[Freeipa-devel] Sudo Schema Bug/Feature

Dmitri Pal dpal at redhat.com
Sun Oct 3 17:13:00 UTC 2010 

Dmitri Pal wrote:
>> How do we adjust FreeIPA such that it ensures Deny-IPASudoRules precede any Allow-IPASudoRules ?
>>   
>>     
> So it looks like current schema would not fly well with SUDO due to SUDO
> bug/feature. SUDO will match just any first rule that satisfies the
> user-hpost-command combination but we can't guarantee that rules come in
> the same order. So there is a possibility that allow rule will come
> before deny rule in our case and will be matched.
> It is unfortunate and should be fixed by SUDO. In a meantime we need to
> alter the schema to be able to express allowed and not allowed commands
> in one rule.
> It will be up to the admin to know the limitations of SUDO based on the
> documentation we provide and construct the rules in a non contradicting
> way. We might be able to add some nice checks in future.
>
> So here is current schema:
>
> objectClasses: (2.16.840.1.113730.3.8.8.TBD 
>                 NAME 'ipaSudoRule' 
>                 SUP ipaAssociation 
>                 STRUCTURAL 
>                 MUST accessRuleType
>                 MAY ( externalUser $ 
>                       externalHost $ hostMask $ 
>                       memberCmd $ cmdCategory $
>                       ipaSudoOpt $
>                       ipaSudoRunAs $ ipaSudoRunAsExtUser $ ipaSudoRunAsUserCategory $
>                       ipaSudoRunAsGroup $ ipaSudoRunAsExtGroup $ ipaSudoRunAsGroupCategory ) 
>                 X-ORIGIN 'IPA v2' )
>
>
> We will :
> * Remove accessRuleType
> * Add memberNotCmd same a memberCmd
>
> attributeTypes: (2.16.840.1.113730.3.8.7.TBD 
>                  NAME 'memberNotCmd' 
>                  DESC 'Reference to a command or group of the commands that is not allowed.' 
>                  SUP distinguishedName 
>                  EQUALITY distinguishedNameMatch 
>                  ORDERING distinguishedNameMatch 
>                  SUBSTR distinguishedNameMatch 
>                  SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 
>                  X-ORIGIN 'IPA v2' )
>
>
> The logic then will be:
> * If no memberCmd, memberNotCmd or cmdCategory attribute is specified -
> no command is allowed
> * If cmdCategory is specified (only value is "all") all other attributes
> are ignored and all commands are allowed
> * If cmdCategory is not specified
>      * If memberCmd is specified it defines commands or groups of the
> commands that are allowed
>      * If memberNotCmd is specified it defines commands or groups of the
> commands that are not allowed
>      Both attributes are allowed at the same time defining allowed and
> not allowed commands within the same rule.
>
> This does not solve the problem fully but at least gets us into the same
> boat as current SUDO schema.
>
> Comments welcome!
> If there are no objections by end of Friday I will craft a patch over
> the weekend.
>
> Thanks
> Dmitri
>
>
>   

I updated the wiki and implemented the change.
Patch is attached.



> _______________________________________________
> Freeipa-devel mailing list
> Freeipa-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-devel
>
>
>   


-- 
Thank you,
Dmitri Pal

Engineering Manager IPA project,
Red Hat Inc.


-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001--SUDO-Allow-and-deny-commands-in-one-rule.patch
Type: text/x-patch
Size: 8626 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20101003/06c80688/attachment.bin>

More information about the Freeipa-devel mailing list