#4340 Let deny commands be added to sudo rule with cmdcatetory=ALL
Closed: Fixed None Opened 8 years ago by rcritten.

One may want to allow all commands except a certain subset, like su and a set of shells.

This is currently not allowed.


Patch is already on review - Tomas forgot to switch the flag.

pushed to master as part of sudorule enhancements:

  • 5a1207c sudorule: PEP8 fixes in sudorule.py
  • a228d7a sudorule: Allow using hostmasks for setting allowed hosts
  • 9304b64 sudorule: Allow using external groups as groups of runAsUsers
  • 3a56b15 sudorule: Make sure sudoRunAsGroup is dereferencing the correct attribute
  • c7da22c sudorule: Include externalhost and ipasudorunasextgroup in the list of default attributes
  • fix: af2eb4d sudorule: Allow adding deny commands when command category set to ALL
  • 9bb88a1 sudorule: Make sure all the relevant attributes are checked when setting category to ALL
  • a1d6c9a sudorule: Fix the order of the parameters to have less chaotic output
  • b1275c5 sudorule: Enforce category ALL checks on dirsrv level
  • d537da8 ipatests: test_sudo: Add tests for allowing hosts via hostmasks
  • c50d190 ipatests: test_sudo: Add coverage for external entries
  • ec2050b ipatests: test_sudo: Add coverage for category ALL validation
  • e0fd269 ipatests: test_sudo: Fix assertions not assuming runasgroupcat set to ALL
  • 701f1fc ipatests: test_sudo: Do not expect enumeration of runasuser groups
  • e7969f5 ipatests: test_sudo: Expect root listed out if no RunAsUser available
  • af4518b sudorule: Refactor add and remove external_post_callback

Metadata Update from @rcritten:
- Issue assigned to tbabej
- Issue set to the milestone: FreeIPA 4.0 - 2014/06

5 years ago

Login to comment on this ticket.

Metadata