sudo ignores shortname aliases in sudoers file

Bug #1591137 reported by J S Halfpenny
This bug affects 2 people
Affects: sudo (Ubuntu)
Status: Confirmed
Importance: Undecided
Assigned to: Unassigned

Bug Description

Our sudoers file contains host aliases which all work fine on versions of Ubuntu < 16.04.

On 16.04, it has become necessary to include the FQDN of the machine in order for sudo permissions to be granted. I have reproduced this problem on two cleanly-installed servers.

i.e.

This entry in /etc/sudoers does not work for members of sudo group:-

%sudo ourserver

This entry in /etc/sudoers does work for members of sudo group:-

%sudo ourserver.our.domain

Extra information which may be of interest:

'hostname' returns the shortname on both Ub1604 and Ub1404 installations

/etc/hosts lists machines by fqdn and then shortname on both platforms, i.e.

ip.ad.dr.es ourserver.our.domain ourserver

/etc/resolv.conf is set to search our.domain, same on both platforms

sudo package version is 1.8.16-0ubuntu1.1

Bw
John

Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in sudo (Ubuntu):
status: New → Confirmed
Will Aoki (waoki) wrote :

I ran across this problem and reported it upstream as https://bugzilla.sudo.ws/show_bug.cgi?id=757

It appeared between 1.8.10 and 1.8.15.

Will Aoki (waoki) wrote :

Upstream fixed it less than an hour after it was reported (and that on a Friday afternoon!):

https://www.sudo.ws/repos/sudo/rev/605c03afc80f

Any chance of an update to 16.04?

Martin Fox (badwolf9) wrote :

We are experiencing the same symptoms with sudo (v1.8.16) as have been previously reported in this bug.

On an Ubuntu 16.04 system short hostnames don't work in the sudoers file when the 'fqdn' option is true (as it is by default). The documentation indicates that the short form should still work with the fqdn option set.

Steps to reproduce:

On a system called 'ubuntu1604.example.com', put the following into sudoers:

%john ubuntu1604=(root) NOPASSWD: /bin/true
%john ubuntu1604.example.com=(root) NOPASSWD: /bin/false

Expected outcome:

sudo -l shows user 'john' is allowed to run:

    (root) /bin/true
    (root) /bin/false

Actual outcome:

sudo -l shows user 'john' is allowed to run:

    (root) /bin/false

sudo -l -U john -h ubuntu1604 shows user 'john' is allowed to run:

    (root) /bin/false

sudo -l -U test -h ubuntu1604.example.com shows user 'john' is allowed to run:

    (root) /bin/true
    (root) /bin/false

------
Sudo version 1.8.16
Configure options: --prefix=/usr -v --with-all-insults --with-pam --with-fqdn --with-logging=syslog --with-logfac=authpriv --with-env-editor --with-editor=/usr/bin/editor --with-exampledir=/usr/share/doc/sudo/examples --with-timeout=15 --with-password-timeout=0 --with-passprompt=[sudo] password for %p: --without-lecture --with-tty-tickets --disable-root-mailer --enable-admin-flag --with-sendmail=/usr/sbin/sendmail --with-rundir=/var/run/sudo --mandir=/usr/share/man --libexecdir=/usr/lib/sudo --with-sssd --with-sssd-lib=/usr/lib/x86_64-linux-gnu --with-selinux --with-linux-audit
Sudoers policy plugin version 1.8.16

---------

root@bs-ubuntu1604:~# uname -a
Linux bs-ubuntu1604 4.4.0-64-generic #85-Ubuntu SMP Mon Feb 20 11:50:30 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux

---------

root@bs-ubuntu1604:~# cat /etc/hosts
127.0.0.1 localhost
127.0.1.1 bs-ubuntu1604.ethz.ch bs-ubuntu1604

# The following lines are desirable for IPv6 capable hosts
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
root@bs-ubuntu1604:~# hostname
bs-ubuntu1604
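
An added example (not from the report or from the sudo project): a small Python audit that lists the sudoers rules which apply to a host only through its short name, which are the rules that stop matching under the behaviour reported above. The sample file, the `%ops` rule and the `WEB` alias are constructed; the parser handles only simple one-line entries and assumes Host_Alias members are matched like literal host names.

```python
import re

# Constructed sample; the two %john rules are the ones quoted in the report.
SAMPLE_SUDOERS = """\
Host_Alias WEB = ubuntu1604, web2.example.com
%john ubuntu1604=(root) NOPASSWD: /bin/true
%john ubuntu1604.example.com=(root) NOPASSWD: /bin/false
%ops WEB=(root) /usr/bin/systemctl
%sudo ALL=(ALL:ALL) ALL
"""

# Comments, Defaults and non-host alias definitions are ignored (assumption).
SKIP = ("#", "Defaults", "User_Alias", "Runas_Alias", "Cmnd_Alias")
SPEC_RE = re.compile(r"^(\S+)\s+([^=]+?)\s*=\s*(.+)$")


def split_list(text):
    return [item.strip() for item in text.split(",") if item.strip()]


def parse(text):
    """Return (host_aliases, rules) from simple one-line sudoers entries."""
    aliases, rules = {}, []
    for line in map(str.strip, text.splitlines()):
        if not line or line.startswith(SKIP):
            continue
        if line.startswith("Host_Alias"):
            name, members = line[len("Host_Alias"):].split("=", 1)
            aliases[name.strip()] = split_list(members)
        elif (m := SPEC_RE.match(line)):
            rules.append((m.group(1), split_list(m.group(2)), m.group(3)))
    return aliases, rules


def short_only_rules(text, short, fqdn):
    """Rules that reach this host only through its short name."""
    aliases, rules = parse(text)
    flagged = []
    for who, hosts, rest in rules:
        names = [h for item in hosts for h in aliases.get(item, [item])]
        if "ALL" in names or fqdn in names:
            continue  # still matches when only the FQDN is compared
        if short in names:
            flagged.append((who, rest))
    return flagged


if __name__ == "__main__":
    for who, rest in short_only_rules(SAMPLE_SUDOERS, "ubuntu1604",
                                      "ubuntu1604.example.com"):
        print(f"short-name only: {who} -> {rest}")
```

Rules flagged this way can be compared against `sudo -l -U <user>` output on the host to confirm whether they are actually being granted.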
