[Freeipa-devel] [PATCH] 0504 Default read ACIs for Sudo objects

Martin Kosek mkosek at redhat.com
Wed Apr 9 08:31:58 UTC 2014

On 04/08/2014 05:19 PM, Petr Viktorin wrote:
> On 04/08/2014 12:46 PM, Martin Kosek wrote:
>> On 04/08/2014 11:03 AM, Petr Viktorin wrote:
>>> On 04/07/2014 01:30 PM, Martin Kosek wrote:
>>>> On 04/03/2014 12:09 PM, Petr Viktorin wrote:
>>>>> Hello,
>>>>> This adds read permissions to read Sudo commands, command groups, rules.
>>>>> Read access is given to all authenticated users.
>>>> Looks good. What about "ou=sudoers"? I think we should also allow it in this
>>>> patch for authenticated users. This is the tree that clients use to read sudo.
>>> This new version does that. It needs my patches 0508-0509 since the ou=sudoers
>>> permission is not tied to a specific Object plugin.
>> I would also allow 'ou', otherwise an authenticated user cannot read the
>> ou=sudoers RDN. I will comment on NONOBJECT_PERMISSIONS in the other thread.
> Right, I wonder how I missed that.
> New patch attached; it needs 0508-0509.2.

Sorry for not spotting it earlier, but shouldn't we also add "sudoRunAs"
attribute? It is part of sudoRole objectclass:

objectClasses: ( NAME 'sudoRole' DESC 'Sudoer Entries'
  SUP top STRUCTURAL MUST cn MAY ( sudoUser $ sudoHost $ sudoCommand $ sudoRun
 As $ sudoRunAsUser $ sudoRunAsGroup $ sudoOption $ sudoNotBefore $ sudoNotAft
 er $ sudoOrder $ description ) X-ORIGIN 'SUDO' )

but we seem to not generate it in our compat plugin though. But as it is part
of the objectclass, I would rather add it to avoid any mistakes.

If you add it, it's an ACK from me.


More information about the Freeipa-devel mailing list