mirror of https://github.com/sudo-project/sudo.git synced 2025-08-31 14:25:15 +00:00

TLS_CACERT is now an alias for TLS_CACERTFILE. OpenLDAP uses TLS_CACERT,
not TLS_CACERTFILE in its ldap.conf. Other LDAP client code, such as
nss_ldap, uses TLS_CACERTFILE. Also document why you should avoid
disabling TLS_CHECKPEER if possible.
This commit is contained in:
Todd C. Miller
2010-07-08 09:02:03 -04:00
parent 5b1420b6d4
commit 432d27573d
4 changed files with 113 additions and 94 deletions

View File

@@ -9,7 +9,7 @@ NNAAMMEE
DDEESSCCRRIIPPTTIIOONN
In addition to the standard _s_u_d_o_e_r_s file, ssuuddoo may be configured via
LAP. This can be especially useful for synchronizing _s_u_d_o_e_r_s in a
LDAP. This can be especially useful for synchronizing _s_u_d_o_e_r_s in a
large, distributed environment.
Using LDAP for _s_u_d_o_e_r_s has several benefits:
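Review bot: the LAP to LDAP correction on the "via LDAP" line appears only in this generated catman output (and in the roff output further down), while none of the POD hunks in this commit touch that sentence; confirm the POD source already reads LDAP, otherwise the next regeneration of the man and cat pages will reintroduce the typo.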
@@ -61,7 +61,7 @@ DDEESSCCRRIIPPTTIIOONN
1.8.0b1 June 15, 2010 1
1.8.0b1 July 8, 2010 1
@@ -127,7 +127,7 @@ SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4)
1.8.0b1 June 15, 2010 2
1.8.0b1 July 8, 2010 2
@@ -193,7 +193,7 @@ SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4)
1.8.0b1 June 15, 2010 3
1.8.0b1 July 8, 2010 3
@@ -259,7 +259,7 @@ SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4)
1.8.0b1 June 15, 2010 4
1.8.0b1 July 8, 2010 4
@@ -325,7 +325,7 @@ SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4)
1.8.0b1 June 15, 2010 5
1.8.0b1 July 8, 2010 5
@@ -366,19 +366,40 @@ SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4)
certificated to be verified. If the server's TLS certificate
cannot be verified (usually because it is signed by an unknown
certificate authority), ssuuddoo will be unable to connect to it. If
TTLLSS__CCHHEECCKKPPEEEERR is disabled, no check is made.
TTLLSS__CCHHEECCKKPPEEEERR is disabled, no check is made. Note that disabling
the check creates an opportunity for man-in-the-middle attacks
since the server's identity will not be authenticated. If
possible, the CA's certificate should be installed locally so it
can be verified.
TTLLSS__CCAACCEERRTT file name
An alias for TTLLSS__CCAACCEERRTTFFIILLEE.
TTLLSS__CCAACCEERRTTFFIILLEE file name
The path to a certificate authority bundle which contains the
certificates for all the Certificate Authorities the client knows
to be valid, e.g. _/_e_t_c_/_s_s_l_/_c_a_-_b_u_n_d_l_e_._p_e_m. This option is only
supported by the OpenLDAP libraries.
supported by the OpenLDAP libraries. Netscape-derived LDAP
libraries use the same certificate database for CA and client
certificates (see TTLLSS__CCEERRTT).
TTLLSS__CCAACCEERRTTDDIIRR directory
Similar to TTLLSS__CCAACCEERRTTFFIILLEE but instead of a file, it is a directory
containing individual Certificate Authority certificates, e.g.
_/_e_t_c_/_s_s_l_/_c_e_r_t_s. The directory specified by TTLLSS__CCAACCEERRTTDDIIRR is
checked after TTLLSS__CCAACCEERRTTFFIILLEE. This option is only supported by the
1.8.0b1 July 8, 2010 6
SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4)
OpenLDAP libraries.
TTLLSS__CCEERRTT file name
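Review bot: the new TLS_CACERT entry says only "An alias for TLS_CACERTFILE"; the commit message explains that the alias exists because OpenLDAP's own ldap.conf spells the option TLS_CACERT while nss_ldap spells it TLS_CACERTFILE, and that reason belongs in the entry so administrators sharing one ldap.conf between tools know both spellings are accepted. The unchanged context line "certificated to be verified" is a pre-existing typo for "certificate" and could be fixed in the same pass. The "1.8.0b1 July 8, 2010 6" and "SUDOERS.LDAP(4) MAINTENANCE COMMANDS" lines that landed in the middle of this hunk are catman pagination shifting because of the added text, not content changes, and the same shift accounts for the remaining hunks in this file.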
@@ -389,17 +410,6 @@ SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4)
OpenLDAP:
tls_cert /etc/ssl/client_cert.pem
1.8.0b1 June 15, 2010 6
SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4)
Netscape-derived:
tls_cert /var/ldap/cert7.db
@@ -444,6 +454,18 @@ SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4)
RROOOOTTSSAASSLL__AAUUTTHH__IIDD identity
The SASL user name to use when RROOOOTTUUSSEE__SSAASSLL is enabled.
1.8.0b1 July 8, 2010 7
SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4)
SSAASSLL__SSEECCPPRROOPPSS none/properties
SASL security properties or _n_o_n_e for no properties. See the SASL
programmer's manual for details.
@@ -454,18 +476,6 @@ SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4)
See the ldap.conf entry in the EXAMPLES section.
1.8.0b1 June 15, 2010 7
SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4)
CCoonnffiigguurriinngg nnsssswwiittcchh..ccoonnff
Unless it is disabled at build time, ssuuddoo consults the Name Service
Switch file, _/_e_t_c_/_n_s_s_w_i_t_c_h_._c_o_n_f, to specify the _s_u_d_o_e_r_s search order.
@@ -510,6 +520,18 @@ SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4)
sudoers = ldap, files
1.8.0b1 July 8, 2010 8
SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4)
The local _s_u_d_o_e_r_s file can be ignored completely by using:
sudoers = ldap
@@ -520,18 +542,6 @@ SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4)
sudoers = ldap = auth, files
Note that in the above example, the auth qualfier only affects user
1.8.0b1 June 15, 2010 8
SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4)
lookups; both LDAP and _s_u_d_o_e_r_s will be queried for Defaults entries.
If the _/_e_t_c_/_n_e_t_s_v_c_._c_o_n_f file is not present or there is no sudoers
@@ -576,6 +586,18 @@ EEXXAAMMPPLLEESS
#sudoers_debug 2
#
# optional proxy credentials
1.8.0b1 July 8, 2010 9
SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4)
#binddn <who to search as>
#bindpw <password>
#rootbinddn <who to search as, uses /etc/ldap.secret for bindpw>
@@ -586,18 +608,6 @@ EEXXAAMMPPLLEESS
# Define if you want to use an encrypted LDAP connection.
# Typically, you must also set the port to 636 (ldaps).
#ssl on
1.8.0b1 June 15, 2010 9
SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4)
#
# Define if you want to use port 389 and switch to
# encryption before the bind credentials are sent.
@@ -642,6 +652,18 @@ SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4)
#tls_key /etc/certs/client_key.pem
#
# For SunONE or iPlanet LDAP, tls_cert and tls_key may specify either
1.8.0b1 July 8, 2010 10
SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4)
# a directory, in which case the files in the directory must have the
# default names (e.g. cert8.db and key4.db), or the path to the cert
# and key files themselves. However, a bug in version 5.0 of the LDAP
@@ -652,18 +674,6 @@ SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4)
# The certificate database specified by tls_cert may contain CA certs
# and/or the client's cert. If the client's cert is included, tls_key
# should be specified as well.
1.8.0b1 June 15, 2010 10
SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4)
# For backward compatibility, "sslpath" may be used in place of tls_cert.
#tls_cert /var/ldap
#tls_key /var/ldap
@@ -708,6 +718,18 @@ SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4)
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
attributetype ( 1.3.6.1.4.1.15953.9.1.5
1.8.0b1 July 8, 2010 11
SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4)
NAME 'sudoOption'
DESC 'Options(s) followed by sudo'
EQUALITY caseExactIA5Match
@@ -719,18 +741,6 @@ SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4)
EQUALITY caseExactIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
1.8.0b1 June 15, 2010 11
SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4)
attributetype ( 1.3.6.1.4.1.15953.9.1.7
NAME 'sudoRunAsGroup'
DESC 'Group(s) impersonated by sudo'
@@ -777,16 +787,6 @@ DDIISSCCLLAAIIMMEERR
1.8.0b1 June 15, 2010 12
1.8.0b1 July 8, 2010 12

View File

@@ -140,7 +140,7 @@
.\" ========================================================================
.\"
.IX Title "SUDOERS.LDAP @mansectform@"
.TH SUDOERS.LDAP @mansectform@ "June 15, 2010" "1.8.0b1" "MAINTENANCE COMMANDS"
.TH SUDOERS.LDAP @mansectform@ "July 8, 2010" "1.8.0b1" "MAINTENANCE COMMANDS"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
@@ -150,7 +150,7 @@ sudoers.ldap \- sudo LDAP configuration
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
In addition to the standard \fIsudoers\fR file, \fBsudo\fR may be configured
via \s-1LAP\s0. This can be especially useful for synchronizing \fIsudoers\fR
via \s-1LDAP\s0. This can be especially useful for synchronizing \fIsudoers\fR
in a large, distributed environment.
.PP
Using \s-1LDAP\s0 for \fIsudoers\fR has several benefits:
@@ -453,13 +453,21 @@ If enabled, \fB\s-1TLS_CHECKPEER\s0\fR will cause the \s-1LDAP\s0 server's \s-1T
certificated to be verified. If the server's \s-1TLS\s0 certificate cannot
be verified (usually because it is signed by an unknown certificate
authority), \fBsudo\fR will be unable to connect to it. If \fB\s-1TLS_CHECKPEER\s0\fR
is disabled, no check is made.
is disabled, no check is made. Note that disabling the check creates
an opportunity for man-in-the-middle attacks since the server's
identity will not be authenticated. If possible, the \s-1CA\s0's certificate
should be installed locally so it can be verified.
.IP "\fB\s-1TLS_CACERT\s0\fR file name" 4
.IX Item "TLS_CACERT file name"
An alias for \fB\s-1TLS_CACERTFILE\s0\fR.
.IP "\fB\s-1TLS_CACERTFILE\s0\fR file name" 4
.IX Item "TLS_CACERTFILE file name"
The path to a certificate authority bundle which contains the certificates
for all the Certificate Authorities the client knows to be valid,
e.g. \fI/etc/ssl/ca\-bundle.pem\fR.
This option is only supported by the OpenLDAP libraries.
Netscape-derived \s-1LDAP\s0 libraries use the same certificate
database for \s-1CA\s0 and client certificates (see \fB\s-1TLS_CERT\s0\fR).
.IP "\fB\s-1TLS_CACERTDIR\s0\fR directory" 4
.IX Item "TLS_CACERTDIR directory"
Similar to \fB\s-1TLS_CACERTFILE\s0\fR but instead of a file, it is a

View File

@@ -361,7 +361,14 @@ If enabled, B<TLS_CHECKPEER> will cause the LDAP server's TLS
certificated to be verified. If the server's TLS certificate cannot
be verified (usually because it is signed by an unknown certificate
authority), B<sudo> will be unable to connect to it. If B<TLS_CHECKPEER>
is disabled, no check is made.
is disabled, no check is made. Note that disabling the check creates
an opportunity for man-in-the-middle attacks since the server's
identity will not be authenticated. If possible, the CA's certificate
should be installed locally so it can be verified.
=item B<TLS_CACERT> file name
An alias for B<TLS_CACERTFILE>.
=item B<TLS_CACERTFILE> file name
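Review bot: the added warning ends with "the CA's certificate should be installed locally so it can be verified" but does not say where; the very next item is the option that does that, so a pointer such as "(see B<TLS_CACERTFILE>)" at the end of the sentence would close the loop for a reader who has just been told not to disable TLS_CHECKPEER. Also, "certificated to be verified" in the first context line is a typo for "certificate", and since this is the POD source, fixing it here propagates to the generated man and cat pages.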
@@ -369,6 +376,8 @@ The path to a certificate authority bundle which contains the certificates
for all the Certificate Authorities the client knows to be valid,
e.g. F</etc/ssl/ca-bundle.pem>.
This option is only supported by the OpenLDAP libraries.
Netscape-derived LDAP libraries use the same certificate
database for CA and client certificates (see B<TLS_CERT>).
=item B<TLS_CACERTDIR> directory
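Review bot: "This option is only supported by the OpenLDAP libraries." is now immediately followed by a sentence about Netscape-derived libraries, which reads as though those libraries also honour TLS_CACERTFILE in some form; make the contrast explicit, e.g. "Netscape-derived LDAP libraries have no separate CA file setting and instead use the same certificate database for CA and client certificates (see B<TLS_CERT>)."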

View File

@@ -183,6 +183,8 @@ static struct ldap_config_table ldap_conf_table[] = {
#ifdef LDAP_OPT_X_TLS_CACERTFILE
{ "tls_cacertfile", CONF_STR, FALSE, LDAP_OPT_X_TLS_CACERTFILE,
&ldap_conf.tls_cacertfile },
{ "tls_cacert", CONF_STR, FALSE, LDAP_OPT_X_TLS_CACERTFILE,
&ldap_conf.tls_cacertfile },
#endif
#ifdef LDAP_OPT_X_TLS_CACERTDIR
{ "tls_cacertdir", CONF_STR, FALSE, LDAP_OPT_X_TLS_CACERTDIR,
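Review bot: both "tls_cacertfile" and "tls_cacert" store into the same &ldap_conf.tls_cacertfile with no precedence rule, so an ldap.conf that sets both (for example one shared with the OpenLDAP command-line tools) silently keeps whichever keyword appears last; either document that the last setting wins or emit a warning when both are present, since a stale or wrong CA path is exactly what the new TLS_CHECKPEER text warns about. Both entries also sit inside #ifdef LDAP_OPT_X_TLS_CACERTFILE, so on non-OpenLDAP builds "tls_cacert" falls through as an unknown keyword, which is consistent with the man page stating the option is OpenLDAP-only.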