https://fedorahosted.org/freeipa/ticket/1440 made it so you couldn't add commands, users, etc. if a category is set to ALL, but it fails to check for existing commands, users, etc. when setting the category to ALL.
For example, you cannot do this:
ipa sudorule-add test --cmdcat=all
ipa sudorule-add-allow-command test --sudocmds=/usr/bin/less
But you can do this:
ipa sudorule-add test2
ipa sudorule-add-allow-command test2 --sudocmds=/usr/bin/less
ipa sudorule-mod test2 --cmdcat=all
This should be coordinated with https://fedorahosted.org/freeipa/ticket/4340 because this is the workaround for that.
Maybe I'm not reading the ticket correctly, but this works for me:
[tbabej@vm-223 ~]$ ipa sudocmd-add /usr/bin/less
----------------------------------
Added Sudo Command "/usr/bin/less"
----------------------------------
  Sudo Command: /usr/bin/less
[tbabej@vm-223 ~]$ ipa sudorule-add test2
-----------------------
Added Sudo Rule "test2"
-----------------------
  Rule name: test2
  Enabled: TRUE
[tbabej@vm-223 ~]$ ipa sudorule-add-allow-command test2 --sudocmds=/usr/bin/less
  Rule name: test2
  Enabled: TRUE
  Sudo Allow Commands: /usr/bin/less
-------------------------
Number of members added 1
-------------------------
[tbabej@vm-223 ~]$ ipa sudorule-mod test2 --cmdcat=all
ipa: ERROR: command category cannot be set to 'all' while there are allow or deny commands
But there are other things we do not check for, for example external users:
[tbabej@vm-223 ~]$ ipa sudorule-add-user test2 --users notinipa
  Rule name: test2
  Enabled: TRUE
  Sudo Allow Commands: /usr/bin/less
  External User: notinipa
-------------------------
Number of members added 1
-------------------------
[tbabej@vm-223 ~]$ ipa sudorule-mod test2 --usercat=all
--------------------------
Modified Sudo Rule "test2"
--------------------------
  Rule name: test2
  Enabled: TRUE
  User category: all
  Sudo Allow Commands: /usr/bin/less
  External User: notinipa
The issue described in the ticket works only for the deny commands (as was correctly reported by the user but generalized without investigation in the ticket description):
[tbabej@vm-223 ~]$ ipa sudorule-add-deny-command test2 --sudocmds=/usr/bin/less
  Rule name: test2
  Enabled: TRUE
  Sudo Deny Commands: /usr/bin/less
-------------------------
Number of members added 1
-------------------------
[tbabej@vm-223 ~]$ ipa sudorule-mod test2 --usercat=all
--------------------------
Modified Sudo Rule "test2"
--------------------------
  Rule name: test2
  Enabled: TRUE
  User category: all
  Sudo Deny Commands: /usr/bin/less
  External User: notinipa
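As an added illustration of the check the ticket asks for (this is example code written for this page, not FreeIPA's own sudorule plugin): a stand-alone model of a sudo rule entry with the two validations that need to agree with each other. Setting a category to 'all' must be refused while any member of that kind exists, including external users and hosts, which are plain strings rather than IPA objects and are exactly what the reproduction above shows slipping through; and, mirroring ticket 1440, adding members must be refused once the matching category is 'all'. The attribute names (memberallowcmd, externaluser, and so on) are assumed from the CLI output in the thread, and the rule entries are constructed test data.

```python
# Added example, not FreeIPA's own code: a self-contained model of the
# "category=all vs. existing members" consistency check. Attribute names are
# assumed from the ticket's CLI output; the entries used below are constructed.

# For every *category attribute, the member attributes that conflict with it.
# External users/hosts are plain strings, not IPA objects, so they are listed
# explicitly: the missing check in the ticket is exactly about those.
CATEGORY_MEMBERS = {
    'usercategory': ('memberuser', 'externaluser'),
    'hostcategory': ('memberhost', 'externalhost'),
    'cmdcategory':  ('memberallowcmd', 'memberdenycmd'),
}


class ValidationError(ValueError):
    """Raised when a modification would leave the rule inconsistent."""


def category_is_all(entry, category):
    """True if the rule entry already has this category set to 'all'."""
    values = entry.get(category) or []
    return any(v.lower() == 'all' for v in values)


def category_violations(entry, options):
    """Conflicts for a sudorule-mod that sets categories to 'all'.

    entry:   the rule's current attributes as lists of values (LDAP-style).
    options: requested changes, e.g. {'usercategory': 'all'}.
    Returns a list of human-readable conflict descriptions (empty if OK).
    """
    problems = []
    for category, member_attrs in CATEGORY_MEMBERS.items():
        value = options.get(category)
        if value is None or value.lower() != 'all':
            continue
        for attr in member_attrs:
            if entry.get(attr):
                problems.append("%s cannot be set to 'all' while %s has members: %s"
                                % (category, attr, ', '.join(entry[attr])))
    return problems


def member_violations(entry, attr, values):
    """Conflicts for a sudorule-add-* call (the check ticket 1440 added):
    adding members when the matching category is already 'all'."""
    problems = []
    for category, member_attrs in CATEGORY_MEMBERS.items():
        if attr in member_attrs and category_is_all(entry, category):
            problems.append("cannot add %s %s: %s is already 'all'"
                            % (attr, ', '.join(values), category))
    return problems


def modify_rule(entry, options):
    """Apply category changes only after validating them; returns a new entry."""
    problems = category_violations(entry, options)
    if problems:
        raise ValidationError('; '.join(problems))
    updated = dict(entry)
    for category in CATEGORY_MEMBERS:
        if category in options:
            updated[category] = [options[category]]
    return updated


def add_members(entry, attr, values):
    """Apply a member addition only after validating it; returns a new entry."""
    problems = member_violations(entry, attr, values)
    if problems:
        raise ValidationError('; '.join(problems))
    updated = dict(entry)
    updated[attr] = list(entry.get(attr, [])) + list(values)
    return updated


if __name__ == '__main__':
    # Constructed data replaying the sequence from the ticket: an allow command
    # plus an external user, then an attempt to set categories to 'all'.
    rule = {'cn': ['test2'], 'memberallowcmd': ['/usr/bin/less']}
    rule = add_members(rule, 'externaluser', ['notinipa'])
    for opts in ({'usercategory': 'all'}, {'cmdcategory': 'all'}):
        try:
            modify_rule(rule, opts)
            print('accepted', opts)
        except ValidationError as err:
            print('rejected', opts, '->', err)
    # No hosts are attached, so hostcategory=all is still allowed.
    print('accepted', modify_rule(rule, {'hostcategory': 'all'})['hostcategory'])
```

Keeping both directions of the check driven by the same CATEGORY_MEMBERS table is the point: when a new member kind is introduced (external users were the one missed here), adding it to the table covers both the add-member path and the set-category path at once.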
Starting review
pushed to master as part of sudorule enhancements:
This effort was fixed as part of the 4.0 release. Fixing the milestone.
Ticket has been cloned to Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1113918
Metadata Update from @rcritten: - Issue assigned to tbabej - Issue set to the milestone: FreeIPA 4.0 - 2014/06