[Freeipa-devel] Sudo Schema Bug/Feature

Rob Crittenden rcritten at redhat.com
Mon Oct 4 21:02:27 UTC 2010


Dmitri Pal wrote:
> Dmitri Pal wrote:
>> Dmitri Pal wrote:
>>
>>>> How do we adjust FreeIPA such that it ensures Deny-IPASudoRules precede any Allow-IPASudoRules ?
>>>>
>>> So it looks like the current schema would not fly well with SUDO due to a SUDO
>>> bug/feature. SUDO will match just any first rule that satisfies the
>>> user-host-command combination, but we can't guarantee that rules come in
>>> the same order. So there is a possibility that an allow rule will come
>>> before a deny rule in our case and will be matched.
>>> It is unfortunate and should be fixed by SUDO. In the meantime we need to
>>> alter the schema to be able to express allowed and not allowed commands
>>> in one rule.
>>> It will be up to the admin to know the limitations of SUDO based on the
>>> documentation we provide and construct the rules in a non-contradicting
>>> way. We might be able to add some nice checks in future.
>>>
>>> So here is current schema:
>>>
>>> objectClasses: (2.16.840.1.113730.3.8.8.TBD
>>>                  NAME 'ipaSudoRule'
>>>                  SUP ipaAssociation
>>>                  STRUCTURAL
>>>                  MUST accessRuleType
>>>                  MAY ( externalUser $
>>>                        externalHost $ hostMask $
>>>                        memberCmd $ cmdCategory $
>>>                        ipaSudoOpt $
>>>                        ipaSudoRunAs $ ipaSudoRunAsExtUser $ ipaSudoRunAsUserCategory $
>>>                        ipaSudoRunAsGroup $ ipaSudoRunAsExtGroup $ ipaSudoRunAsGroupCategory )
>>>                  X-ORIGIN 'IPA v2' )
>>>
>>>
>>> We will:
>>> * Remove accessRuleType
>>> * Add memberNotCmd, same as memberCmd
>>>
>>> attributeTypes: (2.16.840.1.113730.3.8.7.TBD
>>>                   NAME 'memberNotCmd'
>>>                   DESC 'Reference to a command or group of the commands that is not allowed.'
>>>                   SUP distinguishedName
>>>                   EQUALITY distinguishedNameMatch
>>>                   ORDERING distinguishedNameMatch
>>>                   SUBSTR distinguishedNameMatch
>>>                   SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
>>>                   X-ORIGIN 'IPA v2' )
>>>
>>>
>>> The logic then will be:
>>> * If no memberCmd, memberNotCmd or cmdCategory attribute is specified -
>>> no command is allowed
>>> * If cmdCategory is specified (only value is "all") all other attributes
>>> are ignored and all commands are allowed
>>> * If cmdCategory is not specified
>>>       * If memberCmd is specified it defines commands or groups of the
>>> commands that are allowed
>>>       * If memberNotCmd is specified it defines commands or groups of the
>>> commands that are not allowed
>>>       Both attributes are allowed at the same time defining allowed and
>>> not allowed commands within the same rule.
>>>
>>> This does not solve the problem fully but at least gets us into the same
>>> boat as current SUDO schema.
>>>
>>> Comments welcome!
>>> If there are no objections by end of Friday I will craft a patch over
>>> the weekend.
>>>
>>> Thanks
>>> Dmitri
>>>
>>
>> I updated the wiki and implemented the change.
>> Patch is attached.
>>
>
> Rebased patch attached.

ack, pushed to master.

JR, can you fix up the sudo plugins to match this new schema?

thanks

rob
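As an added example, not code from this thread or from FreeIPA, a small Python model of the evaluation logic Dmitri describes: the first-match, order-dependent outcome of separate allow/deny rules under the old accessRuleType schema, beside the single-rule memberCmd/memberNotCmd logic. It assumes that within one rule a memberNotCmd match takes precedence over memberCmd (the thread leaves conflict resolution to the admin), and the command DNs are constructed placeholders.

```python
# Constructed stand-ins for sudo command entries: DN -> command path.
C1 = "ipaUniqueID=c1,cn=sudocmds,dc=example,dc=com"
C2 = "ipaUniqueID=c2,cn=sudocmds,dc=example,dc=com"
CMDS = {C1: "/usr/bin/less", C2: "/bin/rm"}


def _commands(rule, attr):
    """Resolve the DN values of `attr` in a rule dict to command paths."""
    return {CMDS[dn] for dn in rule.get(attr, [])}


def first_match_permits(rules, command):
    """Old-schema behaviour from the thread: sudo acts on the first rule whose
    command list matches, so separate allow/deny rules give an order-dependent
    answer. Returns True if the first matching rule is an allow rule."""
    for rule in rules:
        if rule.get("cmdCategory") == ["all"] or command in _commands(rule, "memberCmd"):
            return rule["accessRuleType"] == "allow"
    return False


def rule_permits(rule, command):
    """New-schema logic for a single ipaSudoRule:
    - cmdCategory=all: every command allowed, other attributes ignored
    - otherwise memberNotCmd denies (assumption: deny wins inside one rule),
      then memberCmd allows
    - nothing specified: no command allowed."""
    if rule.get("cmdCategory") == ["all"]:
        return True
    if command in _commands(rule, "memberNotCmd"):
        return False
    return command in _commands(rule, "memberCmd")


# Constructed rules: one allows less and rm, the other denies rm.
ALLOW_RULE = {"accessRuleType": "allow", "memberCmd": [C1, C2]}
DENY_RULE = {"accessRuleType": "deny", "memberCmd": [C2]}
# Same intent expressed in one rule under the proposed schema.
COMBINED_RULE = {"memberCmd": [C1, C2], "memberNotCmd": [C2]}


def order_dependent_outcomes(command="/bin/rm"):
    """Both directory return orders for the two old-schema rules."""
    return (first_match_permits([ALLOW_RULE, DENY_RULE], command),
            first_match_permits([DENY_RULE, ALLOW_RULE], command))


if __name__ == "__main__":
    print("old schema, allow first / deny first:", order_dependent_outcomes())
    print("combined rule, /bin/rm:", rule_permits(COMBINED_RULE, "/bin/rm"))
    print("combined rule, /usr/bin/less:", rule_permits(COMBINED_RULE, "/usr/bin/less"))
```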