[Freeipa-devel] [PATCH] 0032 Validate sudo RunAsUser/RunAsGroup arguments

Alexander Bokovoy abokovoy at redhat.com
Mon Dec 12 22:55:36 UTC 2011


On Mon, 12 Dec 2011, Rob Crittenden wrote:
> >>actual members, it treats it as a no-op. We should probably be
> >>consistent.
> >Don't understand. Did you mean 'to not provide any actual members'?
> >
> >In case you did, attached patch removes remaining checks for
> >runas_{user,group} to be False.
> >
> >
> >>It would probably be better to return the value as passed in by the
> >>user rather than user[0].value.
> >The issue here is that names come to the callback already as DNs from
> >LDAPAddMember's execute() method. Strictly speaking it is already
> >different to what user has entered as we do expansion by default to
> >add $SUFFIX and appropriate container.
> >
> >In the updated patch I tried to reduce DN to something reasonable by
> >relying on known containers and only showing full DN for cases when
> >these are not users/groups containers.
> >
> 
> ACK on this patch.
> 
> Do we need to add similar to HBAC plugin and sudorule-add-user,
> add-command, etc?
I was thinking about it as well; it probably makes sense, indeed. What 
about making the reduction code a method of DN itself?

Something like

class DN:
    def relative_to(self, env, cn_name):
        # Build the known container DN (env.container_<cn_name> + env.basedn);
        # if the container is unknown, or building it fails, keep the full DN.
        try:
            cn_ = 'container_%s' % (cn_name)
            if cn_ in env:
                cn = DN(env[cn_]) + DN(env.basedn)
            else:
                return self
        except Exception:
            return self
        # Entry lives under the known container: show only the leading RDN value.
        if self.endswith(cn):
            return self[0].value
        return self


print dn.relative_to(env, 'user')

If this is acceptable, I can do refactoring in a different ticket.
-- 
/ Alexander Bokovoy
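The DN reduction sketched in the message above, written out as an added example that is not FreeIPA's code nor the author's patch: it works on plain DN strings so it runs without ipapython, assumes the FreeIPA-style environment keys `container_<name>` and `basedn`, and goes one step beyond the sketch by requiring the entry to sit directly in the container (the sketch's endswith() would also accept deeper entries, whose leading RDN alone would be an ambiguous display form). The `ENV` dictionary and the DNs in the tests are constructed sample data.

```python
# Added example, not FreeIPA code: string-based DN reduction for display,
# mirroring the DN.relative_to(env, cn_name) sketch from the thread.
# Assumed env layout: env['container_<name>'] (relative to basedn) and env['basedn'].

ENV = {                                   # constructed sample environment
    'container_user': 'cn=users,cn=accounts',
    'container_group': 'cn=groups,cn=accounts',
    'basedn': 'dc=example,dc=com',
}


def split_rdns(dn):
    """Split a DN string into [(attr, value), ...], honouring backslash-escaped
    characters such as '\\,'. Multi-valued RDNs ('+') are not handled (assumption)."""
    rdns, buf, escaped = [], [], False
    for ch in dn:
        if escaped:
            buf.append(ch)                # keep the escaped character literally
            escaped = False
        elif ch == '\\':
            escaped = True
        elif ch == ',':
            rdns.append(''.join(buf))
            buf = []
        else:
            buf.append(ch)
    rdns.append(''.join(buf))
    result = []
    for rdn in rdns:
        attr, sep, value = rdn.partition('=')
        if not sep or not attr.strip():
            raise ValueError('malformed RDN: %r' % rdn)
        result.append((attr.strip().lower(), value.strip()))
    return result


def normalize(rdns):
    # Attribute types are case-insensitive, and the cn/dc values of the
    # container and suffix use caseIgnore matching, so compare lowercase.
    return [(attr, value.lower()) for attr, value in rdns]


def relative_to(dn, env, cn_name):
    """Return only the leading RDN value when dn sits directly under the known
    container env['container_<cn_name>'] + env['basedn']; otherwise return
    the full DN unchanged, exactly as the sketch falls back to self."""
    key = 'container_%s' % cn_name
    if key not in env or 'basedn' not in env:
        return dn
    try:
        container = split_rdns(env[key]) + split_rdns(env['basedn'])
        parts = split_rdns(dn)
    except ValueError:
        return dn
    # Stricter than endswith(): exactly one RDN deeper than the container.
    if len(parts) == len(container) + 1 and normalize(parts[1:]) == normalize(container):
        return parts[0][1]
    return dn


if __name__ == '__main__':
    for name, dn in [('user', 'uid=admin,cn=users,cn=accounts,dc=example,dc=com'),
                     ('group', 'uid=admin,cn=users,cn=accounts,dc=example,dc=com'),
                     ('group', 'cn=wheel,cn=groups,cn=accounts,dc=example,dc=com')]:
        print('%-5s %s -> %s' % (name, dn, relative_to(dn, ENV, name)))
```

The fallback to the full DN is deliberate: a RunAsUser entry outside the users container (or one nested deeper than expected) is exactly the case an administrator needs to see in full rather than as a bare name that could be mistaken for an ordinary user.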
