#4263 Sudo Rules: cannot setup External group as runAsUser value
Closed: Fixed None Opened 8 years ago by mkosek.

Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 6): Bug 1066572

Please note that this Bug is private and may not be accessible as it contains confidential Red Hat customer information.

Description of problem:

In IdM, we  can not  set up a Sudo Rule which can be runned as a External
Group. Whereas we can set external users but can't set external groups.

I did few tests and this indeed does not work even though SSSD/sudo supports it:

I also test this feature and this is a gap on FreeIPA side. When I manually edited ou=sudoers and added a local group (vmusers), SSSD and sudo was able to process it:

$ id
uid=932000000(admin) gid=932000000(admins) groups=932000000(admins) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

$ sudo -l
User admin may run the following commands on this host:
    (tuser, %foo, %vmusers : wheel) /usr/bin/less

foo is FreeIPA group with "fbar" as a group member, vmusers is a local group with "mkosek" as a group member. I was able to run the SUDO command as all tuser, fbar and mkosek users:

$ sudo -u mkosek /usr/bin/less /etc/passwd
... reads the file

We will need to:

  1. Add new attribute to schema, ipaSudoRunAsExtUser allowing us to add external users and groups to SUDO RunAs
  2. Update SUDO Compat rule definition to generate the appropriate sudoRunAsUser entries in ou=sudoers,SUFFIX

Another ticket with missing sudo functionality: #4274

Patch is already on review - Tomas forgot to switch the flag.

pushed to master as part of sudorule enhancements:

  • 5a1207c sudorule: PEP8 fixes in sudorule.py
  • a228d7a sudorule: Allow using hostmasks for setting allowed hosts
  • fix: 9304b64 sudorule: Allow using external groups as groups of runAsUsers
  • 3a56b15 sudorule: Make sure sudoRunAsGroup is dereferencing the correct attribute
  • c7da22c sudorule: Include externalhost and ipasudorunasextgroup in the list of default attributes
  • af2eb4d sudorule: Allow adding deny commands when command category set to ALL
  • 9bb88a1 sudorule: Make sure all the relevant attributes are checked when setting category to ALL
  • a1d6c9a sudorule: Fix the order of the parameters to have less chaotic output
  • b1275c5 sudorule: Enforce category ALL checks on dirsrv level
  • d537da8 ipatests: test_sudo: Add tests for allowing hosts via hostmasks
  • c50d190 ipatests: test_sudo: Add coverage for external entries
  • ec2050b ipatests: test_sudo: Add coverage for category ALL validation
  • e0fd269 ipatests: test_sudo: Fix assertions not assuming runasgroupcat set to ALL
  • 701f1fc ipatests: test_sudo: Do not expect enumeration of runasuser groups
  • e7969f5 ipatests: test_sudo: Expect root listed out if no RunAsUser available
  • af4518b sudorule: Refactor add and remove external_post_callback

Metadata Update from @mkosek:
- Issue assigned to tbabej
- Issue set to the milestone: FreeIPA 4.0 - 2014/06

5 years ago

Login to comment on this ticket.