#4341 Setting a sudo category to all doesn't check to see if rules already exist
Closed: Fixed None Opened 8 years ago by rcritten.

https://fedorahosted.org/freeipa/ticket/1440 made it so you couldn't add commands, users, etc if a category is set to ALL but it fails to check for existing commands, users, etc when setting the category to ALL.

For example, you cannot do this:

 ipa sudorule-add test --cmdcat=all
 ipa sudorule-add-allow-command test --sudocmds=/usr/bin/less

But you can do this:

 ipa sudorule-add test2
 ipa sudorule-add-allow-command test --sudocmds=/usr/bin/less
 ipa sudorule-mod test2 --cmdcat=all

This should be coordinated with https://fedorahosted.org/freeipa/ticket/4340 because this is the workaround for that.


Maybe I'm not reading the ticket correctly, but this works for me:

[tbabej@vm-223 ~]$ ipa sudocmd-add /usr/bin/less
----------------------------------
Added Sudo Command "/usr/bin/less"
----------------------------------
  Sudo Command: /usr/bin/less
[tbabej@vm-223 ~]$ ipa sudorule-add test2
-----------------------
Added Sudo Rule "test2"
-----------------------
  Rule name: test2
  Enabled: TRUE
[tbabej@vm-223 ~]$ ipa sudorule-add-allow-command test2 --sudocmds=/usr/bin/less
  Rule name: test2
  Enabled: TRUE
  Sudo Allow Commands: /usr/bin/less
-------------------------
Number of members added 1
-------------------------
[tbabej@vm-223 ~]$ ipa sudorule-mod test2 --cmdcat=all
ipa: ERROR: command category cannot be set to 'all' while there are allow or deny commands

But there are other things we do not check for, for example external users:

[tbabej@vm-223 ~]$ ipa sudorule-add-user test2 --users notinipa
  Rule name: test2
  Enabled: TRUE
  Sudo Allow Commands: /usr/bin/less
  External User: notinipa
-------------------------
Number of members added 1
-------------------------
[tbabej@vm-223 ~]$ ipa sudorule-mod test2 --usercat=all
--------------------------
Modified Sudo Rule "test2"
--------------------------
  Rule name: test2
  Enabled: TRUE
  User category: all
  Sudo Allow Commands: /usr/bin/less
  External User: notinipa

The issue described in the ticket works only for the deny commands (as was correctly reported by the user but generalized without investigation in the ticket description):

[tbabej@vm-223 ~]$ ipa sudorule-add-deny-command test2 --sudocmds=/usr/bin/less
  Rule name: test2
  Enabled: TRUE
  Sudo Deny Commands: /usr/bin/less
-------------------------
Number of members added 1
-------------------------

[tbabej@vm-223 ~]$ ipa sudorule-mod test2 --usercat=all
--------------------------
Modified Sudo Rule "test2"
--------------------------
  Rule name: test2
  Enabled: TRUE
  User category: all
  Sudo Deny Commands: /usr/bin/less
  External User: notinipa

pushed to master as part of sudorule enhancements:

  • 5a1207c sudorule: PEP8 fixes in sudorule.py
  • a228d7a sudorule: Allow using hostmasks for setting allowed hosts
  • 9304b64 sudorule: Allow using external groups as groups of runAsUsers
  • 3a56b15 sudorule: Make sure sudoRunAsGroup is dereferencing the correct attribute
  • c7da22c sudorule: Include externalhost and ipasudorunasextgroup in the list of default attributes
  • af2eb4d sudorule: Allow adding deny commands when command category set to ALL
  • fix: 9bb88a1 sudorule: Make sure all the relevant attributes are checked when setting category to ALL
  • a1d6c9a sudorule: Fix the order of the parameters to have less chaotic output
  • b1275c5 sudorule: Enforce category ALL checks on dirsrv level
  • d537da8 ipatests: test_sudo: Add tests for allowing hosts via hostmasks
  • c50d190 ipatests: test_sudo: Add coverage for external entries
  • ec2050b ipatests: test_sudo: Add coverage for category ALL validation
  • e0fd269 ipatests: test_sudo: Fix assertions not assuming runasgroupcat set to ALL
  • 701f1fc ipatests: test_sudo: Do not expect enumeration of runasuser groups
  • e7969f5 ipatests: test_sudo: Expect root listed out if no RunAsUser available
  • af4518b sudorule: Refactor add and remove external_post_callback

This effort was fixed as part of 4.0 release. Fixing the milestone.

Metadata Update from @rcritten:
- Issue assigned to tbabej
- Issue set to the milestone: FreeIPA 4.0 - 2014/06

5 years ago

Login to comment on this ticket.

Metadata