Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 6): Bug 1066572
Please note that this Bug is private and may not be accessible as it contains confidential Red Hat customer information.
Description of problem:
In IdM, we cannot set up a sudo rule that can be run as an external
group. We can set external users, but cannot set external groups.
I did a few tests and this indeed does not work, even though SSSD/sudo support it:
I also tested this feature and this is a gap on the FreeIPA side. When I manually edited ou=sudoers and added a local group (vmusers), SSSD and sudo were able to process it:
uid=932000000(admin) gid=932000000(admins) groups=932000000(admins) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
$ sudo -l
User admin may run the following commands on this host:
(tuser, %foo, %vmusers : wheel) /usr/bin/less
foo is a FreeIPA group with "fbar" as a group member, vmusers is a local group with "mkosek" as a group member. I was able to run the sudo command as all of tuser, fbar and mkosek:
$ sudo -u mkosek /usr/bin/less /etc/passwd
... reads the file
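The rule line quoted above uses sudo's `(runas_users : runas_groups) command` notation, where a `%group` entry in the run-as list is resolved through NSS (a local group, or an IdM group served by SSSD). The following Python is an added example, not code from the ticket or from FreeIPA/SSSD: it parses `sudo -l` output of that shape and resolves which target users the rule permits, given a constructed group-membership map that mirrors the comment above (foo containing fbar, vmusers containing mkosek). The group map, the sample output and the function names are assumptions made for the example.

```python
"""Evaluate which identities a `sudo -l` rule lets the caller run as.

Added example (not from the FreeIPA ticket): parses rule lines of the form
`(runas_users : runas_groups) command` and resolves `%group` entries in the
run-as user list against a constructed group map, the way sudo resolves them
via NSS at runtime.
"""
import re
from typing import Dict, Iterable, List, Optional, Set, Tuple

# Constructed sample: the `sudo -l` output quoted in the ticket.
SAMPLE_SUDO_L = """User admin may run the following commands on this host:
    (tuser, %foo, %vmusers : wheel) /usr/bin/less
"""

# Constructed group membership (assumption for this example): foo is an IdM
# group containing fbar, vmusers is a local group containing mkosek.
SAMPLE_GROUPS: Dict[str, Set[str]] = {
    "foo": {"fbar"},
    "vmusers": {"mkosek"},
    "wheel": {"admin"},
}

# `(run-as spec) command`; the run-as spec never contains a closing paren.
RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s+(?P<cmd>.+?)\s*$")


def _split_list(spec: str) -> List[str]:
    """Split a comma-separated sudoers list, dropping blanks."""
    return [item.strip() for item in spec.split(",") if item.strip()]


def parse_rule(line: str) -> Optional[Tuple[List[str], List[str], str]]:
    """Split one rule line into (runas_users, runas_groups, command).

    runas_users may hold plain user names or `%group` entries; runas_groups is
    the list after the colon (the `-g` targets) and is empty when absent.
    Non-rule lines (e.g. the "User X may run..." header) yield None.
    """
    match = RULE_RE.match(line)
    if not match:
        return None
    runas = match.group("runas")
    users_part, groups_part = (runas.split(":", 1) + [""])[:2]
    return _split_list(users_part), _split_list(groups_part), match.group("cmd")


def parse_sudo_l(output: str) -> List[Tuple[List[str], List[str], str]]:
    """Return every parsable rule from `sudo -l` output, in order."""
    rules = []
    for line in output.splitlines():
        parsed = parse_rule(line)
        if parsed is not None:
            rules.append(parsed)
    return rules


def runas_user_allowed(entries: Iterable[str], target: str,
                       groups: Dict[str, Set[str]]) -> bool:
    """True if `target` matches an entry: ALL, an exact user, or %group membership."""
    for entry in entries:
        if entry == "ALL":
            return True
        if entry.startswith("%"):
            # `%name` is a group; membership is what NSS would return.
            if target in groups.get(entry[1:], set()):
                return True
        elif entry == target:
            return True
    return False


def runas_group_allowed(entries: Iterable[str], target_group: str) -> bool:
    """True if `sudo -g target_group` is permitted by the rule's group list."""
    return any(entry in ("ALL", target_group) for entry in entries)


def allowed_runas_users(output: str, groups: Dict[str, Set[str]],
                        candidates: Iterable[str]) -> Dict[str, List[str]]:
    """Map each command to the candidate users it may be run as (`sudo -u`)."""
    result: Dict[str, List[str]] = {}
    for users, _runas_groups, cmd in parse_sudo_l(output):
        result[cmd] = [u for u in candidates if runas_user_allowed(users, u, groups)]
    return result


if __name__ == "__main__":
    # For the quoted rule: tuser (direct), fbar (via %foo), mkosek (via %vmusers)
    # are permitted; root is not.
    print(allowed_runas_users(SAMPLE_SUDO_L, SAMPLE_GROUPS,
                              ["tuser", "fbar", "mkosek", "root"]))
```

This is the check an auditor would run over `sudo -l -U <user>` output from a batch of hosts: any `%group` in the run-as list widens the set of target identities to the whole group's membership, and because the group is resolved at run time, adding a user to a local group later silently widens the rule.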
We will need to:
Ticket has been cloned to Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1080844
Another ticket with missing sudo functionality: #4274
The patch is already under review - Tomas forgot to switch the flag.
pushed to master as part of sudorule enhancements:
Metadata Update from @mkosek:
- Issue assigned to tbabej
- Issue set to the milestone: FreeIPA 4.0 - 2014/06