https://bugzilla.redhat.com/show_bug.cgi?id=719315
1. # ipa sudorule-add sudorule1
---------------------------
Added sudo rule "sudorule1"
---------------------------
  Rule name: sudorule1
  Enabled: TRUE

[root@bumblebee ipa-sudo]# ipa sudorule-add-host sudorule1 --hosts=bumblebee.lab.eng.pnq.redhat.com
  Rule name: sudorule1
  Enabled: TRUE
  Hosts: bumblebee.lab.eng.pnq.redhat.com
-------------------------
Number of members added 1
-------------------------

2. # ipa sudorule-add-allow-command sudorule1 --sudocmds=/bin/date
  Rule name: sudorule1
  Enabled: TRUE
  Hosts: bumblebee.lab.eng.pnq.redhat.com
  Sudo Allow Commands: /bin/date
-------------------------
Number of members added 1
-------------------------

3. # ipa sudorule-add-user sudorule1 --users=shanks,user1
  Rule name: sudorule1
  Enabled: TRUE
  Users: shanks, user1
  Hosts: bumblebee.lab.eng.pnq.redhat.com
  Sudo Allow Commands: /bin/date
-------------------------
Number of members added 2
-------------------------

4. # ipa sudorule-add-runasgroup sudorule1 --groups=ALL
  Rule name: sudorule1
  Enabled: TRUE
  Users: shanks, user1
  Hosts: bumblebee.lab.eng.pnq.redhat.com
  Sudo Allow Commands: /bin/date
  RunAs External Group: all
-------------------------
Number of members added 1
-------------------------

5. # ssh -l shanks localhost
shanks@localhost's password:
Last login: Wed Jul 6 12:31:17 2011 from localhost
-sh-4.1$ sudo -l
LDAP Config Summary
===================
uri              ldap://bumblebee.lab.eng.pnq.redhat.com
ldap_version     3
sudoers_base     ou=SUDOers,dc=lab,dc=eng,dc=pnq,dc=redhat,dc=com
binddn           uid=sudo,cn=sysaccounts,cn=etc,dc=lab,dc=eng,dc=pnq,dc=redhat,dc=com
bindpw           bind123
bind_timelimit   5000
timelimit        15
ssl              no
tls_checkpeer    (yes)
tls_cacertfile   /etc/ipa/ca.crt
tls_cacertdir    /etc/ipa
===================
sudo: ldap_initialize(ld, ldap://bumblebee.lab.eng.pnq.redhat.com)
sudo: ldap_set_option: debug -> 0
sudo: ldap_set_option: ldap_version -> 3
sudo: ldap_set_option: tls_checkpeer -> 1
sudo: ldap_set_option: tls_cacertfile -> /etc/ipa/ca.crt
sudo: ldap_set_option: tls_cacert -> /etc/ipa/ca.crt
sudo: ldap_set_option: tls_cacertdir -> /etc/ipa
sudo: ldap_set_option: timelimit -> 15
sudo: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT, 5)
sudo: ldap_sasl_bind_s() ok
sudo: no default options found in ou=SUDOers,dc=lab,dc=eng,dc=pnq,dc=redhat,dc=com
sudo: ldap sudoHost 'bumblebee.lab.eng.pnq.redhat.com' ... MATCH!
sudo: user_matches=1
sudo: host_matches=1
sudo: sudo_ldap_lookup(52)=0x02
[sudo] password for shanks:
sudo: ldap search '(|(sudoUser=shanks)(sudoUser=%shanks)(sudoUser=%ipausers)(sudoUser=ALL))'
sudo: ldap sudoHost 'bumblebee.lab.eng.pnq.redhat.com' ... MATCH!
sudo: ldap search 'sudoUser=+*'
User shanks may run the following commands on this host:
    (root : all) /bin/date

Actual results:

-sh-4.1$ sudo -u root -g shanks /bin/date
LDAP Config Summary
===================
uri              ldap://bumblebee.lab.eng.pnq.redhat.com
ldap_version     3
sudoers_base     ou=SUDOers,dc=lab,dc=eng,dc=pnq,dc=redhat,dc=com
binddn           uid=sudo,cn=sysaccounts,cn=etc,dc=lab,dc=eng,dc=pnq,dc=redhat,dc=com
bindpw           bind123
bind_timelimit   5000
timelimit        15
ssl              no
tls_checkpeer    (yes)
tls_cacertfile   /etc/ipa/ca.crt
tls_cacertdir    /etc/ipa
===================
sudo: ldap_initialize(ld, ldap://bumblebee.lab.eng.pnq.redhat.com)
sudo: ldap_set_option: debug -> 0
sudo: ldap_set_option: ldap_version -> 3
sudo: ldap_set_option: tls_checkpeer -> 1
sudo: ldap_set_option: tls_cacertfile -> /etc/ipa/ca.crt
sudo: ldap_set_option: tls_cacert -> /etc/ipa/ca.crt
sudo: ldap_set_option: tls_cacertdir -> /etc/ipa
sudo: ldap_set_option: timelimit -> 15
sudo: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT, 5)
sudo: ldap_sasl_bind_s() ok
sudo: no default options found in ou=SUDOers,dc=lab,dc=eng,dc=pnq,dc=redhat,dc=com
sudo: ldap search '(|(sudoUser=shanks)(sudoUser=%shanks)(sudoUser=%ipausers)(sudoUser=ALL))'
sudo: found:cn=sudorule1,ou=sudoers,dc=lab,dc=eng,dc=pnq,dc=redhat,dc=com
sudo: ldap sudoHost 'bumblebee.lab.eng.pnq.redhat.com' ... MATCH!
sudo: ldap sudoRunAsGroup 'all' ... not   <<<<<<<<<<<<<<<<<<<<<
sudo: ldap search 'sudoUser=+*'
sudo: user_matches=1
sudo: host_matches=1
sudo: sudo_ldap_lookup(0)=0x00
Sorry, user shanks is not allowed to execute '/bin/date' as root:shanks on bumblebee.lab.eng.pnq.redhat.com.

Expected results:

sudo -u root -g anyvalidgroup should be matched and the allowed command should be executed successfully.

Additional info:

# ipa sudorule-show sudorule1 --all --raw
  dn: ipauniqueid=851b07d4-a803-11e0-a947-525400deab7b,cn=sudorules,cn=sudo,dc=lab,dc=eng,dc=pnq,dc=redhat,dc=com
  cn: sudorule1
  ipaenabledflag: TRUE
  ipasudorunasextgroup: all
  memberhost: fqdn=bumblebee.lab.eng.pnq.redhat.com,cn=computers,cn=accounts,dc=lab,dc=eng,dc=pnq,dc=redhat,dc=com
  memberuser: uid=shanks,cn=users,cn=accounts,dc=lab,dc=eng,dc=pnq,dc=redhat,dc=com
  memberuser: uid=user1,cn=users,cn=accounts,dc=lab,dc=eng,dc=pnq,dc=redhat,dc=com
  ipauniqueid: 851b07d4-a803-11e0-a947-525400deab7b
  memberallowcmd: sudocmd=/bin/date,cn=sudocmds,cn=sudo,dc=lab,dc=eng,dc=pnq,dc=redhat,dc=com
  memberindirect: fqdn=bumblebee.lab.eng.pnq.redhat.com,cn=computers,cn=accounts,dc=lab,dc=eng,dc=pnq,dc=redhat,dc=com
  memberindirect: uid=shanks,cn=users,cn=accounts,dc=lab,dc=eng,dc=pnq,dc=redhat,dc=com
  memberindirect: uid=user1,cn=users,cn=accounts,dc=lab,dc=eng,dc=pnq,dc=redhat,dc=com
  objectclass: ipaassociation
  objectclass: ipasudorule
sudorule-add-runasgroup is not designed to match --groups=ALL
The correct method for matching 'ALL' groups is to issue:

ipa sudorule-mod --runasgroupcat=all sudorulename
I can pursue a solution in sudo compat with Nalin if Dmitri believes we should account for the misuse of --groups=ALL...
IMHO this is a misuse of all. In this case it is granting access to the external group all.
We document current behavior in man pages and docs.
I added example 12.4 that covers this scenario:

http://docs.fedoraproject.org/en-US/Fedora/15/html/FreeIPA_Guide/defining-sudorules.html#ex.sudo-runas
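The matching behaviour discussed in the comments above, as an added example that is not part of this ticket, of FreeIPA, or of sudo: the rule as filed carries ipasudorunasextgroup "all" (an external group literally named "all", lowercased by IPA as the --raw output shows), whereas sudo's LDAP backend only treats the exact, case-sensitive keyword ALL as a wildcard. The compat_runas_groups() mapping of IPA rule attributes to sudoRunAsGroup values is a deliberately simplified assumption standing in for the compat plugin; the rule dictionaries are constructed from the ticket's own output.

```python
# Added illustration (not FreeIPA or sudo code) of why
# "--groups=ALL" fails while "--runasgroupcat=all" works.

SUDO_ALL = "ALL"  # sudo's wildcard keyword; compared case-sensitively

# Constructed from the ticket: the rule after "sudorule-add-runasgroup --groups=ALL".
RULE_AS_FILED = {
    "cn": "sudorule1",
    "ipasudorunasextgroup": ["all"],   # external group named "all", NOT a wildcard
}

# The rule after the fix proposed in the comments:
# "ipa sudorule-mod --runasgroupcat=all sudorule1".
RULE_FIXED = {
    "cn": "sudorule1",
    "ipasudorunasgroupcategory": "all",
}


def compat_runas_groups(ipa_rule):
    """ASSUMED, simplified view of what the compat tree (ou=SUDOers) exposes
    as sudoRunAsGroup for an IPA rule.  A group category of "all" becomes the
    sudo keyword ALL; external group names are passed through verbatim."""
    if ipa_rule.get("ipasudorunasgroupcategory", "").lower() == "all":
        return [SUDO_ALL]
    return list(ipa_rule.get("ipasudorunasextgroup", []))


def runas_group_matches(sudo_runas_groups, requested_group):
    """sudo semantics for "sudo -g <group>": the request is allowed only if
    some sudoRunAsGroup value is the literal keyword ALL or is exactly the
    requested group name.  A rule with no sudoRunAsGroup never satisfies -g."""
    if requested_group is None:
        return True  # no -g on the command line; only RunAsUser is checked
    return any(v == SUDO_ALL or v == requested_group for v in sudo_runas_groups)


def check(ipa_rule, requested_group):
    """Decide whether the rule permits the requested -g group and explain why,
    mirroring the "sudoRunAsGroup 'all' ... not" line in the debug output."""
    values = compat_runas_groups(ipa_rule)
    ok = runas_group_matches(values, requested_group)
    for v in values:
        print("sudo: ldap sudoRunAsGroup '%s' ... %s"
              % (v, "MATCH!" if (v == SUDO_ALL or v == requested_group) else "not"))
    return ok


if __name__ == "__main__":
    # As filed: "sudo -u root -g shanks /bin/date" is refused.
    print("as filed, -g shanks:", check(RULE_AS_FILED, "shanks"))
    # Only a real group that happens to be called "all" would match the filed rule.
    print("as filed, -g all:  ", check(RULE_AS_FILED, "all"))
    # After --runasgroupcat=all the wildcard keyword ALL is published and -g works.
    print("fixed,    -g shanks:", check(RULE_FIXED, "shanks"))
```

The practical check on a client is the same one the reporter ran: `sudo -l` shows the RunAs part of each rule, and a lowercase "(root : all)" is a group named all, while "(root : ALL)" is the wildcard.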
Metadata Update from @rcritten:
- Issue assigned to elladeon
- Issue set to the milestone: FreeIPA 2.1.2 (bug fixing)