Bug 113817 - non standard sudo ldap config file used by default
Summary: non standard sudo ldap config file used by default
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: New packages
Hardware: All Linux
Importance: High minor
Assignee: Andrea Barisani (RETIRED)
Reported: 2005-11-28 10:38 UTC by Jason Pepas
Modified: 2005-11-28 13:04 UTC

Description Jason Pepas 2005-11-28 10:38:52 UTC
Sudo under Gentoo uses /etc/ldap.conf.sudo by default. This is unexpected behavior.

Brian Vargas in bug 107634 stated:
"Actually, the configuration file is intentionally set to ldap.conf.sudo so that
the sudoers information can be read-only, in the same way that /etc/sudoers is
usually read-only.

Simply symlinking and changing the permissions leaves yourself less secure."

So, it looks like this was done for a reason. However, it would be nice if this
behavior were instead enabled via a USE flag.

Perhaps wrap "$(use_with ldap ldap_conf_file /etc/ldap.conf.sudo)" with "if use
ldap_conf_file" or similar?

Reproducible: Always
Steps to Reproduce:
Comment 1 Jason Pepas 2005-11-28 10:44:49 UTC
Or rather, simply change that line to:

$(use_with alternate_ldap_config ldap_conf_file /etc/ldap.conf.sudo)

or similar.
Comment 2 Andrea Barisani (RETIRED) gentoo-dev 2005-11-28 13:04:49 UTC
This behaviour is specified in a post_install warning and leaving a world
readable ldap.conf is an insecure practice because it's just like having
a world readable /etc/sudoers. So I don't think we should allow the option
to have an unsafe configuration.

CCing taviso for another opinion about this and closing as WONTFIX; we'll reopen
if necessary.
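The rule both commenters apply (the sudo LDAP config must be protected like /etc/sudoers, and a symlink to the world-readable /etc/ldap.conf defeats that) can be checked mechanically. The audit below is an added example, not code from this bug or from the Gentoo sudo ebuild; it assumes GNU stat from coreutils, and the function names and the constructed temp files are ours.

```shell
#!/bin/sh
# Added example (not from the bug or the Gentoo sudo ebuild): audit whether a
# sudo LDAP config file is protected the way /etc/sudoers is, i.e. no permission
# bits for "other" and not a symlink to the shared nss /etc/ldap.conf.
# Assumes GNU stat (coreutils). Function names are this example's own.

# Return 0 when the sudo LDAP config at $1 is acceptably protected, 1 otherwise.
sudo_ldap_conf_is_protected() {
    f=$1
    if [ -L "$f" ]; then
        # A symlink to /etc/ldap.conf inherits that file's world-readability.
        echo "FAIL: $f is a symlink to $(readlink "$f")"
        return 1
    fi
    if [ ! -f "$f" ]; then
        echo "FAIL: $f is missing or not a regular file"
        return 1
    fi
    mode=$(stat -c '%a' "$f") || return 1     # octal mode, e.g. 440 or 644
    case $mode in
        *0) echo "OK: $f mode $mode grants nothing to other"; return 0 ;;
        *)  echo "FAIL: $f mode $mode grants bits to other (expected 0440 like /etc/sudoers)"
            return 1 ;;
    esac
}

# Constructed self-check: builds three candidate files in a temp dir and prints
# the three verdict codes ("0 1 1" expected). The real paths would be
# /etc/sudoers and /etc/ldap.conf.sudo as named in the bug.
demo() {
    d=$(mktemp -d)
    : > "$d/ldap.conf.sudo"; chmod 0440 "$d/ldap.conf.sudo"   # as the ebuild intends
    : > "$d/ldap.conf";      chmod 0644 "$d/ldap.conf"        # shared nss config
    ln -s "$d/ldap.conf" "$d/ldap.conf.symlink"               # the rejected shortcut
    out=
    for f in ldap.conf.sudo ldap.conf ldap.conf.symlink; do
        if sudo_ldap_conf_is_protected "$d/$f" >/dev/null; then
            out="$out 0"
        else
            out="$out 1"
        fi
    done
    rm -rf "$d"
    printf '%s\n' "${out# }"
}
```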