Author Archives: admin

sudo: pcre support for sudoers rules

In order to be more flexible in sudoers rules, I added PCRE support to sudo (sudo-pcre.patch).

A PCRE-enabled sudo can, for example, use the following rules:
# only allow restart and status parameters for some initscripts
%operating ALL = /sbin/service (clamd|postfix|dhcpd|amavisd|postgrey) (restart|status)
# only allow changing the password for usernames starting with two digits
%operating ALL = /usr/sbin/ [0-9][0-9][a-z-]+
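
A way to check how tightly such patterns constrain a command line, as an added example (not part of sudo-pcre.patch or the original post). The page does not say whether the patch anchors patterns, so the script compares whole-string matching with substring matching, using Python's re module as a stand-in for PCRE; the function names and candidate command lines are constructed for illustration.

```python
import re

# Patterns copied from the sudoers rules above. The second rule's command
# path is incomplete on the page, so only its argument pattern is tested.
SERVICE_RULE = r"/sbin/service (clamd|postfix|dhcpd|amavisd|postgrey) (restart|status)"
USERNAME_ARG = r"[0-9][0-9][a-z-]+"

def allowed(pattern, command_line, anchored=True):
    """True if the pattern accepts the command line.

    anchored=True  : the whole string must match (re.fullmatch)
    anchored=False : a match anywhere in the string is enough (re.search)
    """
    rx = re.compile(pattern)
    match = rx.fullmatch(command_line) if anchored else rx.search(command_line)
    return match is not None

def only_when_unanchored(pattern, candidates):
    """Candidates that substring matching accepts but whole-string matching rejects."""
    return [c for c in candidates
            if allowed(pattern, c, anchored=False) and not allowed(pattern, c)]

# Constructed test inputs (not from the original post).
SERVICE_CANDIDATES = [
    "/sbin/service postfix restart",
    "/sbin/service postfix status",
    "/sbin/service postfix stop",
    "/sbin/service sshd restart",
    "/sbin/service postfix restart extra-argument",
    "/opt/other/sbin/service clamd status",
]
USERNAME_CANDIDATES = ["12alice", "07bob-smith", "alice", "12alice extra", "x12alice"]

if __name__ == "__main__":
    for pattern, candidates in ((SERVICE_RULE, SERVICE_CANDIDATES),
                                (USERNAME_ARG, USERNAME_CANDIDATES)):
        print(pattern)
        for c in candidates:
            print(f"  anchored={allowed(pattern, c)!s:5} "
                  f"unanchored={allowed(pattern, c, anchored=False)!s:5} {c}")
```

If the two columns differ for a command line that should be rejected, the rule needs explicit `^` and `$` (or an anchoring matcher) before it is deployed.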

Apache httpd ldap-auth: canonicalize usernames

I created a patch for Apache httpd for ldap-authentication (reported upstream as bug #646646). In my scenario I used

AuthLDAPRemoteUserAttribute uid
AuthLDAPGroupAttribute memberUid
AuthLDAPGroupAttributeIsDN Off
AuthBasicProvider ldap

require ldap-group cn=Domain Admins,ou=Group, dc=DOMAIN,dc=de

We always used lowercase usernames in memberUid. Some users tended to enter their usernames with a leading uppercase character. Password authentication worked; however, memberUid (from posixGroup, which is also used by Samba domain groups) is case-sensitive, so group authorization failed.

In order to fix this issue I created a patch for Apache httpd that makes it configurable to replace the username Apache httpd uses with the value of the “AuthLDAPRemoteUserAttribute” field of the LDAP result. This also helps to canonicalize usernames (in logs and the REQUEST_USER environment variable), so that the same casing is always used and, for (LDAP) aliases, the same username.


For my studies I had to give a seminar on a topic of my choice. So I chose to speak about malware (slides, in German).