Issue #4341: Setting a sudo category to all doesn't check to see if rules already exist - freeipa

freeipa

#4341 Setting a sudo category to all doesn't check to see if rules already exist

Closed: Fixed None Opened 9 years ago by rcritten.

https://fedorahosted.org/freeipa/ticket/1440 made it so you couldn't add commands, users, etc if a category is set to ALL but it fails to check for existing commands, users, etc when setting the category to ALL.

For example, you cannot do this:

 ipa sudorule-add test --cmdcat=all
 ipa sudorule-add-allow-command test --sudocmds=/usr/bin/less

But you can do this:

 ipa sudorule-add test2
 ipa sudorule-add-allow-command test --sudocmds=/usr/bin/less
 ipa sudorule-mod test2 --cmdcat=all

This should be coordinated with https://fedorahosted.org/freeipa/ticket/4340 because this is the workaround for that.

tbabej commented 9 years ago

Maybe I'm not reading the ticket correctly, but this works for me:

[tbabej@vm-223 ~]$ ipa sudocmd-add /usr/bin/less
----------------------------------
Added Sudo Command "/usr/bin/less"
----------------------------------
  Sudo Command: /usr/bin/less
[tbabej@vm-223 ~]$ ipa sudorule-add test2
-----------------------
Added Sudo Rule "test2"
-----------------------
  Rule name: test2
  Enabled: TRUE
[tbabej@vm-223 ~]$ ipa sudorule-add-allow-command test2 --sudocmds=/usr/bin/less
  Rule name: test2
  Enabled: TRUE
  Sudo Allow Commands: /usr/bin/less
-------------------------
Number of members added 1
-------------------------
[tbabej@vm-223 ~]$ ipa sudorule-mod test2 --cmdcat=all
ipa: ERROR: command category cannot be set to 'all' while there are allow or deny commands

tbabej commented 9 years ago

But there are other things we do not check for, for example external users:

[tbabej@vm-223 ~]$ ipa sudorule-add-user test2 --users notinipa
  Rule name: test2
  Enabled: TRUE
  Sudo Allow Commands: /usr/bin/less
  External User: notinipa
-------------------------
Number of members added 1
-------------------------
[tbabej@vm-223 ~]$ ipa sudorule-mod test2 --usercat=all
--------------------------
Modified Sudo Rule "test2"
--------------------------
  Rule name: test2
  Enabled: TRUE
  User category: all
  Sudo Allow Commands: /usr/bin/less
  External User: notinipa

tbabej commented 9 years ago

The issue described in the ticket works only for the deny commands (as was correctly reported by the user but generalized without investigation in the ticket description):

[tbabej@vm-223 ~]$ ipa sudorule-add-deny-command test2 --sudocmds=/usr/bin/less
  Rule name: test2
  Enabled: TRUE
  Sudo Deny Commands: /usr/bin/less
-------------------------
Number of members added 1
-------------------------

[tbabej@vm-223 ~]$ ipa sudorule-mod test2 --usercat=all
--------------------------
Modified Sudo Rule "test2"
--------------------------
  Rule name: test2
  Enabled: TRUE
  User category: all
  Sudo Deny Commands: /usr/bin/less
  External User: notinipa

pviktori commented 9 years ago

Starting review

pviktori commented 9 years ago

pushed to master as part of sudorule enhancements:

5a1207c sudorule: PEP8 fixes in sudorule.py
a228d7a sudorule: Allow using hostmasks for setting allowed hosts
9304b64 sudorule: Allow using external groups as groups of runAsUsers
3a56b15 sudorule: Make sure sudoRunAsGroup is dereferencing the correct attribute
c7da22c sudorule: Include externalhost and ipasudorunasextgroup in the list of default attributes
af2eb4d sudorule: Allow adding deny commands when command category set to ALL
fix: 9bb88a1 sudorule: Make sure all the relevant attributes are checked when setting category to ALL
a1d6c9a sudorule: Fix the order of the parameters to have less chaotic output
b1275c5 sudorule: Enforce category ALL checks on dirsrv level
d537da8 ipatests: test_sudo: Add tests for allowing hosts via hostmasks
c50d190 ipatests: test_sudo: Add coverage for external entries
ec2050b ipatests: test_sudo: Add coverage for category ALL validation
e0fd269 ipatests: test_sudo: Fix assertions not assuming runasgroupcat set to ALL
701f1fc ipatests: test_sudo: Do not expect enumeration of runasuser groups
e7969f5 ipatests: test_sudo: Expect root listed out if no RunAsUser available
af4518b sudorule: Refactor add and remove external_post_callback

mkosek commented 9 years ago

This effort was fixed as part of 4.0 release. Fixing the milestone.

mkosek commented 9 years ago

Ticket has been cloned to Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1113918

Metadata Update from @rcritten:
- Issue assigned to tbabej
- Issue set to the milestone: FreeIPA 4.0 - 2014/06

7 years ago

Metadata

Assignee

tbabej

Tags

None

Blocking

None

Depending on

None

Priority

normal

Milestone

FreeIPA 4.0 - 2014/06

None

affects_doc

None

source

None

knownissue

None

type

defect

blockedby

None

test_case

None

component

IPA

blocking

4340

on_review

keywords

None

test_coverage

None

reviewer

pviktori

external_tracker

None

rhbz

https://bugzilla.redhat.com/show_bug.cgi?id=1113918

tester

None

changelog

None

design

None

freeipa

Source Code

#4341 Setting a sudo category to all doesn't check to see if rules already exist Closed: Fixed None Opened 9 years ago by rcritten.

Metadata

#4341 Setting a sudo category to all doesn't check to see if rules already exist

Closed: Fixed None Opened 9 years ago by rcritten.