Warning

This is a design page. It was used to design and discuss the initial implementation of the change. However, the state of this document does not necessarily correspond to the current state of the implementation since we do not keep this document up to date with further changes and bug fixes.

SUDO caching rules

Important sudo attributes

sudoHost - to what host does the rule apply
- ALL - all hostnames
- hostname
- IP address
- +netgroup
- regular expression - contains one of “\?*[]”
sudoUser - to what user does the rule apply
- username
- #uid
- %group
- +netgroup
sudoOrder - rules ordering
sudoNotBefore and sudoNotAfter - time constraints

Complete LDAP schema can be found here.

Common

Per host update

Per host update returns all rules that:

sudoHost equals to ALL
direct match with sudoHost (by hostname or address)
contains regular expression (will be filtered by sudo)
contains netgroup (will be filtered by sudo)

Hostname match is performed in sudo source in plugin/sudoers/ldap.c/sudo_ldap_check_host().

Per user update

Per user update returns all rules that:

sudoUser equals to ALL
direct match with username, #uid or %group names
contains +netgroup (will be filtered by sudo)

Username match is performed via LADP filter in sudo source in plugin/sudoers/ldap.c/sudo_ldap_result_get().

Smart refresh

Download only rules that were modified or newly created since the last refresh.

Implementation

We will be looking for modified and newly created rules in short intervals. Expiration of the rules is handled per user during the execution time of sudo. We will also do periodical full refresh to ensure consistency even if the sudo command is not used.

SysDB attributes

sudoLastSmartRefreshTime on ou=SUDOers - when the last smart
refresh was performed
sudoLastFullRefreshTime on ou=SUDOers - when the last full
refresh was performed
sudoNextFullRefreshTime on ou=SUDOers - when the next full is
scheduled
dataExpireTimestamp on each rule - when the rule will be
considered as expired

Data provider

Data provider will be performing following actions:

A. Periodical download of changed or newly created rules (per host smart refresh)

Interval is configurable via ldap_sudo_changed_refresh_interval (default: 15 minutes)

Enable modifyTimestamp with ldap_sudo_modify_timestamp_enabled (default: false)

if server has changed then do C
else if entryUSN is available then
1. refresh rules per host, where entryUSN > currentHighestUSN
2. goto 3.2.
else if modifyTimestamp is enabled then
1. refresh rules per host, where entryUSN > currentHighestUSN
2. sudoLastSmartRefreshTime := current time
3. nextrefresh := (current time + ldap_sudo_changed_refresh_interval)
4. if nextrefresh >= sudoNextFullRefreshTime AND nextrefresh < (sudoNextFullRefreshTime + ldap_sudo_changed_refresh_interval) then
  1. nextrefresh := (sudoNextFullRefreshTime + ldap_sudo_changed_refresh_interval)
5. schedule next smart refresh
else do nothing

B. Periodical full refresh of all rules

Configurable via ldap_sudo_full_refresh_interval (default: 360 minutes)

do C
sudoLastFullRefreshTime := current time
sudoNextFullRefreshTime := (current time + ldap_sudo_full_refresh_interval)
schedule next full refresh

C. On demand full refresh of all rules

Download all rules per host
Deletes all rules from the sysdb
Store downloaded rule in the sysdb

D. On demand refresh of specific rules

Download the rules
Delete them from the sysdb
Store downloaded rule in the sysdb

Responder

sudo_timed (default: false) - filter rules by time constraints?

search sysdb per user
refresh all expired rules
if any rule was deleted then
1. schedule C (out of band)
2. search sysdb per user
if sudo_timed = false then filter rules by time constraints
sort rules
return rules to sudo

Questions

Should we also do per user smart updates when the user runs sudo?
Should we create a tool to force full refresh of the rules immediately?