[Freeipa-devel] [PATCH] 0504 Default read ACIs for Sudo objects

Petr Viktorin pviktori at redhat.com
Wed Apr 9 13:56:34 UTC 2014


On 04/09/2014 10:31 AM, Martin Kosek wrote:
> On 04/08/2014 05:19 PM, Petr Viktorin wrote:
>> On 04/08/2014 12:46 PM, Martin Kosek wrote:
>>> On 04/08/2014 11:03 AM, Petr Viktorin wrote:
>>>> On 04/07/2014 01:30 PM, Martin Kosek wrote:
>>>>> On 04/03/2014 12:09 PM, Petr Viktorin wrote:
>>>>>> Hello,
>>>>>> This adds read permissions to read Sudo commands, command groups, rules.
>>>>>>
>>>>>> Read access is given to all authenticated users.
>>>>>
>>>>> Looks good. What about "ou=sudoers"? I think we should also allow it in this
>>>>> patch for authenticated users. This is the tree that clients use to read sudo.
>>>>
>>>> This new version does that. It needs my patches 0508-0509 since the ou=sudoers
>>>> permission is not tied to a specific Object plugin.
>>>>
>>>
>>> I would also allow 'ou', otherwise an authenticated user cannot read the
>>> ou=sudoers RDN. I will comment on NONOBJECT_PERMISSIONS in the other thread.
>>
>> Right, I wonder how I missed that.
>>
>> New patch attached; it needs 0508-0509.2.
>>
>
> Sorry for not spotting it earlier, but shouldn't we also add "sudoRunAs"
> attribute? It is part of sudoRole objectclass:
>
> objectClasses: ( 1.3.6.1.4.1.15953.9.2.1 NAME 'sudoRole' DESC 'Sudoer Entries'
>   SUP top STRUCTURAL MUST cn MAY ( sudoUser $ sudoHost $ sudoCommand $ sudoRunAs $
>   sudoRunAsUser $ sudoRunAsGroup $ sudoOption $ sudoNotBefore $ sudoNotAfter $
>   sudoOrder $ description ) X-ORIGIN 'SUDO' )
>
> but we seem to not generate it in our compat plugin though. But as it is part
> of the objectclass, I would rather add it to avoid any mistakes.
>
> If you add it, it's an ACK from me.
>
> Martin
>

Thanks for the catch. Added, along with description.

-- 
Petr³
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pviktori-0504.4-Add-managed-read-permissions-to-Sudo-objects.patch
Type: text/x-patch
Size: 5221 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20140409/8091a0a4/attachment.bin>
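The review above boils down to one check: every attribute the sudoRole objectClass allows should be covered by the read permission, otherwise an authenticated client can read the entry but not one of its attributes (sudoRunAs and description were the ones missed). The script below is an added illustration of that check, not code from this thread or from the FreeIPA patch: it parses the objectClass definition quoted in the thread and reports which attributes a permission's attribute list does not grant. The permission attribute list `EXAMPLE_PERMISSION_ATTRS` is constructed for the example to resemble the state being reviewed; it is not taken from the attached patch.

```python
import re

# The sudoRole objectClass definition quoted in the thread, unwrapped onto
# one string (constructed sample input for this example).
SUDO_ROLE_SCHEMA = (
    "( 1.3.6.1.4.1.15953.9.2.1 NAME 'sudoRole' DESC 'Sudoer Entries' "
    "SUP top STRUCTURAL MUST cn MAY ( sudoUser $ sudoHost $ sudoCommand $ sudoRunAs "
    "$ sudoRunAsUser $ sudoRunAsGroup $ sudoOption $ sudoNotBefore $ sudoNotAfter "
    "$ sudoOrder $ description ) X-ORIGIN 'SUDO' )"
)

# Constructed attribute list of a hypothetical read permission, deliberately
# lacking sudoRunAs and description (the two attributes the review caught).
EXAMPLE_PERMISSION_ATTRS = [
    "objectclass", "cn", "sudoUser", "sudoHost", "sudoCommand",
    "sudoRunAsUser", "sudoRunAsGroup", "sudoOption",
    "sudoNotBefore", "sudoNotAfter", "sudoOrder",
]


def _attr_list(schema, keyword):
    """Return the attribute names following a MUST or MAY keyword.

    Handles both the bare form ("MUST cn") and the parenthesised,
    dollar-separated form ("MAY ( a $ b $ c )") used in RFC 4512 schema.
    """
    match = re.search(r"\b" + keyword + r"\s+(\(\s*([^)]*)\)|(\S+))", schema)
    if not match:
        return []
    body = match.group(2) if match.group(2) is not None else match.group(3)
    return [attr.strip() for attr in body.split("$") if attr.strip()]


def objectclass_attributes(schema):
    """All attributes an entry of this objectClass may carry: MUST then MAY."""
    return _attr_list(schema, "MUST") + _attr_list(schema, "MAY")


def missing_read_attributes(schema, permission_attrs):
    """Attributes of the objectClass that the permission does not grant.

    LDAP attribute names are case-insensitive, so compare in lower case.
    An empty result means the permission covers the whole objectClass.
    """
    granted = {attr.lower() for attr in permission_attrs}
    return [attr for attr in objectclass_attributes(schema)
            if attr.lower() not in granted]


if __name__ == "__main__":
    gaps = missing_read_attributes(SUDO_ROLE_SCHEMA, EXAMPLE_PERMISSION_ATTRS)
    if gaps:
        print("read permission does not cover:", ", ".join(gaps))
    else:
        print("read permission covers every sudoRole attribute")
```

Run against the constructed permission it reports `sudoRunAs, description`; after adding those two attributes the list is empty. Note that the check only compares the schema against the permission's attribute list; it does not tell you whether the compat plugin actually generates a given attribute, which is why the review argues for granting the whole objectClass rather than only the attributes currently emitted.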

