[Freeipa-devel] Sudo Schema Bug

JR Aquino JR.Aquino at citrixonline.com
Wed Sep 29 17:44:53 UTC 2010


I believe we have made an oversight in the way that sudo processes 'deny' or negations via ldap...

Currently our IPA sudo Schema has ipasudorule objects set to contain an attribute: accessRuleType

Unfortunately, sudo does not have a means to do a 'deny' in this way...

For a command, user, or host to be 'denied' it must be preceded with an exclamation point: !

Due to the RFC, LDAP will return entries in an arbitrary order, as such sudo will do first match on the "!" negations. However, this is only true within the same Rule, i.e. if a user belongs to multiple groups, one which allows the command, and a separate one which negates the command, sudo can and will pass or fail depending on which object ldap returns back for the search results.

It occurs to me that we have 2 ways to proceed.

0) I suggest we remove the attribute: accessRuleType from ipasudorule.

1) Add the attribute: accessRuleType to ipasudocmdgrp.
    - This has the benefit of not having to duplicate new ipasudocmd's only to prepend a "!" in front of them since an ipasudorule can contain multiple ipasudocmdgrp's.
    i.e. /usr/bin/less can be added to an 'allow' command group and remain unchanged, but when also added to a 'deny' command group, the compat layer should prepend the "!" for us.

Please let me know if anyone has any objections or observations.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Jr Aquino, GCIH | Information Security Specialist
Citrix Online | 6500 Hollister Avenue | Goleta, CA 93117
T:  +1 805.690.3478
jr.aquino at citrixonline.com
http://www.citrixonline.com
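An added illustration, not part of the post and not FreeIPA's or sudo's own code: a small Python model of the ordering problem the post describes and of the proposed compat-layer rendering. It assumes the behaviour stated in the post (within one rule a "!" command entry wins; across rules the first rule that matches decides, and LDAP hands rules back in arbitrary order); the function names and the sample command lists are constructed for the example.

```python
"""
Constructed model of sudo-LDAP negation handling as described in the post.
Assumptions (not verified against sudo's source):
  - within one rule, a "!"-prefixed sudoCommand overrides a plain entry;
  - across rules, the first rule that has an opinion on the command wins;
  - LDAP may return the rules in any order, so we try every permutation.
"""
from itertools import permutations


def rule_verdict(sudo_commands, command):
    """Verdict of a single rule: 'deny', 'allow', or None (rule is silent)."""
    # Negation inside the same rule takes precedence regardless of position.
    if any(c.startswith("!") and c[1:] == command for c in sudo_commands):
        return "deny"
    if "ALL" in sudo_commands or command in sudo_commands:
        return "allow"
    return None


def evaluate(rules, command):
    """First rule with an opinion wins; no match at all means deny."""
    for sudo_commands in rules:
        verdict = rule_verdict(sudo_commands, command)
        if verdict is not None:
            return verdict
    return "deny"


def is_order_dependent(rules, command):
    """True when the result changes with the order LDAP returns the rules in."""
    verdicts = {evaluate(list(order), command) for order in permutations(rules)}
    return len(verdicts) > 1


def render_rule(allow_groups, deny_groups):
    """Model of the proposed compat-layer output for one ipasudorule:
    commands from 'allow' command groups unchanged, commands from 'deny'
    command groups with "!" prepended, all collapsed into a single rule."""
    commands = [c for group in allow_groups for c in group]
    commands += ["!" + c for group in deny_groups for c in group]
    return commands


# Constructed sample: the user is in two groups, each mapped to its own rule.
# One rule allows /usr/bin/less, the other allows ALL except /usr/bin/less.
SPLIT_RULES = [
    ["/usr/bin/less"],
    ["ALL", "!/usr/bin/less"],
]

# Same intent expressed as one rule referencing an 'allow' and a 'deny'
# command group (constructed), rendered the way the post proposes.
COMBINED_RULE = render_rule(
    allow_groups=[["/usr/bin/less", "/usr/bin/vim"]],
    deny_groups=[["/usr/bin/less"]],
)


if __name__ == "__main__":
    print("two rules, order-dependent:",
          is_order_dependent(SPLIT_RULES, "/usr/bin/less"))
    print("one rendered rule:", COMBINED_RULE)
    print("less ->", evaluate([COMBINED_RULE], "/usr/bin/less"))
    print("vim  ->", evaluate([COMBINED_RULE], "/usr/bin/vim"))
```

With the two separate rules the verdict for /usr/bin/less flips between "allow" and "deny" depending on which entry LDAP returns first; with the single rendered rule the "!" entry sits in the same rule as the allow entry, so the deny is stable no matter the order.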



