[Freeipa-devel] IPA Sudo queries.
Gowrishankar Rajaiyan
gsr at redhat.com
Fri Jun 3 19:11:40 UTC 2011
Hi All,
1. While adding a runasgroup I see its entry in its ipaUniqueID
dn; however, I do not see it in "dn: cn=sudorule1" as I do when
adding a group using "ipa sudorule-add-runasuser rulename --groups=group1".
I am not sure whether this is by design.
[root@bumblebee ipa-sudo]# ipa sudorule-add-runasgroup sudorule1 --groups=group2
Rule name: sudorule1
Enabled: TRUE
Sudo Deny Commands: /bin/ls
Run As Group: group2
-------------------------
Number of members added 1
-------------------------
dn: ipaUniqueID=78c97b54-8d01-11e0-b6e8-525400deab7b,cn=sudorules,cn=sudo,dc=lab,dc=eng,dc=pnq,dc=redhat,dc=com
objectClass: ipaassociation
objectClass: ipasudorule
ipaEnabledFlag: TRUE
cn: sudorule1
ipaUniqueID: 78c97b54-8d01-11e0-b6e8-525400deab7b
memberDenyCmd: sudocmd=/bin/ls,cn=sudocmds,cn=sudo,dc=lab,dc=eng,dc=pnq,dc=redhat,dc=com
ipaSudoRunAs: cn=group1,cn=groups,cn=accounts,dc=lab,dc=eng,dc=pnq,dc=redhat,dc=com
ipaSudoRunAsExtUser: test
ipaSudoRunAsGroup: cn=group2,cn=groups,cn=accounts,dc=lab,dc=eng,dc=pnq,dc=redhat,dc=com <-----
# sudorule1, sudoers, lab.eng.pnq.redhat.com
dn: cn=sudorule1,ou=sudoers,dc=lab,dc=eng,dc=pnq,dc=redhat,dc=com
objectClass: sudoRole
objectClass: extensibleObject
objectClass: top
sudoCommand: !/bin/ls
sudorunasuser: test
sudorunasuser: %group1
sudorunasgroup: group1 <---- added as "ipa sudorule-add-runasuser sudorule1 --groups=group1"
{{{sudorunasgroup: group2}}} <------- expected here
cn: sudorule1
2. Also, I would like to know the difference between the following two commands:
Command 1: ipa sudorule-add-runasuser --groups=LIST (comma-separated list of groups to add)
# ipa help sudorule-add-runasuser
Purpose: Add user for Sudo to execute as.
[...]
--users=LIST comma-separated list of users to add
--groups=LIST comma-separated list of groups to add
Command 2: ipa sudorule-add-runasgroup --groups=LIST (comma-separated list of groups to add)
I see the following in DS after using these commands:
1. # ipa sudorule-add-runasuser rule1 --users=user1 --groups=group1
Rule name: rule1
Enabled: TRUE
RunAs External User: user1
-------------------------
Number of members added 2
-------------------------
In DS:
# rule1, sudoers, lab.eng.pnq.redhat.com
dn: cn=rule1,ou=sudoers,dc=lab,dc=eng,dc=pnq,dc=redhat,dc=com
objectClass: sudoRole
objectClass: extensibleObject
objectClass: top
sudorunasuser: user1 <------
sudorunasuser: %group1
sudorunasgroup: group1 <------
cn: rule1
# 30f45cc8-8e40-11e0-bdf9-525400deab7b, sudorules, sudo, lab.eng.pnq.redhat.com
dn: ipaUniqueID=30f45cc8-8e40-11e0-bdf9-525400deab7b,cn=sudorules,cn=sudo,dc=lab,dc=eng,dc=pnq,dc=redhat,dc=com
objectClass: ipaassociation
objectClass: ipasudorule
ipaEnabledFlag: TRUE
cn: rule1
ipaUniqueID: 30f45cc8-8e40-11e0-bdf9-525400deab7b
ipaSudoRunAs: cn=group1,cn=groups,cn=accounts,dc=lab,dc=eng,dc=pnq,dc=redhat,dc=com
ipaSudoRunAsExtUser: user1
2. # ipa sudorule-add-runasgroup rule1 --groups=group2
Rule name: rule1
Enabled: TRUE
Run As Group: group2
-------------------------
Number of members added 1
-------------------------
In DS:
No group2 in cn=rule1
# rule1, sudoers, lab.eng.pnq.redhat.com
dn: cn=rule1,ou=sudoers,dc=lab,dc=eng,dc=pnq,dc=redhat,dc=com
objectClass: sudoRole
objectClass: extensibleObject
objectClass: top
sudorunasuser: user1
sudorunasuser: %group1
sudorunasgroup: group1
cn: rule1
# 30f45cc8-8e40-11e0-bdf9-525400deab7b, sudorules, sudo, lab.eng.pnq.redhat.com
dn: ipaUniqueID=30f45cc8-8e40-11e0-bdf9-525400deab7b,cn=sudorules,cn=sudo,dc=lab,dc=eng,dc=pnq,dc=redhat,dc=com
objectClass: ipaassociation
objectClass: ipasudorule
ipaEnabledFlag: TRUE
cn: rule1
ipaUniqueID: 30f45cc8-8e40-11e0-bdf9-525400deab7b
ipaSudoRunAs: cn=group1,cn=groups,cn=accounts,dc=lab,dc=eng,dc=pnq,dc=redhat,dc=com <---
ipaSudoRunAsExtUser: user1
ipaSudoRunAsGroup: cn=group2,cn=groups,cn=accounts,dc=lab,dc=eng,dc=pnq,dc=redhat,dc=com <----
3. Should a normal user be given privileges to view all the sudo rules
and their details? I do not think this is necessary except for host
principals and admin users. Please comment.
~]$ klist
Ticket cache: FILE:/tmp/krb5cc_1179400003
Default principal: shanks@LAB.ENG.PNQ.REDHAT.COM
Valid starting     Expires            Service principal
06/03/11 09:34:33  06/04/11 09:34:28  krbtgt/LAB.ENG.PNQ.REDHAT.COM@LAB.ENG.PNQ.REDHAT.COM
06/03/11 09:34:37  06/04/11 09:34:28  HTTP/bumblebee.lab.eng.pnq.redhat.com@LAB.ENG.PNQ.REDHAT.COM
~]$ ipa sudorule-find --all
dn: ipauniqueid=78c97b54-8d01-11e0-b6e8-525400deab7b,cn=sudorules,cn=sudo,dc=lab,dc=eng,dc=pnq,dc=redhat,dc=com
Rule name: sudorule1
Enabled: TRUE
Sudo Deny Commands: /bin/ls
Run As Group: group2, group1
RunAs External User: test, test1
ipasudoopt: env_keep = LANG LC_ADDRESS LC_CTYPE LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE LC_TIME LC_ALL LANGUAGE LINGUAS XDG_SESSION_COOKIE
ipauniqueid: 78c97b54-8d01-11e0-b6e8-525400deab7b
objectclass: ipaassociation, ipasudorule
--
Regards,
Shanks
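The attribute-by-attribute comparison behind points 1 and 2 of the mail, as an added example that is not part of the original message or of FreeIPA: a small Python script that parses the native ipasudorule entry and the compat-tree sudoRole entry for sudorule1 (re-joined from the wrapped text above, as constructed sample input) and reports which compat attributes are missing or unexpected. The native-to-compat mapping it applies is inferred from the entries quoted in the mail (ipaSudoRunAsExtUser -> sudoRunAsUser, a group DN in ipaSudoRunAs -> sudoRunAsUser %group plus sudoRunAsGroup, memberDenyCmd -> sudoCommand with a leading "!"). The ipaSudoRunAsGroup -> sudoRunAsGroup rule is the behaviour the poster expected rather than one the mail shows working, and the memberCmd -> sudoCommand rule is likewise assumed, so both are assumptions, not the real slapi-nis configuration. Attribute names are compared case-insensitively; base64 ("::") LDIF values are not handled.

```python
"""Cross-check an IPA sudo rule against its compat-tree (ou=sudoers) rendering.

Added example, not FreeIPA code.  The mapping rules in expected_compat() are
inferred from the two entries quoted in the mail; the ipaSudoRunAsGroup and
memberCmd rules are assumptions (see the lead-in), not verified behaviour.
"""
from collections import defaultdict

# Constructed sample: the sudorule1 entries from the mail, one value per line.
NATIVE_LDIF = """\
dn: ipaUniqueID=78c97b54-8d01-11e0-b6e8-525400deab7b,cn=sudorules,cn=sudo,dc=lab,dc=eng,dc=pnq,dc=redhat,dc=com
objectClass: ipaassociation
objectClass: ipasudorule
ipaEnabledFlag: TRUE
cn: sudorule1
ipaUniqueID: 78c97b54-8d01-11e0-b6e8-525400deab7b
memberDenyCmd: sudocmd=/bin/ls,cn=sudocmds,cn=sudo,dc=lab,dc=eng,dc=pnq,dc=redhat,dc=com
ipaSudoRunAs: cn=group1,cn=groups,cn=accounts,dc=lab,dc=eng,dc=pnq,dc=redhat,dc=com
ipaSudoRunAsExtUser: test
ipaSudoRunAsGroup: cn=group2,cn=groups,cn=accounts,dc=lab,dc=eng,dc=pnq,dc=redhat,dc=com
"""

COMPAT_LDIF = """\
dn: cn=sudorule1,ou=sudoers,dc=lab,dc=eng,dc=pnq,dc=redhat,dc=com
objectClass: sudoRole
objectClass: extensibleObject
objectClass: top
sudoCommand: !/bin/ls
sudorunasuser: test
sudorunasuser: %group1
sudorunasgroup: group1
cn: sudorule1
"""

COMPAT_ATTRS = ("sudocommand", "sudorunasuser", "sudorunasgroup")


def parse_ldif(text):
    """Parse a single LDIF entry into {attr_lowercase: [values]}.

    LDAP attribute names are case-insensitive, so they are folded to lower
    case.  Base64 ("::") values and line continuations are not supported.
    """
    entry = defaultdict(list)
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        entry[attr.strip().lower()].append(value.strip())
    return entry


def rdn_value(dn):
    """Value of the first RDN: 'cn=group1,cn=groups,...' -> 'group1'."""
    return dn.split(",", 1)[0].split("=", 1)[1]


def expected_compat(native):
    """Derive the sudoRole attributes the compat tree should carry.

    Mapping inferred from the mail; the memberCmd and ipaSudoRunAsGroup
    rules are assumptions (the latter is what the poster expected to see).
    """
    exp = defaultdict(set)
    for dn in native.get("membercmd", []):            # assumed
        exp["sudocommand"].add(rdn_value(dn))
    for dn in native.get("memberdenycmd", []):        # shown in the mail
        exp["sudocommand"].add("!" + rdn_value(dn))
    for user in native.get("ipasudorunasextuser", []):
        exp["sudorunasuser"].add(user)                # shown in the mail
    for dn in native.get("ipasudorunas", []):
        name = rdn_value(dn)
        if ",cn=groups," in dn.lower():               # group -> %group + runasgroup
            exp["sudorunasuser"].add("%" + name)
            exp["sudorunasgroup"].add(name)
        else:                                         # user entry
            exp["sudorunasuser"].add(name)
    for dn in native.get("ipasudorunasgroup", []):    # assumed (poster's expectation)
        exp["sudorunasgroup"].add(rdn_value(dn))
    return exp


def diff_rules(native, compat):
    """Return {attr: (missing_in_compat, unexpected_in_compat)} for attributes
    whose compat-tree values differ from what the native entry implies."""
    expected = expected_compat(native)
    report = {}
    for attr in sorted(set(expected) | set(COMPAT_ATTRS)):
        have = set(compat.get(attr, []))
        want = expected.get(attr, set())
        if have != want:
            report[attr] = (sorted(want - have), sorted(have - want))
    return report


if __name__ == "__main__":
    result = diff_rules(parse_ldif(NATIVE_LDIF), parse_ldif(COMPAT_LDIF))
    for attr, (missing, extra) in result.items():
        print(f"{attr}: missing in compat tree {missing}, unexpected {extra}")
```

Run against the two sudorule1 entries, the only mismatch reported is sudorunasgroup missing "group2", which is exactly the gap the mail points at; the sudoCommand and sudoRunAsUser values line up under the inferred mapping. Pointing parse_ldif at real ldapsearch -LLL output for each tree (one entry at a time) turns this into a quick consistency check after each sudorule-add-* command.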