[Freeipa-devel] [PATCH] 0032 Validate sudo RunAsUser/RunAsGroup arguments

Alexander Bokovoy abokovoy at redhat.com
Mon Nov 14 09:32:44 UTC 2011


Hi,

FreeIPA SUDO rules use --usercat/--groupcat to specify that a rule
applies to all users or groups. Thus, sudorule-add-runasuser and
sudorule-add-runasgroup accept specific groups and users and do not
accept the ALL reserved word.

The patch validates the user and group passed to these commands and
reports appropriate errors when these are ALL or when all arguments
are empty.

Ticket #1496
https://fedorahosted.org/freeipa/ticket/1496

One thing I'm not sure about is blocking all variants of the reserved
word 'ALL'. The patch blocks them all due to the fact that most likely
any of 'all', 'All', 'ALL', 'aLL', and so on are mistypings, but there
might be valid cases when a group or user is called 'all'.

-- 
/ Alexander Bokovoy
-------------- next part --------------
From 726dee0d53736f7ec42569e6f65e112f663a7fb8 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <abokovoy at redhat.com>
Date: Mon, 14 Nov 2011 11:23:19 +0200
Subject: [PATCH] Validate sudo RunAsUser/RunAsGroup arguments

FreeIPA SUDO rules use --usercat/--groupcat to specify that a rule
applies to all users or groups. Thus, sudorule-add-runasuser and
sudorule-add-runasgroup accept specific groups and users and do not
accept the ALL reserved word.

The patch validates the user and group passed to these commands and
reports appropriate errors when these are ALL or when all arguments
are empty.

Ticket #1496
https://fedorahosted.org/freeipa/ticket/1496
---
 ipalib/plugins/sudorule.py |   52 ++++++++++++++++++++++++++++++++++++++++++++
 1 files changed, 52 insertions(+), 0 deletions(-)

diff --git a/ipalib/plugins/sudorule.py b/ipalib/plugins/sudorule.py
index 93ca03f0170d922b91eff45ec2f42871336973f1..b5a3b4352f6e749a02c175efd698341667e3b610 100644
--- a/ipalib/plugins/sudorule.py
+++ b/ipalib/plugins/sudorule.py
@@ -479,6 +479,35 @@ class sudorule_add_runasuser(LDAPAddMember):
     member_attributes = ['ipasudorunas']
     member_count_out = ('%i object added.', '%i objects added.')
 
+    def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys, **options):
+        def check_validity(runas):
+            v = unicode(runas[0].value)
+            if v.upper() == u'ALL':
+                return False
+            return True
+
+        if 'ipasudorunas' in entry_attrs:
+            # Map group and user options. If option value is missing, runas_* will
+            # be set to False. The ordering is group, user and values are
+            # DNs already so we'll use DN class for extracting actual CN.
+            (runas_group, runas_user) = map(lambda x: len(x)>0 and x[0], entry_attrs['ipasudorunas'].values())
+            if runas_group:
+                group = DN(runas_group)
+                if not check_validity(group):
+                    raise errors.ValidationError(name='runas-group',
+                            error=unicode(_("RunAsUser does not accept '%s' as a group name")) % (group[0].value))
+            if runas_user:
+                user = DN(runas_user)
+                if not check_validity(user):
+                    raise errors.ValidationError(name='runas-user',
+                            error=unicode(_("RunAsUser does not accept '%s' as a user name")) % (user[0].value))
+
+            if runas_group == False and runas_user == False:
+                raise errors.ValidationError(name='runas-empty',
+                        error=unicode(_("RunAsUser does not accept empty group and user names")))
+
+        return dn
+
     def post_callback(self, ldap, completed, failed, dn, entry_attrs, *keys, **options):
         completed_external = 0
         # Sift through the user failures. We assume that these are all
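Review bot: the unpacking `(runas_group, runas_user) = map(lambda x: len(x)>0 and x[0], entry_attrs['ipasudorunas'].values())` depends on the dict yielding its values in the order group, user (as the comment above it states), but dict iteration order is not guaranteed, so a user DN can end up validated and reported under `runas-group` and vice versa. Index by key instead, as the second hunk does for `['group']`: `runas_group = entry_attrs['ipasudorunas'].get('group', [])` and `runas_user = entry_attrs['ipasudorunas'].get('user', [])`, then apply the `len(x)>0 and x[0]` reduction to each. Two smaller points: `check_validity` is defined identically in this class and in `sudorule_add_runasgroup`, so a single module-level helper would avoid the duplication, and `runas_group == False and runas_user == False` reads more naturally as `not runas_group and not runas_user`.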
@@ -547,6 +576,29 @@ class sudorule_add_runasgroup(LDAPAddMember):
     member_attributes = ['ipasudorunasgroup']
     member_count_out = ('%i object added.', '%i objects added.')
 
+    def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys, **options):
+        def check_validity(runas):
+            v = unicode(runas[0].value)
+            if v.upper() == u'ALL':
+                return False
+            return True
+
+        if 'ipasudorunasgroup' in entry_attrs:
+            # Extract group DN. If it is empty, runas_group will be set to False. 
+            # We'll use DN class to extract actual CN we are interested in.
+            runas_group = entry_attrs['ipasudorunasgroup']['group']
+            runas_group = len(runas_group)>0 and runas_group[0]
+            if runas_group:
+                group = DN(runas_group)
+                if not check_validity(group):
+                    raise errors.ValidationError(name='runas-group',
+                            error=unicode(_("RunAsGroup does not accept '%s' as a group name")) % (group[0].value))
+            else:
+                raise errors.ValidationError(name='runas-empty',
+                        error=unicode(_("RunAsGroup does not accept empty group name")))
+
+        return dn
+
     def post_callback(self, ldap, completed, failed, dn, entry_attrs, *keys, **options):
         completed_external = 0
         # Sift through the group failures. We assume that these are all
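Review bot: `entry_attrs['ipasudorunasgroup']['group']` raises a KeyError instead of the intended `runas-empty` ValidationError when the `ipasudorunasgroup` dict is present but has no `group` key; `entry_attrs['ipasudorunasgroup'].get('group', [])` lets that case fall through to the `else` branch as designed. The nested `check_validity` is a line-for-line copy of the one in `sudorule_add_runasuser`; moving it to module level and calling it from both `pre_callback`s keeps the two commands' notion of the reserved word in one place, which matters if the case-insensitive match is later relaxed to allow a group literally named 'all'.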
-- 
1.7.7.2
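The validation the patch adds, reimplemented as a stand-alone added example (this is not FreeIPA's code and not part of the patch above): it extracts the CN from the leftmost RDN of each DN, rejects every case variant of the reserved word ALL, and reports the empty case. The `first_rdn_value` helper is a simplified stand-in for ipapython's DN class and supports no escaping; the `validate_runas` name, its return of an error list instead of raising `errors.ValidationError`, and the input dict shape are assumptions of this example.

```python
# Added example, not FreeIPA's own code. The DN parsing below is a
# deliberate simplification of ipapython's DN class (assumption).

ALL_KEYWORD = u'ALL'


def first_rdn_value(dn):
    """Return the value of the leftmost RDN of a DN string, e.g.
    'cn=admins,cn=groups,cn=accounts,dc=example,dc=com' -> 'admins'.
    Simplified: no support for escaped commas or multi-valued RDNs."""
    first = dn.split(',', 1)[0]
    if '=' not in first:
        raise ValueError('not a DN: %r' % (dn,))
    return first.split('=', 1)[1].strip()


def check_validity(name):
    """Mirror the patch: every case variant of ALL is rejected, so a group
    or user literally named 'all' is rejected as well."""
    return name.upper() != ALL_KEYWORD


def validate_runas(entry, kind):
    """entry maps 'group' and/or 'user' to a list of member DNs (assumed
    shape, modelled on the entry_attrs dicts in the patch). kind is the
    command name used in messages, e.g. 'RunAsUser'.
    Returns a list of (error_name, message) tuples; empty means valid."""
    problems = []
    present = False
    for key in ('group', 'user'):
        dns = entry.get(key, [])      # .get() so a missing key is 'empty'
        if not dns:
            continue
        present = True
        value = first_rdn_value(dns[0])
        if not check_validity(value):
            problems.append(('runas-%s' % key,
                             "%s does not accept '%s' as a %s name"
                             % (kind, value, key)))
    if not present:
        problems.append(('runas-empty',
                         '%s does not accept empty group and user names'
                         % kind))
    return problems


if __name__ == '__main__':
    # Constructed sample input for a local run.
    sample = {'group': ['cn=aLL,cn=groups,cn=accounts,dc=example,dc=com'],
              'user': ['uid=alice,cn=users,cn=accounts,dc=example,dc=com']}
    for name, msg in validate_runas(sample, 'RunAsUser'):
        print('%s: %s' % (name, msg))
```

Keying the lookup by `'group'` and `'user'` rather than by position is the point of the example: the order in which the two members are checked no longer depends on dict iteration order, and a missing key is treated the same as an empty list.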