[Freeipa-devel] [PATCH] 0504 Default read ACIs for Sudo objects

Petr Viktorin pviktori at redhat.com
Tue Apr 8 15:19:03 UTC 2014

On 04/08/2014 12:46 PM, Martin Kosek wrote:
> On 04/08/2014 11:03 AM, Petr Viktorin wrote:
>> On 04/07/2014 01:30 PM, Martin Kosek wrote:
>>> On 04/03/2014 12:09 PM, Petr Viktorin wrote:
>>>> Hello,
>>>> This adds read permissions to read Sudo commands, command groups, rules.
>>>> Read access is given to all authenticated users.
>>> Looks good. What about "ou=sudoers"? I think we should also allow it in this
>>> patch for authenticated users. This is the tree that clients use to read sudo.
>> This new version does that. It needs my patches 0508-0509 since the ou=sudoers
>> permission is not tied to a specific Object plugin.
> I would also allow 'ou', otherwise an authenticated user cannot read the
> ou=sudoers RDN. I will comment on NONOBJECT_PERMISSIONS in the other thread.

Right, I wonder how I missed that.

New patch attached; it needs 0508-0509.2.


-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pviktori-0504.3-Add-managed-read-permissions-to-Sudo-objects-and-ou-.patch
Type: text/x-patch
Size: 5207 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20140408/ecc96456/attachment.bin>

More information about the Freeipa-devel mailing list