 'onion' skin that you need to have the authentication 'sudo' to execute sudo at all.
Don't think I'll get to it today - but quick!
Michael
Title: Re: sudo with ldap support
Post by: Michael on November 01, 2020, 01:35:49 PM
Thanks for the heads-up. I have repackaged sudo-1.8.31 - with LDAP support - and the correct config scripts to make sure the files that need to be owned by root - are owned by root.bin.
Note: I do not use root.system on purpose. I want more privilege to be required than merely being a member of group system.
All feedback is welcome!