[Freeipa-devel] [PATCH] 916 make category and members mutually exclusive in Sudo
Martin Kosek
mkosek at redhat.com
Mon Jan 16 13:14:21 UTC 2012
On Mon, 2011-12-12 at 17:14 -0500, Rob Crittenden wrote:
> This patch makes all categories and their equivalent members mutually
> exclusive like in the HBAC plugin. So if you have usercat='all' you
> can't add users.
>
> Added test cases for these as well.
>
> I also modified the default list of attributes to include the RunAs
> attributes.
>
> rob
NACK. I see several issues in this patch:
1) Error messages should be internationalized since they can be read by
a user (this problem is in HBAC too)
2) All constructs like this one can be simplified (and thus made less
error prone).
+ if 'cmdcategory' in _entry_attrs and \
+ _entry_attrs['cmdcategory'][0].lower() == 'all':
+ raise errors.MutuallyExclusiveError(reason="commands cannot be added when command category='all'")
can be changed to:
+ if _entry_attrs.get('cmdcategory', [''])[0].lower() == 'all':
+ raise errors.MutuallyExclusiveError(...)
I think the code would be then also more readable.
3) I think this code only works by an accident :-)
+ if ('ipasudorunasusercategory' or 'ipasudorunasgroupcategory') \
+ in _entry_attrs and \
+ (_entry_attrs['ipasudorunasusercategory'][0].lower() == 'all' or \
+ _entry_attrs['ipasudorunasgroupcategory'][0].lower() == 'all'):
+ raise errors.MutuallyExclusiveError(reason="users cannot be added when runAs user or runAs group category='all'")
('ipasudorunasusercategory' or 'ipasudorunasgroupcategory') simply
returns 'ipasudorunasusercategory'. Thus the check for
'ipasudorunasgroupcategory' in _entry_attrs is not performed at all.
Thanks to this bug, user is then able to pass a runAsGroup to sudorule
with groupcat == 'all':
# ipa sudorule-add foo --runasgroupcat=all
---------------------
Added Sudo Rule "foo"
---------------------
Rule name: foo
Enabled: TRUE
RunAs Group category: all
# ipa sudorule-add-runasuser foo --groups=admins
Rule name: foo
Enabled: TRUE
RunAs Group category: all
Groups of RunAs Users: admins
-------------------------
Number of members added 1
-------------------------
A change proposed in 1) could make the change simpler:
+ if _entry_attrs.get('ipasudorunasusercategory', [''])[0].lower() == 'all' or \
+ _entry_attrs.get('ipasudorunasgroupcategory', [''])[0].lower() == 'all':
+ raise ...
Martin
More information about the Freeipa-devel
mailing list