Debian: ldap user is not added to sudoers list

Bug #1980140 reported by Andy
This bug affects 1 person
Affects: StarlingX
Status: Fix Released
Importance: Medium
Assigned to: Andy
Milestone:

Bug Description

Brief Description
-----------------
ldap user "admin", as well as newly created ldap users with sudo enabled, are not in the sudoers list. They can't run commands with sudo.

Severity
--------
Major: ldap users with sudo enabled can't run commands with sudo

Steps to Reproduce
------------------
- create an ldap user with ldapusersetup, with the following option set to "yes":
  Add <username> to sudoer list? (yes/NO): yes

- log in to the system as the newly created ldap user.
- run sudo ls

Expected Behavior
------------------
"sudo ls" succeeds.

Actual Behavior
----------------
"sudo ls" failed with error:

ldapuser06@controller-0:~$ sudo ls
Password:
<username> is not in the sudoers file. This incident will be reported.

Reproducibility
---------------
100% reproducible

System Configuration
--------------------
Any

Branch/Pull Time/Commit
-----------------------
stx master latest.

Last Pass
---------
Always passes on CentOS. Unknown on Debian.

Timestamp/Logs
--------------
See "Steps to Reproduce".

Test Activity
-------------
Regression Testing

Workaround
----------
NA

Andy (andy.wrs)
Changed in starlingx:
assignee: nobody → Andy (andy.wrs)
OpenStack Infra (hudson-openstack) wrote : Fix proposed to tools (master)

Fix proposed to branch: master
Review: https://review.opendev.org/c/starlingx/tools/+/848023

Changed in starlingx:
status: New → In Progress
Ghada Khalil (gkhalil)
tags: added: stx.debian stx.security
OpenStack Infra (hudson-openstack) wrote : Fix merged to tools (master)

Reviewed: https://review.opendev.org/c/starlingx/tools/+/848023
Committed: https://opendev.org/starlingx/tools/commit/33fac16e85e4b6f9c694dfaa6a6868ac1763af0d
Submitter: "Zuul (22348)"
Branch: master

commit 33fac16e85e4b6f9c694dfaa6a6868ac1763af0d
Author: Andy Ning <email address hidden>
Date: Tue Jun 28 14:48:08 2022 -0400

    Debian: replace package sudo with sudo-ldap

    The current sudo package isn't compiled with LDAP support.
    Replace it with sudo-ldap which allows an equivalent of the
    sudoers database to be distributed via LDAP. With sudo-ldap,
    ldap users created with sudo privilege can run commands with
    sudo.

    Test Plan on Debian:
    PASS: image build.
    PASS: system bootstrap, unlock.
    PASS: create ldap users with sudo privilege, login system
          by the user, run sudo such as "sudo ls", observe the
          commands run successfully.

    Closes-Bug: 1980140
    Signed-off-by: Andy Ning <email address hidden>
    Change-Id: Ia115022c293205b9c70d3fb8696ac8f3050f0f63
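
One way to confirm the condition the commit above describes, as an added example that is not part of the bug report or the StarlingX change. It assumes `sudo -V` is run as root (which prints the build details); the function names are hypothetical, the sample text is constructed, and the nsswitch.conf check reflects stock sudo behaviour rather than anything stated in this report.

```shell
#!/bin/sh
# Added example (not StarlingX code). Function names are hypothetical.

# Succeeds if `sudo -V` output on stdin (captured as root) shows LDAP
# support: the configure flag or the "ldap.conf path:" line.
sudo_has_ldap() {
    grep -Eq -- '--with-ldap|^ldap\.conf path:'
}

# Succeeds if nsswitch.conf text on stdin lists "ldap" on its "sudoers:" line.
# Assumption: the host uses nsswitch.conf to order sudoers sources.
nss_sudoers_uses_ldap() {
    sed 's/#.*//' |
        awk '$1 == "sudoers:" { for (i = 2; i <= NF; i++) if ($i == "ldap") f = 1 } END { exit !f }'
}

# diagnose SUDO_V_TEXT NSSWITCH_TEXT -> prints one verdict word.
diagnose() {
    if ! printf '%s\n' "$1" | sudo_has_ldap; then
        echo "sudo-built-without-ldap"
    elif ! printf '%s\n' "$2" | nss_sudoers_uses_ldap; then
        echo "ldap-missing-from-nsswitch"
    else
        echo "ok"
    fi
}

# Constructed sample inputs (not captured from a real system).
PLAIN_SUDO='Sudo version X.Y.Z
Configure options: --with-pam
Sudoers policy plugin version X.Y.Z'
LDAP_SUDO='Sudo version X.Y.Z
Configure options: --with-pam --with-ldap --with-ldap-conf-file=/etc/sudo-ldap.conf
Sudoers policy plugin version X.Y.Z
ldap.conf path: /etc/sudo-ldap.conf'
NSS_FILES='passwd: files ldap
sudoers: files   # ldap disabled'
NSS_LDAP='passwd: files ldap
sudoers: files ldap'

diagnose "$PLAIN_SUDO" "$NSS_LDAP"   # the state this bug describes
diagnose "$LDAP_SUDO" "$NSS_FILES"
diagnose "$LDAP_SUDO" "$NSS_LDAP"
```

On a live host, run as root: diagnose "$(sudo -V)" "$(cat /etc/nsswitch.conf)".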

Changed in starlingx:
status: In Progress → Fix Released
Ghada Khalil (gkhalil)
Changed in starlingx:
importance: Undecided → Medium
tags: added: stx.7.0