[Freeipa-devel] Sudo Schema Bug/Feature

Dmitri Pal dpal at redhat.com
Mon Oct 4 20:47:03 UTC 2010


Dmitri Pal wrote:
> Dmitri Pal wrote:
>   
>>> How do we adjust FreeIPA such that it ensures Deny-IPASudoRules precede any Allow-IPASudoRules ?
>> So it looks like current schema would not fly well with SUDO due to SUDO
>> bug/feature. SUDO will match just any first rule that satisfies the
>> user-host-command combination but we can't guarantee that rules come in
>> the same order. So there is a possibility that allow rule will come
>> before deny rule in our case and will be matched.
>> It is unfortunate and should be fixed by SUDO. In the meantime we need to
>> alter the schema to be able to express allowed and not allowed commands
>> in one rule.
>> It will be up to the admin to know the limitations of SUDO based on the
>> documentation we provide and construct the rules in a non-contradicting
>> way. We might be able to add some nice checks in future.
>>
>> So here is current schema:
>>
>> objectClasses: (2.16.840.1.113730.3.8.8.TBD 
>>                 NAME 'ipaSudoRule' 
>>                 SUP ipaAssociation 
>>                 STRUCTURAL 
>>                 MUST accessRuleType
>>                 MAY ( externalUser $ 
>>                       externalHost $ hostMask $ 
>>                       memberCmd $ cmdCategory $
>>                       ipaSudoOpt $
>>                       ipaSudoRunAs $ ipaSudoRunAsExtUser $ ipaSudoRunAsUserCategory $
>>                       ipaSudoRunAsGroup $ ipaSudoRunAsExtGroup $ ipaSudoRunAsGroupCategory ) 
>>                 X-ORIGIN 'IPA v2' )
>>
>>
>> We will:
>> * Remove accessRuleType
>> * Add memberNotCmd, same as memberCmd
>>
>> attributeTypes: (2.16.840.1.113730.3.8.7.TBD 
>>                  NAME 'memberNotCmd' 
>>                  DESC 'Reference to a command or group of the commands that is not allowed.' 
>>                  SUP distinguishedName 
>>                  EQUALITY distinguishedNameMatch 
>>                  ORDERING distinguishedNameMatch 
>>                  SUBSTR distinguishedNameMatch 
>>                  SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 
>>                  X-ORIGIN 'IPA v2' )
>>
>>
>> The logic then will be:
>> * If no memberCmd, memberNotCmd or cmdCategory attribute is specified -
>> no command is allowed
>> * If cmdCategory is specified (only value is "all") all other attributes
>> are ignored and all commands are allowed
>> * If cmdCategory is not specified
>>      * If memberCmd is specified it defines commands or groups of the
>> commands that are allowed
>>      * If memberNotCmd is specified it defines commands or groups of the
>> commands that are not allowed
>>      Both attributes are allowed at the same time defining allowed and
>> not allowed commands within the same rule.
>>
>> This does not solve the problem fully but at least gets us into the same
>> boat as current SUDO schema.
>>
>> Comments welcome!
>> If there are no objections by end of Friday I will craft a patch over
>> the weekend.
>>
>> Thanks
>> Dmitri
>>
>>
>
> I updated the wiki and implemented the change.
> Patch is attached.
>
>
>

Rebased patch attached.


>> _______________________________________________
>> Freeipa-devel mailing list
>> Freeipa-devel at redhat.com
>> https://www.redhat.com/mailman/listinfo/freeipa-devel


-- 
Thank you,
Dmitri Pal

Engineering Manager IPA project,
Red Hat Inc.


-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001--SUDO-Allow-and-deny-commands-in-one-rule.patch
Type: text/x-patch
Size: 8053 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20101004/53e062b8/attachment.bin>
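The command logic proposed in the quoted message, and the ordering problem that motivates it, modelled in Python as an added example (this is not FreeIPA code, the sudo LDAP plugin, or the attached patch). The attribute names memberCmd, memberNotCmd and cmdCategory are the ones from the proposed schema; the command-group layout, the sample DNs and the rule dicts are constructed for illustration. One assumption not spelled out in the thread: when both memberCmd and memberNotCmd in the same rule cover a command, the memberNotCmd entry wins, since that is what makes the merged rule order-independent.

```python
"""Model of ipaSudoRule command evaluation as proposed on freeipa-devel.

Added example, not project code. Command groups, DNs and rules below are
constructed sample data.
"""
from itertools import permutations

# Constructed sample directory content: group DN -> set of command DNs.
COMMAND_GROUPS = {
    "cn=network,cn=sudocmdgroups,dc=example,dc=com": {
        "sudocmd=/sbin/ifconfig,cn=sudocmds,dc=example,dc=com",
        "sudocmd=/sbin/iptables,cn=sudocmds,dc=example,dc=com",
    },
}
NETWORK_GRP = "cn=network,cn=sudocmdgroups,dc=example,dc=com"
IFCONFIG = "sudocmd=/sbin/ifconfig,cn=sudocmds,dc=example,dc=com"
IPTABLES = "sudocmd=/sbin/iptables,cn=sudocmds,dc=example,dc=com"


def expand(refs, groups=COMMAND_GROUPS):
    """Resolve memberCmd/memberNotCmd values: each DN is either a single
    command or a group of commands (the schema allows both)."""
    cmds = set()
    for dn in refs:
        cmds |= groups.get(dn, {dn})
    return cmds


def rule_decision(rule, cmd_dn):
    """Apply the proposed per-rule logic to one command.

    Returns "allow", "deny", or None when the rule says nothing about
    cmd_dn (and therefore cannot match it).
    """
    # cmdCategory "all": every other command attribute is ignored.
    if rule.get("cmdCategory") == "all":
        return "allow"
    allowed = rule.get("memberCmd", [])
    denied = rule.get("memberNotCmd", [])
    # No command attributes at all: the rule allows nothing.
    if not allowed and not denied:
        return None
    # Assumption: an explicit memberNotCmd beats memberCmd within one rule.
    if cmd_dn in expand(denied):
        return "deny"
    if cmd_dn in expand(allowed):
        return "allow"
    return None


def first_match(rules, cmd_dn):
    """Model of the sudo behaviour described in the thread: the first rule
    (in whatever order the rules arrive) that matches the command decides,
    and later rules are not consulted. No match means sudo denies."""
    for rule in rules:
        decision = rule_decision(rule, cmd_dn)
        if decision is not None:
            return decision
    return "deny"


def order_dependent(rules, cmd_dn):
    """The 'nice check' an admin tool could run: does the outcome for cmd_dn
    change depending on which order the directory returns the rules in?"""
    outcomes = {first_match(list(p), cmd_dn) for p in permutations(rules)}
    return len(outcomes) > 1


# Constructed rules. First the layout the thread warns about: the allow and
# the deny live in separate rules, so the result depends on rule order.
ALLOW_NET = {"cn": "allow-network", "memberCmd": [NETWORK_GRP]}
DENY_FW = {"cn": "deny-iptables", "memberNotCmd": [IPTABLES]}

# The same intent expressed in one rule with the proposed memberNotCmd.
MERGED = {
    "cn": "network-minus-iptables",
    "memberCmd": [NETWORK_GRP],
    "memberNotCmd": [IPTABLES],
}

if __name__ == "__main__":
    print("separate rules, order-dependent:",
          order_dependent([ALLOW_NET, DENY_FW], IPTABLES))
    print("merged rule, order-dependent:",
          order_dependent([MERGED], IPTABLES))
    print("merged rule on ifconfig:", rule_decision(MERGED, IFCONFIG))
```

Running it shows the two-rule layout flipping between allow and deny for /sbin/iptables depending on order, while the merged rule denies it regardless and still allows /sbin/ifconfig. The order_dependent check is the kind of contradiction detector the message says might be added later; it only needs the per-rule decisions, not sudo itself.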

