我正在尝试将此sudoers文件转换为 LDAP:
Defaults env_reset, env_keep="LESSSECURE SSH_CLIENT", !authenticate, noexec, requiretty, secure_path=/usr/local/bin:/usr/bin:/usr/sbin
Cmnd_Alias DNS = /usr/local/bin/dnsmanager
Cmnd_Alias LOGS = /usr/bin/tail /var/log/named.log, /usr/bin/less /var/log/named.log
admin ALL = (root) EXEC: DNS, LOGS
我遇到麻烦的地方是noexec默认设置,然后应用于EXEC特定命令。
我的 LDIF 如下所示:
dn: cn=defaults,ou=sudoers,dc=r1,dc=internal
cn: defaults
objectClass: sudoRole
sudoOption: env_keep+="SSH_CLIENT LESSSECURE"
sudoOption: !authenticate
sudoOption: noexec
sudoOption: secure_path=/usr/local/bin:/usr/bin:/usr/sbin
dn: cn=%operator@bmo,ou=sudoers,dc=r1,dc=internal
cn: %operator@bmo
sudoUser: %operator
sudoHost: bmo
sudoRunAsUser: root
objectClass: sudoRole
sudoCommand: /usr/bin/less /var/log/named.log
sudoCommand: /usr/bin/tail /var/log/named.log
sudoCommand: EXEC:/usr/local/bin/dnsmanager
但用户无法执行该dnsmanager命令。如果他们运行,sudo -l他们会看到它被列出,但它看起来像这样:
User jsmith may run the following commands on bmo:
(root) /usr/bin/less /var/log/named.log, /usr/bin/tail /var/log/named.log,
EXEC\:/usr/local/bin/nsmanager
我怎样才能避免冒号被破坏,以便我可以在我想要的命令上设置 EXEC 标志?
答案1
好吧,我最终为每个组/主机组合设置了 2 个单独的角色对象,其中一个有选项!noexec。这使我的管理脚本变得相当复杂,但它似乎起了作用。
dn: cn=defaults,ou=sudoers,dc=r1,dc=internal
cn: defaults
objectClass: sudoRole
sudoOption: env_keep+="SSH_CLIENT LESSSECURE"
sudoOption: !authenticate
sudoOption: noexec
sudoOption: secure_path=/usr/local/bin:/usr/bin:/usr/sbin
dn: cn=%operator@bmo,ou=sudoers,dc=r1,dc=internal
cn: %operator@bmo
sudoUser: %operator
sudoHost: bmo
sudoRunAsUser: root
objectClass: sudoRole
sudoCommand: /usr/bin/less /var/log/named.log
sudoCommand: /usr/bin/tail /var/log/named.log
dn: cn=exec:%operator@bmo,ou=sudoers,dc=r1,dc=internal
cn: exec:%operator@bmo
sudoUser: %operator
sudoHost: bmo
sudoRunAsUser: root
objectClass: sudoRole
sudoOption: !noexec
sudoCommand: /usr/local/bin/dnsmanager