[Freeipa-devel] Sudoers schema

Dmitri Pal dpal at redhat.com
Tue Aug 3 23:29:14 UTC 2010


JR Aquino wrote:
> ~ipaSudoComand~
>
> I'd like to know what the group thinks about the possibility of using ipaSudoComand as a DN to an object containing sudoCommand attributes, rather than just being a static attribute itself.
>
> I believe this is already being done/suggested in a similar manner with memberUser and memberHost.
>
> We found here at Citrix Online that the roles tend to reuse all 3 elements pretty heavily: userGroups, hostGroups, and commandGroups.
>
> For PCI-DSS reasons, it tends to make it a lot easier to say:
>
> "These groups of users have login rights to these groups of hosts, and are permitted to sudo these groups of commands."
>
> Rather than having to search for individual attribute entries in the role objects themselves.
>
>   

That was the original design, however I was told that this is not
something people will be interested in. Thanks for your data point, but to
change it we probably need a couple more data points and comments.

> ~hostMask~
>
> I feel inclined to agree with Dmitri regarding a deferral on the hostMask attribute for resource sake.  I tend to see the data center design stick closer to hostname utilization, rather than subnets... I.E. people tend to put a mixed bag of servers in the same subnet, but they tend to make sure that like servers have similar hostnames or sane hostnames that can have a floating IP address in the case of clustering, or high-availability, etc, etc.  That is just my observation. Feel free to correct me if I am grossly out of spec for the rest of the industry.
>   

This will really be a relief not to support it for now.

> ~Using memberUser as slight of hand over netgroups~
>
> It's my understanding that the sudo source does a "getent netgroup" style of lookup to search ldap for the netgroup... if that is correct, it may indeed be necessary to utilize the compat function to share the hostgroups with sudo...
>
> The overall goal, again, being to eliminate duplication of info: prod-servers hostgroup == prod-servers netgroup... vs prod-servers hostgroup contains the same manually duplicated servers as prod-servers netgroup...
>   

The problem is that it is the reverse.
Since for IPA the host groups are the primary concept and the netgroup is
something we want to phase out, the logic is the following:
* Hosts are grouped into the host groups.
* A netgroup is a shallow container around the host group.
In our model a host group can be a member of the netgroup, not vice versa.
But this is not related to the question at hand.

The question regarding memberUser is that the sudo spec allows using a
netgroup to refer to a set of users. This is really an atavism, to use
netgroups to reference a set of users instead of a direct user group.
The question is: can we assume it to be an atavism and not support it?
I updated the page so this point is more clear.



> ~users by uid and gid~
>
> If by uid/gid he means numerical representation, 
Yes this is number vs. string question.
> then I say, I wouldn't worry about it.  Fully spelled out alpha Username / Group entries seem sane.
>   

Good!
>
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> Jr Aquino, GCIH | Information Security Specialist
> Citrix Online | 6500 Hollister Avenue | Goleta, CA 93117
>
> _______________________________________________
> Freeipa-devel mailing list
> Freeipa-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-devel
>
>
>   
Thank you for the comment. I think the only missing point is about
"negating the whole rule" instead of per command.
Do you agree that it would be more manageable as proposed?

-- 
Thank you,
Dmitri Pal

Engineering Manager IPA project,
Red Hat Inc.

