[Freeipa-devel] Sudo Schema Bug/Feature

Sumit Bose sbose at redhat.com
Thu Sep 30 16:37:31 UTC 2010


> On Sep 30, 2010, at 6:17 AM, freeipa-devel-request at redhat.com wrote:
> 
> I think this behaviour is a contradiction to 'paranoid behavior'. I
> think that instead of
> 
> 'If there are conflicting command rules on an entry, the negative takes
> precedence.'
> 
> the "expected" (at least that's what I had expected) behavior is better
> described by
> 
> "If there are conflicting command rules on an entry OR ON DIFFERENT
> MATCHING ENTRIES, the negative takes precedence."
> 
> I would say this is a bug in sudo and should be fixed.
> 
> Maybe we can tweak the plugins of the IPA server in a way that the deny
> rules are always sent first (and hope that the client libraries do not
> change the order of the entries :-).
> 

On Thu, Sep 30, 2010 at 07:44:08AM -0700, JR Aquino wrote:
> While I agree that it is a subtle and frustrating bug/feature, I think that it is important to consider a few things...
> 
> 0) We do not maintain sudo, and it benefits the community if we maintain solutions that accommodate the current sudo code base in the interim until Todd commits features that we pioneer... (Get rid of NisNetgroups Todd!)

I agree; I only made the suggestion about the IPA server because I
think that this "feature" is a bug in the current sudo code base, an
annoying bug at best and a serious security issue at worst.

> 
> 1) Administratively, it may be confusing to find out that someone is being prohibited by a contradictory 'deny' object somewhere in the directory rather than contained in the same rule that their permissive rules are defined.

Yes, but it is also confusing if the permission to execute a command is
arbitrarily granted or denied. Maybe I'm a bit paranoid here, but I
think if a user cannot run a command he will complain, and if he should
really be allowed to run it the rule can be fixed. If he can run a
command he is not allowed to use, he will not complain, and only an
extensive audit might help to detect it. So I think a 'deny' rule always
wins, no matter where it can be found in the tree.

> 
> 2) Generally speaking, it may be in our best interest to encourage users NOT to duplicate (users/hosts) in multiple sudoRule objects in the database with mixed access rights... Sudo has an implicit Deny by default.  While it may be possible to force FreeIPA to return 'deny' rules ahead of permissive ones, if there is a pair of rules that contain the same users and hosts, but have different commands present, a match will STILL occur, and a deny will STILL randomly take place.

By the way, I cannot reproduce your issue in which a command is denied
when only the user and host match. Can you give an example where this is
happening? Thanks

bye,
Sumit

> 
> I foresee the need of the community to use FreeIPA with clients that do not have SSSD present and that are using sudo provided via their distribution.
> 
> We should anticipate how the original Sudo responds, otherwise we risk designing a system that is only functional if our user base subscribes to ALL of our software components.
> 
> 
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> Jr Aquino, GCIH | Information Security Specialist
> Citrix Online | 6500 Hollister Avenue | Goleta, CA 93117
> T:  +1 805.690.3478
> jr.aquino at citrixonline.com
> http://www.citrixonline.com
> 
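A small policy simulator, added here as an illustration and not code from sudo or FreeIPA, modelling the two evaluation orders the thread argues about: the per-entry rule quoted above (a negated command takes precedence within one entry) combined with the first applicable entry deciding, versus the proposal that a deny found anywhere in the tree wins. The entries, user, host and command names are constructed, and the first-match lookup order is an assumption used to show the order dependence, not a description of any particular sudo version.

```python
import fnmatch

# Constructed sample sudoRole-style entries (attribute names follow the
# sudoers LDAP schema discussed in the thread; the values are made up).
ENTRIES = [
    {"cn": "ops-allow", "sudoUser": ["alice"], "sudoHost": ["ALL"],
     "sudoCommand": ["/usr/bin/systemctl"]},
    {"cn": "ops-deny", "sudoUser": ["alice"], "sudoHost": ["web1"],
     "sudoCommand": ["!/usr/bin/systemctl"]},
]

def entry_matches(entry, user, host):
    """True when the entry applies to this user on this host."""
    users, hosts = entry["sudoUser"], entry["sudoHost"]
    return (user in users or "ALL" in users) and (host in hosts or "ALL" in hosts)

def check_command(entry, command):
    """Per-entry rule as quoted in the thread: a matching negated command
    (!cmd) beats a matching allow. Returns True, False or None (no opinion)."""
    decision = None
    for spec in entry["sudoCommand"]:
        negated = spec.startswith("!")
        pattern = spec[1:] if negated else spec
        if pattern == "ALL" or fnmatch.fnmatch(command, pattern):
            if negated:
                return False
            decision = True
    return decision

def first_match_wins(entries, user, host, command):
    """Assumed lookup order: the first applicable entry with an opinion
    decides, so the outcome depends on the order entries are returned."""
    for entry in entries:
        if entry_matches(entry, user, host):
            decision = check_command(entry, command)
            if decision is not None:
                return decision
    return False  # sudo's implicit deny when nothing matches

def deny_anywhere_wins(entries, user, host, command):
    """Proposed semantics: a matching deny in any applicable entry takes
    precedence, regardless of where it sits or in what order it arrives."""
    allowed = False
    for entry in entries:
        if entry_matches(entry, user, host):
            decision = check_command(entry, command)
            if decision is False:
                return False
            allowed = allowed or decision is True
    return allowed
```

Reversing the order of the two constructed entries flips the first-match result for alice on web1, while the deny-anywhere variant denies in both orders and still allows her on a host the deny entry does not cover.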