[Freeipa-devel] [PATCH] 0032 Validate sudo RunAsUser/RunAsGroup arguments

Alexander Bokovoy abokovoy at redhat.com
Thu Jan 12 13:49:46 UTC 2012


On Thu, 15 Dec 2011, Rob Crittenden wrote:
> >If this is acceptable, I can do refactoring in a different ticket.
> 
> NACK.
> 
> We still have the value passed in by the user, right (in
> options['user'] and options['group'])? We basically take that,
> create a DN out of it, then pull the same value out. Why not skip
> all that and just look at the raw values instead?
> 
> Or there is already a helper to get the key out of a dn, see
> self.Object.user.get_primary_key_from_dn(str(group))
> 
> Also, I found this doesn't handle a list of users or groups. If you
> pass in --users=joe,all then both get added as external users
> (assuming joe doesn't already exist, of course).
Refactored the patch using original values from options[]:

$ ipa sudorule-add-runasuser testr --group=all
ipa: ERROR: invalid 'runas-user': RunAsUser does not accept 'all' as a group name
$ ipa sudorule-add-runasuser testr --group=admins,all
ipa: ERROR: invalid 'runas-user': RunAsUser does not accept 'all' as a group name
$ ipa sudorule-add-runasuser testr --user=admin,all 
ipa: ERROR: invalid 'runas-user': RunAsUser does not accept 'all' as a user name
$ ipa sudorule-add-runasgroup testr --group=admin,all 
ipa: ERROR: invalid 'runas-group': RunAsGroup does not accept 'all' as a group name

Accepts a single value or a list.

This is a patch against master (should apply to ipa-2-2 w/o issues).
-- 
/ Alexander Bokovoy
From 9b11875d84b341220e299560671551d3c538f20a Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <abokovoy at redhat.com>
Date: Mon, 14 Nov 2011 11:23:19 +0200
Subject: [PATCH] Validate sudo RunAsUser/RunAsGroup arguments

FreeIPA SUDO rules use --usercat/--groupcat to specify that the rule
applies to all users or groups. Thus, sudorule-add-runasuser and
sudorule-add-runasgroup accept specific groups and users and do not
accept the ALL reserved word.

The patch validates the user and group passed to these commands and
reports appropriate errors when these are ALL.

Ticket #1496
https://fedorahosted.org/freeipa/ticket/1496
---
 ipalib/plugins/sudorule.py |   39 ++++++++++++++++++++++++++++++++++++++-
 1 files changed, 38 insertions(+), 1 deletions(-)

diff --git a/ipalib/plugins/sudorule.py b/ipalib/plugins/sudorule.py
index 93ca03f0170d922b91eff45ec2f42871336973f1..65a1d8541cd52c89e7fcb7b70adccf73490bdcbc 100644
--- a/ipalib/plugins/sudorule.py
+++ b/ipalib/plugins/sudorule.py
@@ -472,13 +472,34 @@ class sudorule_remove_host(LDAPRemoveMember):
 
 api.register(sudorule_remove_host)
 
-
 class sudorule_add_runasuser(LDAPAddMember):
     __doc__ = _('Add users and groups for Sudo to execute as.')
 
     member_attributes = ['ipasudorunas']
     member_count_out = ('%i object added.', '%i objects added.')
 
+    def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys, **options):
+        def check_validity(runas):
+            v = unicode(runas)
+            if v.upper() == u'ALL':
+                return False
+            return True
+
+        if 'user' in options:
+            for name in options['user']:
+                if not check_validity(name):
+                    raise errors.ValidationError(name='runas-user',
+                          error=unicode(_("RunAsUser does not accept '%(name)s' as a user name")) %
+                          dict(name=name))
+        if 'group' in options:
+            for name in options['group']:
+                if not check_validity(name):
+                    raise errors.ValidationError(name='runas-user',
+                          error=unicode(_("RunAsUser does not accept '%(name)s' as a group name")) %
+                          dict(name=name))
+
+        return dn
+
     def post_callback(self, ldap, completed, failed, dn, entry_attrs, *keys, **options):
         completed_external = 0
         # Sift through the user failures. We assume that these are all
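Review bot: the nested check_validity helper and the two near-identical loops over options['user'] and options['group'] (differing only in the error string) are duplicated again in sudorule_add_runasgroup below; hoist the check into one module-level helper that both pre_callback methods call, so the reserved-word rule lives in one place and the two error messages cannot drift apart. The loops also iterate options['user'] and options['group'] directly; if the framework ever hands over None for an option given without a value, that raises TypeError instead of the intended ValidationError, so `for name in options.get('user') or []:` is the more defensive form. The deletion of the blank line above `class sudorule_add_runasuser` is an unrelated whitespace change that would be cleaner in its own commit.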
@@ -547,6 +568,22 @@ class sudorule_add_runasgroup(LDAPAddMember):
     member_attributes = ['ipasudorunasgroup']
     member_count_out = ('%i object added.', '%i objects added.')
 
+    def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys, **options):
+        def check_validity(runas):
+            v = unicode(runas)
+            if v.upper() == u'ALL':
+                return False
+            return True
+
+        if 'group' in options:
+            for name in options['group']:
+                if not check_validity(name):
+                    raise errors.ValidationError(name='runas-group',
+                          error=unicode(_("RunAsGroup does not accept '%(name)s' as a group name")) %
+                          dict(name=name))
+
+        return dn
+
     def post_callback(self, ldap, completed, failed, dn, entry_attrs, *keys, **options):
         completed_external = 0
         # Sift through the group failures. We assume that these are all
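Review bot: this pre_callback repeats check_validity and the options['group'] loop from sudorule_add_runasuser almost line for line; with a shared helper the body reduces to a single call. Inspecting only options['group'] is correct here since this command takes no --user option, but the case-insensitive comparison `v.upper() == u'ALL'` is a rule users only discover from the error, so consider mentioning the reserved word in the command's `__doc__` or the option help text as well.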
-- 
1.7.8.2
