[Freeipa-devel] IPA Sudo queries.

Dmitri Pal dpal at redhat.com
Fri Jun 3 21:06:54 UTC 2011


On 06/03/2011 03:11 PM, Gowrishankar Rajaiyan wrote:
> Hi All,
>
> 1. While adding a runasgroup I see its entry in its ipaUniqueID
> dn, however I do not see it in "dn: cn=sudorule1" as I do while
> adding a group using "ipa sudorule-add-runasuser rulename
> --groups=group1".
> Not sure if this is as designed.
>
> [root at bumblebee ipa-sudo]# ipa sudorule-add-runasgroup sudorule1
> --groups=group2
>      Rule name: sudorule1
>      Enabled: TRUE
>      Sudo Deny Commands: /bin/ls
>      Run As Group: group2
> -------------------------
> Number of members added 1
> -------------------------
>
> dn:
> ipaUniqueID=78c97b54-8d01-11e0-b6e8-525400deab7b,cn=sudorules,cn=sudo,dc=lab,dc=eng,dc=pnq,dc=redhat,dc=com
> objectClass: ipaassociation
> objectClass: ipasudorule
> ipaEnabledFlag: TRUE
> cn: sudorule1
> ipaUniqueID: 78c97b54-8d01-11e0-b6e8-525400deab7b
> memberDenyCmd:
> sudocmd=/bin/ls,cn=sudocmds,cn=sudo,dc=lab,dc=eng,dc=pnq,dc=redhat,dc=com
> ipaSudoRunAs:
> cn=group1,cn=groups,cn=accounts,dc=lab,dc=eng,dc=pnq,dc=redhat,dc=com
> ipaSudoRunAsExtUser: test
> ipaSudoRunAsGroup:
> cn=group2,cn=groups,cn=accounts,dc=lab,dc=eng,dc=pnq,dc=redhat,dc=com
> <-----
>
> # sudorule1, sudoers, lab.eng.pnq.redhat.com
> dn: cn=sudorule1,ou=sudoers,dc=lab,dc=eng,dc=pnq,dc=redhat,dc=com
> objectClass: sudoRole
> objectClass: extensibleObject
> objectClass: top
> sudoCommand: !/bin/ls
> sudorunasuser: test
> sudorunasuser: %group1
> sudorunasgroup: group1        <---- added as "ipa
> sudorule-add-runasuser sudorule1 --groups=group1"
>                                    {{{sudorunasgroup: group2}}}
> <------- expected here
> cn: sudorule1
>
>
> 2. Also, I would like to know the difference between the following 2
> commands:
>
>
>  Command 1: ipa sudorule-add-runasuser --groups=LIST (comma-separated
> list of groups to add)
> # ipa help sudorule-add-runasuser
> Purpose: Add user for Sudo to execute as.
> [...]
> --users=LIST comma-separated list of users to add
> --groups=LIST comma-separated list of groups to add
>
>
>  Command 2: ipa sudorule-add-runasgroup --groups=LIST (comma-separated
> list of groups to add)
>
>
> I see the following in DS after using these commands:
>  1. # ipa sudorule-add-runasuser rule1 --users=user1 --groups=group1
>     Rule name: rule1
>     Enabled: TRUE
>     RunAs External User: user1
>  -------------------------
>  Number of members added 2
>  -------------------------
>
>  In DS:
>  # rule1, sudoers, lab.eng.pnq.redhat.com
>  dn: cn=rule1,ou=sudoers,dc=lab,dc=eng,dc=pnq,dc=redhat,dc=com
>  objectClass: sudoRole
>  objectClass: extensibleObject
>  objectClass: top
>  sudorunasuser: user1                <------
>  sudorunasuser: %group1
>  sudorunasgroup: group1             <------
>  cn: rule1
>
>  # 30f45cc8-8e40-11e0-bdf9-525400deab7b, sudorules, sudo,
> lab.eng.pnq.redhat.com
>  dn:
> ipaUniqueID=30f45cc8-8e40-11e0-bdf9-525400deab7b,cn=sudorules,cn=sudo,dc=lab,dc=eng,dc=pnq,dc=redhat,dc=com
>  objectClass: ipaassociation
>  objectClass: ipasudorule
>  ipaEnabledFlag: TRUE
>  cn: rule1
>  ipaUniqueID: 30f45cc8-8e40-11e0-bdf9-525400deab7b
>  ipaSudoRunAs:
> cn=group1,cn=groups,cn=accounts,dc=lab,dc=eng,dc=pnq,dc=redhat,dc=com
>  ipaSudoRunAsExtUser: user1
>
>
>  2. # ipa sudorule-add-runasgroup rule1  --groups=group2
>    Rule name: rule1
>    Enabled: TRUE
>    Run As Group: group2
>  -------------------------
>  Number of members added 1
>  -------------------------
>
>  In DS:
>  No group2 in cn=rule1
>
>  # rule1, sudoers, lab.eng.pnq.redhat.com
>  dn: cn=rule1,ou=sudoers,dc=lab,dc=eng,dc=pnq,dc=redhat,dc=com
>  objectClass: sudoRole
>  objectClass: extensibleObject
>  objectClass: top
>  sudorunasuser: user1
>  sudorunasuser: %group1
>  sudorunasgroup: group1
>  cn: rule1
>
>  # 30f45cc8-8e40-11e0-bdf9-525400deab7b, sudorules, sudo,
> lab.eng.pnq.redhat.com
>  dn:
> ipaUniqueID=30f45cc8-8e40-11e0-bdf9-525400deab7b,cn=sudorules,cn=sudo,dc=lab,dc=eng,dc=pnq,dc=redhat,dc=com
>  objectClass: ipaassociation
>  objectClass: ipasudorule
>  ipaEnabledFlag: TRUE
>  cn: rule1
>  ipaUniqueID: 30f45cc8-8e40-11e0-bdf9-525400deab7b
>  ipaSudoRunAs:
>  cn=group1,cn=groups,cn=accounts,dc=lab,dc=eng,dc=pnq,dc=redhat,dc=com
>  <---
>  ipaSudoRunAsExtUser: user1
>  ipaSudoRunAsGroup:
>  cn=group2,cn=groups,cn=accounts,dc=lab,dc=eng,dc=pnq,dc=redhat,dc=com
>  <----
>
>
> 3. Should a normal user be given privileges to view all the sudorules
> and their details? I do not think this is necessary except for host
> principals and admin users. Please comment.
> ~]$ klist
>  Ticket cache: FILE:/tmp/krb5cc_1179400003
>  Default principal: shanks at LAB.ENG.PNQ.REDHAT.COM
>
>  Valid starting Expires Service principal
>  06/03/11 09:34:33 06/04/11 09:34:28
>  krbtgt/LAB.ENG.PNQ.REDHAT.COM at LAB.ENG.PNQ.REDHAT.COM
>  06/03/11 09:34:37 06/04/11 09:34:28
>  HTTP/bumblebee.lab.eng.pnq.redhat.com at LAB.ENG.PNQ.REDHAT.COM
>
> ~]$ ipa sudorule-find --all
>  dn:
> ipauniqueid=78c97b54-8d01-11e0-b6e8-525400deab7b,cn=sudorules,cn=sudo,dc=lab,dc=eng,dc=pnq,dc=redhat,dc=com
>  Rule name: sudorule1
>  Enabled: TRUE
>  Sudo Deny Commands: /bin/ls
>  Run As Group: group2, group1
>  RunAs External User: test, test1
>  ipasudoopt: env_keep = LANG LC_ADDRESS LC_CTYPE LC_COLLATE
>  LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES LC_MONETARY LC_NAME
>  LC_NUMERIC LC_PAPER LC_TELEPHONE LC_TIME LC_ALL LANGUAGE LINGUAS
>  XDG_SESSION_COOKIE
>  ipauniqueid: 78c97b54-8d01-11e0-b6e8-525400deab7b
>  objectclass: ipaassociation, ipasudorule
>

Jr, it looks like there are more things related to the SUDO plugin.
We will create tickets and assign some of them to you.
We will see what we can do to help you out in addressing them.
But do not be surprised to see more tickets coming your way.

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.
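As an added illustration of point 1 (not code from the thread or from FreeIPA), the check below rebuilds the compat-tree sudoRole attributes one would expect from the quoted ipasudorule entry and diffs them against the sudoRole entry the directory actually served, so the missing `sudorunasgroup: group2` shows up as a finding. The attribute mapping is an assumption reconstructed from the entries quoted above, not FreeIPA's own compat plugin logic.

```python
from collections import defaultdict

# Constructed sample: the ipasudorule entry from point 1, wrapped values rejoined.
IPA_RULE = """\
cn: sudorule1
memberDenyCmd: sudocmd=/bin/ls,cn=sudocmds,cn=sudo,dc=lab,dc=eng,dc=pnq,dc=redhat,dc=com
ipaSudoRunAs: cn=group1,cn=groups,cn=accounts,dc=lab,dc=eng,dc=pnq,dc=redhat,dc=com
ipaSudoRunAsExtUser: test
ipaSudoRunAsGroup: cn=group2,cn=groups,cn=accounts,dc=lab,dc=eng,dc=pnq,dc=redhat,dc=com
"""

# Constructed sample: the compat-tree sudoRole entry the poster saw for that rule.
COMPAT_ROLE = """\
cn: sudorule1
sudoCommand: !/bin/ls
sudorunasuser: test
sudorunasuser: %group1
sudorunasgroup: group1
"""

def parse_ldif(text):
    """Parse 'attr: value' lines into {attr_lowercased: [values]}."""
    entry = defaultdict(list)
    for line in text.splitlines():
        if ": " in line:
            attr, value = line.split(": ", 1)
            entry[attr.lower()].append(value.strip())
    return entry

def rdn_value(dn):
    """Value of the leading RDN, e.g. 'group1' from 'cn=group1,cn=groups,...'."""
    return dn.split(",", 1)[0].split("=", 1)[1]

def expected_sudo_role(rule):
    """Compat attributes expected from an ipasudorule entry (assumed mapping)."""
    role = defaultdict(list)
    role["cn"] = list(rule["cn"])
    role["sudocommand"] = ["!" + rdn_value(dn) for dn in rule["memberdenycmd"]]
    role["sudorunasuser"] = list(rule["ipasudorunasextuser"])
    for dn in rule["ipasudorunas"]:  # a group here yields both forms, as observed
        if ",cn=groups," in dn:
            role["sudorunasuser"].append("%" + rdn_value(dn))
            role["sudorunasgroup"].append(rdn_value(dn))
        else:
            role["sudorunasuser"].append(rdn_value(dn))
    role["sudorunasgroup"] += [rdn_value(dn) for dn in rule["ipasudorunasgroup"]]
    return role

def missing_in_compat(rule_text, compat_text):
    """(attr, value) pairs expected in the compat entry but not served by it."""
    expected = expected_sudo_role(parse_ldif(rule_text))
    actual = parse_ldif(compat_text)
    return [(a, v) for a, vs in expected.items() for v in vs if v not in actual[a]]
```

Running `missing_in_compat(IPA_RULE, COMPAT_ROLE)` on the samples reports only the `sudorunasgroup` value for group2, which is exactly the gap the poster marked as "expected here".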

