I'm trying to translate this sudoers file into LDAP:
Defaults env_reset, env_keep="LESSSECURE SSH_CLIENT", !authenticate, noexec, requiretty, secure_path=/usr/local/bin:/usr/bin:/usr/sbin
Cmnd_Alias DNS = /usr/local/bin/dnsmanager
Cmnd_Alias LOGS = /usr/bin/tail /var/log/named.log, /usr/bin/less /var/log/named.log
admin ALL = (root) EXEC: DNS, LOGS
Where I'm having trouble is the noexec default, and then applying EXEC to a specific command.
Here's what my LDIF looks like:
dn: cn=defaults,ou=sudoers,dc=r1,dc=internal
cn: defaults
objectClass: sudoRole
sudoOption: env_keep+="SSH_CLIENT LESSSECURE"
sudoOption: !authenticate
sudoOption: noexec
sudoOption: secure_path=/usr/local/bin:/usr/bin:/usr/sbin

dn: cn=%operator@bmo,ou=sudoers,dc=r1,dc=internal
cn: %operator@bmo
sudoUser: %operator
sudoHost: bmo
sudoRunAsUser: root
objectClass: sudoRole
sudoCommand: /usr/bin/less /var/log/named.log
sudoCommand: /usr/bin/tail /var/log/named.log
sudoCommand: EXEC:/usr/local/bin/dnsmanager
But users are unable to execute the dnsmanager command. If they run sudo -l they see it listed, but it looks like this:
User jsmith may run the following commands on bmo:
(root) /usr/bin/less /var/log/named.log, /usr/bin/tail /var/log/named.log,
EXEC\:/usr/local/bin/nsmanager
How can I avoid the colon being mangled so I can set the EXEC flag on the commands I want to?
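The LDIF below is an added example, not the poster's data. It keeps the suffix (ou=sudoers,dc=r1,dc=internal), the %operator group and the host bmo from the question; the role names operator_logs and operator_dns are assumed. It relies on how LDAP-based sudoers treats options: a sudoOption applies to every sudoCommand in its sudoRole, and there is no per-command tag syntax inside sudoCommand, so a literal "EXEC:" prefix is stored as part of the command path (which is why sudo -l prints it escaped). The sudoers tag EXEC therefore becomes the option !noexec, scoped to a role that contains only the command that needs it, while the log viewers stay in a role that inherits the noexec default.

```ldif
# Added example (not the poster's LDIF). Role names operator_logs and
# operator_dns are assumed; suffix, group and host come from the question.

# Global defaults, mirroring the sudoers Defaults line.
# noexec stays on for every command unless a role switches it off.
dn: cn=defaults,ou=sudoers,dc=r1,dc=internal
objectClass: top
objectClass: sudoRole
cn: defaults
sudoOption: env_reset
sudoOption: env_keep+="SSH_CLIENT LESSSECURE"
sudoOption: !authenticate
sudoOption: noexec
sudoOption: requiretty
sudoOption: secure_path=/usr/local/bin:/usr/bin:/usr/sbin

# LOGS: less and tail keep the inherited noexec, so a pager shell escape
# cannot spawn a process as root.
dn: cn=operator_logs,ou=sudoers,dc=r1,dc=internal
objectClass: top
objectClass: sudoRole
cn: operator_logs
sudoUser: %operator
sudoHost: bmo
sudoRunAsUser: root
sudoCommand: /usr/bin/less /var/log/named.log
sudoCommand: /usr/bin/tail /var/log/named.log

# DNS: the sudoers "EXEC:" tag is expressed as "!noexec" on its own role,
# so it affects only /usr/local/bin/dnsmanager.
dn: cn=operator_dns,ou=sudoers,dc=r1,dc=internal
objectClass: top
objectClass: sudoRole
cn: operator_dns
sudoUser: %operator
sudoHost: bmo
sudoRunAsUser: root
sudoOption: !noexec
sudoCommand: /usr/local/bin/dnsmanager
```

After loading this with ldapadd, sudo -l for a member of %operator on bmo should list /usr/local/bin/dnsmanager as a plain path with no EXEC\: prefix, and the two log commands under a separate rule. No sudoOrder attribute is needed because the two roles grant disjoint commands and do not conflict; it only matters when roles overlap and the order in which sudo applies them affects the result.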