[Freeipa-devel] [PATCH] 29 Raise DuplicateEntry Error when adding a duplicate sudo option
JR Aquino
JR.Aquino at citrix.com
Tue Jun 14 23:30:37 UTC 2011
On Jun 14, 2011, at 11:06 AM, Rob Crittenden wrote:
> JR Aquino wrote:
>> On Jun 10, 2011, at 3:11 PM, JR Aquino wrote:
>>
>>> On Jun 9, 2011, at 10:24 AM, Rob Crittenden wrote:
>>>
>>>> JR Aquino wrote:
>>>>> https://fedorahosted.org/freeipa/ticket/1277
>>>>>
>>>>> Raise DuplicateEntry Error when adding a duplicate sudo option
>>>>
>>>> nack, this will still fail if no ipasudoopt is passed in.
>>>>
>>>> Also, is this case-sensitive?
>>>
>>> Yes, it is case sensitive (Example: sudoOption: env_keep+=SSH_AUTH_SOCK)
>>>
>>> Here is an adjusted patch to account for no ipasudoopt as well as an empty space.
>>>
>>> <freeipa-jraquino-0029-Raise-DuplicateEntry-Error-when-adding-a-duplicate.patch>
>>
>>
>> Minor correction: Addressed the 1 character change needed to address #1276
>>
>> Added notes to indicate this patch fixes:
>> #1276 (Removed option from Sudo rule message is displayed even when the given option doesn't exist.)
>> #1277 (Added option to Sudo rule message is displayed even when the given option already exists.)
>> #1308 (Internal error while removing sudorule option without "--sudooption")
>>
>
> NACK
>
> $ ipa sudorule-add test
> ----------------------
> Added sudo rule "test"
> ----------------------
> Rule name: test
> Enabled: TRUE
> $ ipa sudorule-remove-option test --sudooption=foo
> -----------------------
> sudorule-remove-option:
> -----------------------
> Rule name: test
> ipa: ERROR: KeyError: 'ipasudoopt'
> Traceback (most recent call last):
> File "/home/rcrit/redhat/freeipa-master/ipalib/cli.py", line 1141, in run
> sys.exit(api.Backend.cli.run(argv))
> File "/home/rcrit/redhat/freeipa-master/ipalib/cli.py", line 965, in run
> rv = cmd.output_for_cli(self.api.Backend.textui, result, *args, **options)
> File "/home/rcrit/redhat/freeipa-master/ipalib/plugins/sudorule.py", line 675, in output_for_cli
> textui.print_attribute('Sudo Options', result['result']['ipasudoopt'])
> KeyError: 'ipasudoopt'
> ipa: ERROR: an internal error has occurred
>
> Is this legal?
>
> $ ipa sudorule-add-option test --sudooption=foo
> --------------------
> sudorule-add-option:
> --------------------
> Rule name: test
> Sudo Options: foo
> $ ipa sudorule-add-option test --sudooption=foo
> ipa: ERROR: This entry already exists
> $ ipa sudorule-add-option test --sudooption=FOO
> --------------------
> sudorule-add-option:
> --------------------
> Rule name: test
> Sudo Options: foo
> Sudo Options: FOO
This is legal ^ Or if you like double negatives, this is not illegal.
However, the only options that will be respected are listed: http://www.gratisoft.us/sudo/man/1.8.1/sudoers.man.html in the SUDOERS OPTIONS section. Some of the values can be singular like:
"sudoOption: !authenticate" which will allow you to run sudo without a password or "sudoOption: iolog_dir=/var/log/sudo-playback"
>
> I also noticed that ipasudoopt doesn't have a label and isn't shown in the rule by default.
Here is a corrected patch to address the KeyError and the display issue.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-jraquino-0029-Raise-DuplicateEntry-Error-when-adding-a-duplicate.patch
Type: application/octet-stream
Size: 4309 bytes
Desc: freeipa-jraquino-0029-Raise-DuplicateEntry-Error-when-adding-a-duplicate.patch
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20110614/e80e042d/attachment.obj>
More information about the Freeipa-devel
mailing list