[Freeipa-devel] Sudo Schema Bug/Feature
JR Aquino
JR.Aquino at citrixonline.com
Thu Sep 30 14:44:08 UTC 2010
On Sep 30, 2010, at 6:17 AM, <freeipa-devel-request at redhat.com<mailto:freeipa-devel-request at redhat.com>> <freeipa-devel-request at redhat.com<mailto:freeipa-devel-request at redhat.com>> wrote:
I think this behaviour is a contradiction to 'paranoid behavior'. I
think that instead of
'If there are conflicting command rules on an entry, the negative takes
precedence.'
the "expected" (at least that's what I had expected) behavior is better
described by
"If there are conflicting command rules on an entry OR ON DIFFERENT
MATCHING ENTRIES, the negative takes precedence."
I would say this is a bug in sudo and should be fixed.
Maybe we can tweak the plugins of the IPA server in a way that the deny
rules are always send first (and hope that the client libraries do not
change the order of the entries :-).
While I agree that it is a subtle and frustrating bug/feature, I think that it is important to consider a few things...
0) We do not maintain sudo, and it benefits the community if we maintain solutions that accommodate the current sudo code base in the interim until Todd commits features that we pioneer... (Get rid of NisNetgroups Todd!)
1) Administratively, it may be confusing to find out that someone is being prohibited by a contradictory 'deny' object somewhere in the directory rather than contained in the same rule that their permissive rules are defined.
2) Generally speaking, it may be in our best interest to encourage users NOT to duplicate (users/hosts) in multiple sudoRule objects in the database with mixed access rights... Sudo has an implicit Deny by default. While it may be possible to force FreeIPA to return 'deny' rules ahead of permissive ones, if a there are a pair of rules that contain the same users and hosts, but have different commands present, a match will STILL occur, and a deny will STILL randomly take place.
I foresee the need of the community to use FreeIPA with clients that do not have SSSD present and that are using sudo provided via their distribution.
We should anticipate how the original Sudo responds, otherwise we risk designing a system that is only functional if our user base subscribes to ALL of our software components.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Jr Aquino, GCIH | Information Security Specialist
Citrix Online | 6500 Hollister Avenue | Goleta, CA 93117
T: +1 805.690.3478
jr.aquino at citrixonline.com<mailto:jr.aquino at citrixonline.com>
http://www.citrixonline.com<http://www.citrixonline.com/>
More information about the Freeipa-devel
mailing list