[Freeipa-devel] Sudo Schema Bug/Feature

Rob Crittenden rcritten at redhat.com
Wed Oct 6 01:39:00 UTC 2010


JR Aquino wrote:
> On Oct 4, 2010, at 2:02 PM, Rob Crittenden wrote:
>
>> Dmitri Pal wrote:
>>> Dmitri Pal wrote:
>>>> Dmitri Pal wrote:
>>>>
>>>>>> How do we adjust FreeIPA such that it ensures Deny-IPASudoRules precede any Allow-IPASudoRules ?
>>>>>>
>>>>> So it looks like current schema would not fly well with SUDO due to SUDO
>>>>> bug/feature. SUDO will match just any first rule that satisfies the
>>>>> user-host-command combination but we can't guarantee that rules come in
>>>>> the same order. So there is a possibility that allow rule will come
>>>>> before deny rule in our case and will be matched.
>>>>> It is unfortunate and should be fixed by SUDO. In the meantime we need to
>>>>> alter the schema to be able to express allowed and not allowed commands
>>>>> in one rule.
>>>>> It will be up to the admin to know the limitations of SUDO based on the
>>>>> documentation we provide and construct the rules in a non-contradicting
>>>>> way. We might be able to add some nice checks in future.
>>>>>
>>>>> So here is current schema:
>>>>>
>>>>> objectClasses: (2.16.840.1.113730.3.8.8.TBD
>>>>>                  NAME 'ipaSudoRule'
>>>>>                  SUP ipaAssociation
>>>>>                  STRUCTURAL
>>>>>                  MUST accessRuleType
>>>>>                  MAY ( externalUser $
>>>>>                        externalHost $ hostMask $
>>>>>                        memberCmd $ cmdCategory $
>>>>>                        ipaSudoOpt $
>>>>>                        ipaSudoRunAs $ ipaSudoRunAsExtUser $ ipaSudoRunAsUserCategory $
>>>>>                        ipaSudoRunAsGroup $ ipaSudoRunAsExtGroup $ ipaSudoRunAsGroupCategory )
>>>>>                  X-ORIGIN 'IPA v2' )
>>>>>
>>>>>
>>>>> We will:
>>>>> * Remove accessRuleType
>>>>> * Add memberNotCmd same as memberCmd
>>>>>
>>>>> attributeTypes: (2.16.840.1.113730.3.8.7.TBD
>>>>>                   NAME 'memberNotCmd'
>>>>>                   DESC 'Reference to a command or group of the commands that is not allowed.'
>>>>>                   SUP distinguishedName
>>>>>                   EQUALITY distinguishedNameMatch
>>>>>                   ORDERING distinguishedNameMatch
>>>>>                   SUBSTR distinguishedNameMatch
>>>>>                   SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
>>>>>                   X-ORIGIN 'IPA v2' )
>>>>>
>>>>>
>>>>> The logic then will be:
>>>>> * If no memberCmd, memberNotCmd or cmdCategory attribute is specified -
>>>>> no command is allowed
>>>>> * If cmdCategory is specified (only value is "all") all other attributes
>>>>> are ignored and all commands are allowed
>>>>> * If cmdCategory is not specified
>>>>>       * If memberCmd is specified it defines commands or groups of the
>>>>> commands that are allowed
>>>>>       * If memberNotCmd is specified it defines commands or groups of the
>>>>> commands that are not allowed
>>>>>       Both attributes are allowed at the same time defining allowed and
>>>>> not allowed commands within the same rule.
>>>>>
>>>>> This does not solve the problem fully but at least gets us into the same
>>>>> boat as current SUDO schema.
>>>>>
>>>>> Comments welcome!
>>>>> If there are no objections by end of Friday I will craft a patch over
>>>>> the weekend.
>>>>>
>>>>> Thanks
>>>>> Dmitri
>>>>>
>>>>
>>>> I updated the wiki and implemented the change.
>>>> Patch is attached.
>>>>
>>>
>>> Rebased patch attached.
>>
>> ack, pushed to master.
>>
>> JR, can you fix up the sudo plugins to match this new schema?
>>
>> thanks
>>
>> rob
>
>
> Attached is the patch for modifications to sudorule and its test suite to accommodate the schema redesign.
>
> We now create allow rules or deny rules and no longer reference accessruletype.
>

ack, pushed to master.

The -del tests are still failing but I confirmed that with Pavel's 
patches these tests pass. Those patches just need a little more work.

rob
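The allow/deny evaluation order Dmitri lays out above, together with the sudo first-match behaviour that motivated the redesign, as an added Python example written for this thread. It is not FreeIPA's sudorule plugin and not sudo's LDAP backend. Rule entries are plain dicts of attribute name to list of values, command groups are a dict mapping a group DN to its member command DNs, and every DN is constructed sample data. One point the thread leaves to the admin is what happens when a single rule lists a command under both memberCmd and memberNotCmd; this example assumes memberNotCmd is checked first, so such a command is denied.

```python
# Added example for this thread: not FreeIPA's sudorule plugin and not
# sudo's LDAP backend. Rules are dicts of attribute name -> list of values,
# the shape an LDAP search result takes; all DNs below are constructed samples.

BASE = "cn=sudocmds,cn=sudo,dc=example,dc=com"
GROUP_BASE = "cn=sudocmdgroups,cn=sudo,dc=example,dc=com"
REBOOT = "sudocmd=/usr/sbin/reboot," + BASE
VIM = "sudocmd=/usr/bin/vim," + BASE
ADMIN_CMDS = "cn=admin-cmds," + GROUP_BASE

# Command group membership: group DN -> member command DNs (constructed).
GROUPS = {ADMIN_CMDS: [REBOOT, VIM]}


def _norm(dn):
    """DNs compare case-insensitively; this is enough for the illustration."""
    return dn.strip().lower()


def command_matches(cmd_dn, refs, groups):
    """True if cmd_dn is referenced directly in refs or through a command group in refs."""
    target = _norm(cmd_dn)
    for ref in refs:
        if _norm(ref) == target:
            return True
        if any(_norm(member) == target for member in groups.get(ref, [])):
            return True
    return False


def evaluate_rule(rule, cmd_dn, groups=GROUPS):
    """Apply one ipaSudoRule entry to a command in the order stated in the thread.

    Returns 'allow', 'deny', or None when the rule grants nothing for cmd_dn.
    """
    category = rule.get("cmdCategory", [])
    if category:
        # cmdCategory overrides every other command attribute; "all" is its only value.
        if _norm(category[0]) == "all":
            return "allow"
        raise ValueError("unsupported cmdCategory value: %r" % category[0])

    allowed = rule.get("memberCmd", [])
    denied = rule.get("memberNotCmd", [])
    if not allowed and not denied:
        # No command attribute at all: the rule allows no command.
        return None

    # Assumption of this example: within one rule a command that is both
    # listed and not-listed is treated as denied. The thread leaves avoiding
    # such contradictions to the admin.
    if command_matches(cmd_dn, denied, groups):
        return "deny"
    if command_matches(cmd_dn, allowed, groups):
        return "allow"
    return None


def first_match(rules, cmd_dn, groups=GROUPS):
    """Model the sudo behaviour described in the thread: the first matching rule decides."""
    for rule in rules:
        verdict = evaluate_rule(rule, cmd_dn, groups)
        if verdict is not None:
            return verdict
    return None


def order_dependent(rules, cmd_dn, groups=GROUPS):
    """True if the outcome for cmd_dn changes when the rules arrive in reverse order."""
    forward = first_match(rules, cmd_dn, groups)
    backward = first_match(list(reversed(rules)), cmd_dn, groups)
    return forward != backward


if __name__ == "__main__":
    # Two separate rules, as under the old schema: the result depends on order.
    allow_rule = {"memberCmd": [ADMIN_CMDS]}
    deny_rule = {"memberNotCmd": [REBOOT]}
    print(first_match([allow_rule, deny_rule], REBOOT))  # allow
    print(first_match([deny_rule, allow_rule], REBOOT))  # deny
    print(order_dependent([allow_rule, deny_rule], REBOOT))  # True

    # One rule carrying both attributes, as under the new schema: no ordering problem.
    combined = {"memberCmd": [ADMIN_CMDS], "memberNotCmd": [REBOOT]}
    print(evaluate_rule(combined, REBOOT))  # deny
    print(evaluate_rule(combined, VIM))  # allow
```

Run as a script to see the contrast: with a separate allow rule and deny rule, the answer for /usr/sbin/reboot flips depending on which entry the directory returns first, which is exactly the ordering guarantee LDAP does not give. With both attributes in one entry the verdict no longer depends on result order, which is what the memberNotCmd addition buys; it does not stop a second, unrelated allow rule from matching first, which is the part the thread says still needs fixing in sudo itself.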
