[Freeipa-devel] [PATCH] 0032 Validate sudo RunAsUser/RunAsGroup arguments
Alexander Bokovoy
abokovoy at redhat.com
Mon Dec 12 22:55:36 UTC 2011
On Mon, 12 Dec 2011, Rob Crittenden wrote:
> >>actual members, it treats it as a no-op. We should probably be
> >>consistent.
> >Don't understand. Did you mean 'to not provide any actual members'?
> >
> >In case you did, the attached patch removes the remaining checks for
> >runas_{user,group} to be False.
> >
> >
> >>It would probably be better to return the value as passed in by the
> >>user rather than user[0].value.
> >The issue here is that names come to the callback already as DNs from
> >LDAPAddMember's execute() method. Strictly speaking it is already
> >different to what user has entered as we do expansion by default to
> >add $SUFFIX and appropriate container.
> >
> >In the updated patch I tried to reduce DN to something reasonable by
> >relying on known containers and only showing full DN for cases when
> >these are not users/groups containers.
> >
>
> ACK on this patch.
>
> Do we need to add something similar to the HBAC plugin and sudorule-add-user,
> add-command, etc?
I was thinking about it as well; it probably makes sense, indeed. What
about making the reduction code a method of DN itself?
Something like
class DN:
    def relative_to(self, env, cn_name):
        # Look up the container for this object type (e.g. env.container_user)
        # and build its full DN under env.basedn.
        try:
            cn_ = 'container_%s' % (cn_name)
            if cn_ in env:
                cn = DN(env[cn_]) + DN(env.basedn)
            else:
                return self
        except (AttributeError, ValueError):
            # env has no basedn, or the container value is not a valid DN
            return self
        # Inside the known container: show only the leading RDN value
        if self.endswith(cn):
            return self[0].value
        # Otherwise fall back to the full DN
        return self

print(dn.relative_to(env, 'user'))
If this is acceptable, I can do refactoring in a different ticket.
--
/ Alexander Bokovoy
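The reduction sketched in the message above, worked through as an added example that is not FreeIPA's code: the DN class here is a small hand-written stand-in for ipapython.dn.DN (single-valued RDNs, backslash escapes only), ENV is a constructed environment whose keys follow the 'container_%s' and 'basedn' naming from the thread, and relative_to() is a free function rather than a DN method so it runs stand-alone. It goes slightly beyond the sketch in two ways: the suffix test is done RDN by RDN instead of on the DN string, and only an immediate child of the container is reduced to its leading RDN value.

```python
"""Reduce a DN to a short name when it sits directly under a known container.

Added example, not FreeIPA's code. DN is a hand-written stand-in for
ipapython.dn.DN; ENV is a constructed environment (assumed layout).
"""

ENV = {
    'container_user': 'cn=users,cn=accounts',
    'container_group': 'cn=groups,cn=accounts',
    'basedn': 'dc=example,dc=com',
}


def split_rdns(dn):
    """Split a DN string on unescaped commas, keeping '\\,' inside an RDN.
    Simplified RFC 4514 handling: no quoted values, no hex escapes."""
    rdns, buf, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == '\\' and i + 1 < len(dn):
            buf.append(dn[i:i + 2])   # keep the escape pair verbatim
            i += 2
            continue
        if ch == ',':
            rdns.append(''.join(buf).strip())
            buf = []
        else:
            buf.append(ch)
        i += 1
    rdns.append(''.join(buf).strip())
    return [r for r in rdns if r]


class DN(object):
    """Ordered (attribute, value) RDNs, compared component-wise and
    case-insensitively (a simplification of per-attribute matching rules)."""

    def __init__(self, text=''):
        self.rdns = []
        for rdn in split_rdns(text):
            attr, sep, value = rdn.partition('=')
            if not sep or not attr.strip():
                raise ValueError('malformed RDN: %r' % rdn)
            self.rdns.append((attr.strip(), value.strip()))

    def __add__(self, other):
        joined = DN()
        joined.rdns = self.rdns + other.rdns
        return joined

    def __len__(self):
        return len(self.rdns)

    def __getitem__(self, i):
        return self.rdns[i]

    def __str__(self):
        return ','.join('%s=%s' % rdn for rdn in self.rdns)

    def _key(self):
        return [(a.lower(), v.lower()) for a, v in self.rdns]

    def endswith(self, other):
        """True if the trailing RDNs of self equal other, component-wise."""
        n = len(other)
        return n <= len(self) and self._key()[len(self) - n:] == other._key()


def relative_to(dn, env, cn_name):
    """Leading RDN value if dn is an immediate child of the container for
    cn_name (e.g. 'user'), otherwise the full DN as a string."""
    try:
        container = DN(env['container_%s' % cn_name]) + DN(env['basedn'])
    except (KeyError, ValueError):
        return str(dn)
    # Exactly one RDN above the container: a deeper entry such as
    # uid=x,cn=sub,cn=users,... must not be shown as a plain 'x'.
    if len(dn) == len(container) + 1 and dn.endswith(container):
        return dn[0][1]
    return str(dn)


def naive_relative_to(dn_text, env, cn_name):
    """String suffix matching, shown only to contrast with relative_to():
    an escaped comma in an RDN value makes an entry outside the container
    look like it is inside."""
    container = '%s,%s' % (env['container_%s' % cn_name], env['basedn'])
    if dn_text.endswith(',' + container):
        return dn_text[:-len(container) - 1].split('=', 1)[1]
    return dn_text


if __name__ == '__main__':
    for text, kind in [
        ('uid=admin,cn=users,cn=accounts,dc=example,dc=com', 'user'),
        ('cn=admins,cn=groups,cn=accounts,dc=example,dc=com', 'user'),
        ('cn=evil\\,cn=users,cn=accounts,dc=example,dc=com', 'user'),
    ]:
        print('%s (%s) -> %s' % (text, kind, relative_to(DN(text), ENV, kind)))
```

The constructed entry cn=evil\,cn=users,cn=accounts,dc=example,dc=com lives directly under cn=accounts, not in the users container, yet a string-level endswith() accepts it and naive_relative_to() prints it as the user "evil\"; comparing RDN components keeps the full DN visible. The immediate-child requirement is the other check a reviewer would want before the short form is shown in command output, since a nested entry reduced to its first RDN reads exactly like a regular user or group.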