[Freeipa-devel] [PATCH] 0504 Default read ACIs for Sudo objects

Martin Kosek mkosek at redhat.com
Wed Apr 9 08:31:58 UTC 2014


On 04/08/2014 05:19 PM, Petr Viktorin wrote:
> On 04/08/2014 12:46 PM, Martin Kosek wrote:
>> On 04/08/2014 11:03 AM, Petr Viktorin wrote:
>>> On 04/07/2014 01:30 PM, Martin Kosek wrote:
>>>> On 04/03/2014 12:09 PM, Petr Viktorin wrote:
>>>>> Hello,
>>>>> This adds read permissions to read Sudo commands, command groups, rules.
>>>>>
>>>>> Read access is given to all authenticated users.
>>>>
>>>> Looks good. What about "ou=sudoers"? I think we should also allow it in this
>>>> patch for authenticated users. This is the tree that clients use to read sudo.
>>>
>>> This new version does that. It needs my patches 0508-0509 since the ou=sudoers
>>> permission is not tied to a specific Object plugin.
>>>
>>
>> I would also allow 'ou', otherwise an authenticated user cannot read the
>> ou=sudoers RDN. I will comment on NONOBJECT_PERMISSIONS in the other thread.
> 
> Right, I wonder how I missed that.
> 
> New patch attached; it needs 0508-0509.2.
> 

Sorry for not spotting it earlier, but shouldn't we also add the "sudoRunAs"
attribute? It is part of the sudoRole objectclass:

objectClasses: ( 1.3.6.1.4.1.15953.9.2.1 NAME 'sudoRole' DESC 'Sudoer Entries'
  SUP top STRUCTURAL MUST cn MAY ( sudoUser $ sudoHost $ sudoCommand $ sudoRunAs $
  sudoRunAsUser $ sudoRunAsGroup $ sudoOption $ sudoNotBefore $ sudoNotAfter $
  sudoOrder $ description ) X-ORIGIN 'SUDO' )

We do not seem to generate it in our compat plugin, though. But as it is part
of the objectclass, I would rather add it to avoid any mistakes.

If you add it, it's an ACK from me.

Martin
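The check Martin does by hand above (does the read permission's attribute list cover every MUST/MAY attribute of sudoRole, plus the ou RDN?) can be automated. The script below is an added example, not FreeIPA code; the ACI strings are constructed in 389-ds syntax and are not FreeIPA's real permission definitions, and the sample one deliberately omits sudoRunAs so the check reports it.

```python
import re

# The sudoRole objectClass as quoted in the thread (unfolded from LDIF line wrapping).
SUDO_ROLE_OBJECTCLASS = (
    "( 1.3.6.1.4.1.15953.9.2.1 NAME 'sudoRole' DESC 'Sudoer Entries' "
    "SUP top STRUCTURAL MUST cn MAY ( sudoUser $ sudoHost $ sudoCommand $ sudoRunAs "
    "$ sudoRunAsUser $ sudoRunAsGroup $ sudoOption $ sudoNotBefore $ sudoNotAfter "
    "$ sudoOrder $ description ) X-ORIGIN 'SUDO' )"
)

# Constructed read ACI for the ou=sudoers tree in 389-ds syntax (not FreeIPA's real
# permission); sudoRunAs is deliberately left out so the check below reports it.
SAMPLE_ACI = (
    '(targetattr = "objectclass || cn || ou || sudoUser || sudoHost || sudoCommand || '
    'sudoRunAsUser || sudoRunAsGroup || sudoOption || sudoNotBefore || sudoNotAfter || '
    'sudoOrder || description")(version 3.0; acl "Read sudoers compat tree"; '
    'allow (read, search, compare) userdn = "ldap:///all";)'
)
FIXED_ACI = SAMPLE_ACI.replace("sudoRunAsUser", "sudoRunAs || sudoRunAsUser")


def objectclass_attrs(definition):
    """Lowercased MUST and MAY attribute names from an RFC 4512 objectClass definition."""
    attrs = set()
    for keyword in ("MUST", "MAY"):
        # Either a parenthesised '$'-separated list or a single bare attribute name.
        m = re.search(keyword + r"\s+(?:\(\s*([^)]*)\)|(\w+))", definition)
        if m:
            body = m.group(1) if m.group(1) is not None else m.group(2)
            attrs.update(a.strip().lower() for a in body.split("$") if a.strip())
    return attrs


def aci_targetattrs(aci):
    """Return (negated, attribute set) from the targetattr clause of a 389-ds ACI."""
    m = re.search(r'targetattr\s*(!?=)\s*"([^"]*)"', aci, re.IGNORECASE)
    if not m:
        raise ValueError("ACI has no targetattr clause")
    names = {a.strip().lower() for a in m.group(2).split("||") if a.strip()}
    return m.group(1) == "!=", names


def missing_attrs(definition, aci, extra=("objectClass", "ou")):
    """Attributes of the objectclass (plus 'extra', e.g. the ou RDN) the ACI does not expose."""
    required = objectclass_attrs(definition) | {e.lower() for e in extra}
    negated, listed = aci_targetattrs(aci)
    if negated:                      # 'targetattr != ...' exposes everything but the list
        return sorted(required & listed)
    if "*" in listed:                # wildcard exposes every attribute
        return []
    return sorted(required - listed)


if __name__ == "__main__":
    print("missing from SAMPLE_ACI:", missing_attrs(SUDO_ROLE_OBJECTCLASS, SAMPLE_ACI))
    print("missing from FIXED_ACI:", missing_attrs(SUDO_ROLE_OBJECTCLASS, FIXED_ACI))
```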
