[Freeipa-devel] [PATCH] 0032 Validate sudo RunAsUser/RunAsGroup arguments

Rob Crittenden rcritten at redhat.com
Fri Jan 13 03:36:52 UTC 2012


Alexander Bokovoy wrote:
> On Thu, 15 Dec 2011, Rob Crittenden wrote:
>>> If this is acceptable, I can do refactoring in a different ticket.
>>
>> NACK.
>>
>> We still have the value passed in by the user, right (in
>> options['user'] and options['group'])? We basically take that,
>> create a DN out of it, then pull the same value out. Why not skip
>> all that and just look at the raw values instead?
>>
>> Or there is already a helper to get the key out of a dn, see
>> self.Object.user.get_primary_key_from_dn(str(group))
>>
>> Also, I found this doesn't handle a list of users or groups. If you
>> pass in --users=joe,all then both get added as external users
>> (assuming joe doesn't already exist, of course).
> Refactored the patch using original values from options[]:
>
> $ ipa sudorule-add-runasuser testr --group=all
> ipa: ERROR: invalid 'runas-user': RunAsUser does not accept 'all' as a group name
> $ ipa sudorule-add-runasuser testr --group=admins,all
> ipa: ERROR: invalid 'runas-user': RunAsUser does not accept 'all' as a group name
> $ ipa sudorule-add-runasuser testr --user=admin,all
> ipa: ERROR: invalid 'runas-user': RunAsUser does not accept 'all' as a user name
> $ ipa sudorule-add-runasgroup testr --group=admin,all
> ipa: ERROR: invalid 'runas-group': RunAsGroup does not accept 'all' as a group name
>
> Accepts a single value or a list.
>
> This is a patch against master (should apply to ipa-2-2 w/o issues).

Tested in 2-2, works fine. ACK.

rob
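
The list case raised in the review (`--users=joe,all`), as an added Python example that is not part of this thread or of FreeIPA's code: a check that looks only at the whole value, beside one that inspects every element of `options['user']` and `options['group']`. The function names, the `ValidationError` stand-in and the case-insensitive comparison are assumptions.

```python
RESERVED = "all"  # assumption: matched case-insensitively


class ValidationError(ValueError):
    """Hypothetical stand-in for the framework's validation error."""

    def __init__(self, name, error):
        super().__init__(f"invalid '{name}': {error}")


def split_values(value):
    """Normalize None, one string, a comma-separated string or a list/tuple."""
    if value is None:
        return []
    if isinstance(value, str):
        value = [value]
    parts = []
    for v in value:
        parts.extend(p.strip() for p in str(v).split(","))
    return [p for p in parts if p]


def check_whole_value_only(value):
    """Flawed variant: catches the reserved word only when it is the entire value."""
    return str(value).lower() != RESERVED


def runas_error(name, label, options):
    """Return the error text for the first reserved entry, or None if all are fine."""
    for kind in ("user", "group"):
        for item in split_values(options.get(kind)):
            if item.lower() == RESERVED:
                return f"invalid '{name}': {label} does not accept '{item}' as a {kind} name"
    return None


def validate_runas(name, label, options):
    """Raise before anything is added if any element is the reserved word."""
    for kind in ("user", "group"):
        for item in split_values(options.get(kind)):
            if item.lower() == RESERVED:
                raise ValidationError(
                    name, f"{label} does not accept '{item}' as a {kind} name")


if __name__ == "__main__":
    # Constructed inputs mirroring the commands quoted in the thread.
    print(check_whole_value_only("joe,all"))  # flawed check lets the list through
    print(runas_error("runas-user", "RunAsUser", {"user": "admin,all"}))
```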



