Warning
This is a design page. It was used to design and discuss the initial implementation of the change. However, the state of this document does not necessarily correspond to the current state of the implementation since we do not keep this document up to date with further changes and bug fixes.
SUDO caching rules
Important sudo attributes
- sudoHost - the host(s) the rule applies to
  - ALL - all hostnames
  - hostname
  - IP address
  - +netgroup
  - regular expression - contains one of “\?*[]”
- sudoUser - the user(s) the rule applies to
  - username
  - #uid
  - %group
  - +netgroup
- sudoOrder - rule ordering
- sudoNotBefore and sudoNotAfter - time constraints

The complete LDAP schema can be found here.
Common
Per host update
A per host update returns all rules that:
- have sudoHost equal to ALL
- directly match sudoHost (by hostname or address)
- contain a regular expression (will be filtered by sudo)
- contain a netgroup (will be filtered by sudo)

Hostname matching is performed in the sudo source in plugin/sudoers/ldap.c, sudo_ldap_check_host().

Per user update
A per user update returns all rules that:
- have sudoUser equal to ALL
- directly match the username, #uid or %group name
- contain a +netgroup (will be filtered by sudo)

Username matching is performed via an LDAP filter in the sudo source in plugin/sudoers/ldap.c, sudo_ldap_result_get().
Smart refresh
Download only rules that were modified or newly created since the last refresh.
Implementation
We will look for modified and newly created rules at short intervals. Expiration of the rules is handled per user at the time sudo is executed. We will also do a periodical full refresh to ensure consistency even if the sudo command is not used.
SysDB attributes
Data provider
The data provider will perform the following actions:

A. Periodical download of changed or newly created rules (per host smart refresh)
   1. if the server has changed then do C
   2. else if entryUSN is available then
      2.1. refresh rules per host, where entryUSN > currentHighestUSN
      2.2. goto 3.2.
   3. else if modifyTimestamp is enabled then
      3.1. refresh rules per host, where modifyTimestamp >= sudoLastSmartRefreshTime
      3.2. sudoLastSmartRefreshTime := current time
      3.3. nextrefresh := (current time + ldap_sudo_changed_refresh_interval)
      3.4. if nextrefresh >= sudoNextFullRefreshTime AND nextrefresh < (sudoNextFullRefreshTime + ldap_sudo_changed_refresh_interval) then
           nextrefresh := (sudoNextFullRefreshTime + ldap_sudo_changed_refresh_interval)
      3.5. schedule next smart refresh
   4. else do nothing

B. Periodical full refresh of all rules
   Configurable via ldap_sudo_full_refresh_interval (default: 360 minutes)
   1. do C
   2. sudoLastFullRefreshTime := current time
   3. sudoNextFullRefreshTime := (current time + ldap_sudo_full_refresh_interval)
   4. schedule next full refresh

C. On demand full refresh of all rules
   1. Download all rules per host
   2. Delete all rules from the sysdb
   3. Store the downloaded rules in the sysdb

D. On demand refresh of specific rules
   1. Download the rules
   2. Delete them from the sysdb
   3. Store the downloaded rules in the sysdb
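As an added example (not code from the SSSD project), a Python model of the per host filter from the Common section and of steps A to C above, using an in-memory stand-in for both the LDAP server and the sysdb. The 15-minute ldap_sudo_changed_refresh_interval, the server identity string used for the "server has changed" check, and the next smart refresh scheduled after that path are assumptions.

```python
from dataclasses import dataclass, field

CHANGED_INTERVAL = 15 * 60   # ldap_sudo_changed_refresh_interval (assumed: 15 minutes)
FULL_INTERVAL = 360 * 60     # ldap_sudo_full_refresh_interval (page default: 360 minutes)
REGEX_CHARS = "\\?*[]"       # a sudoHost value containing one of these is a regular expression

@dataclass
class Rule:
    cn: str
    usn: int                 # entryUSN assigned by the server
    hosts: tuple             # sudoHost values

@dataclass
class SudoCache:
    hostname: str
    server_id: str = ""      # assumed identity of the server the cache was filled from
    rules: dict = field(default_factory=dict)   # sysdb stand-in, keyed by cn
    highest_usn: int = 0     # currentHighestUSN
    next_full: int = 0       # sudoNextFullRefreshTime
    last_smart: int = 0      # sudoLastSmartRefreshTime

    def _host_matches(self, rule):
        # Per host update: keep ALL, a direct hostname match, netgroups and regular
        # expressions; the last two are narrowed down later by sudo itself.
        return any(h == "ALL" or h == self.hostname or h.startswith("+")
                   or any(c in h for c in REGEX_CHARS) for h in rule.hosts)

    def full_refresh(self, now, server_id, server):
        # C: download all rules per host, drop the sysdb content, store the new ones.
        fetched = [r for r in server if self._host_matches(r)]
        self.rules = {r.cn: r for r in fetched}
        self.highest_usn = max((r.usn for r in server), default=0)  # server's highest USN
        self.server_id = server_id
        self.next_full = now + FULL_INTERVAL
        return len(fetched)

    def smart_refresh(self, now, server_id, server):
        # A.1: a different server makes the USN watermark meaningless, so do C.
        if server_id != self.server_id:
            return self.full_refresh(now, server_id, server), now + CHANGED_INTERVAL
        # A.2: only rules whose entryUSN is above the watermark are downloaded.
        changed = [r for r in server if r.usn > self.highest_usn and self._host_matches(r)]
        for r in changed:
            self.rules[r.cn] = r
        self.highest_usn = max((r.usn for r in server), default=self.highest_usn)
        self.last_smart = now
        nextrefresh = now + CHANGED_INTERVAL
        # A.3.4: do not schedule a smart refresh on top of the pending full refresh.
        if self.next_full <= nextrefresh < self.next_full + CHANGED_INTERVAL:
            nextrefresh = self.next_full + CHANGED_INTERVAL
        return len(changed), nextrefresh
```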
Responder
sudo_timed (default: false) - when false, the responder itself filters the rules by their time constraints before returning them

1. search the sysdb per user
2. refresh all expired rules
3. if any rule was deleted then schedule C (out of band)
4. search the sysdb per user
5. if sudo_timed = false then filter rules by time constraints
6. sort rules
7. return rules to sudo
Questions
- Should we also do per user smart updates when the user runs sudo?
- Should we create a tool to force a full refresh of the rules immediately?