Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 7): Bug 1333470
Please note that this Bug is private and may not be accessible as it contains confidential Red Hat customer information.
Description of problem:
[RFE] While defining a sudorule in IPA, if 'ipaSudoRunAs' is NOT defined then it shouldn't be set to 'root' by default; the rule should be invalid.

Version-Release number of selected component (if applicable):
ipa-server-4.2.0-15.el7_2.6.1.x86_64

How reproducible:
Always (with CLI and WebUI)

Steps to Reproduce:
1. Login to IPA WebUI as admin
2. Navigate to:
---
Policy > Sudo > Sudo Rules > + Add
---
3. After creating a new rule, click that rule and scroll down.
4. Under the "As Whom" section, in the 'RunAs User' category select "Specified Users and Groups". Do NOT add any user/group. Then click the 'Update' button. (Similar is the case with the RunAs Group category)
5. It will create the rule as:
---
[root@rhel7-ipa-2 ~]# ipa sudorule-show testing
  Rule name: testing
  Enabled: TRUE
  Host category: all
  Command category: all
  Users: tuserx

[root@rhel7-ipa-2 ~]# ipa sudorule-show testing --raw --all
  dn: ipaUniqueID=fba5412a-12d0-11e6-afe3-52540086c195,cn=sudorules,cn=sudo,dc=example,dc=com
  cn: testing
  ipaenabledflag: TRUE
  hostcategory: all
  cmdcategory: all
  memberuser: uid=tuserx,cn=users,cn=accounts,dc=example,dc=com
  ipaUniqueID: fba5412a-12d0-11e6-afe3-52540086c195
  objectClass: ipasudorule
  objectClass: ipaassociation

[root@rhel7-ipa-2 ~]# sudo -l -U tuserx
Matching Defaults entries for tuserx on this host:

User tuserx may run the following commands on this host:
    (root) ALL    <-----------------
---
In the sudo rule, RunAs User is NOT defined. However, user 'tuserx' will be able to run all commands as 'root'.

Actual results:
While defining a sudorule in IPA, if 'ipaSudoRunAs' is NOT defined then it is set to 'root' by default.

Expected behaviour should be:
If "specific user or group" is specified for RUNAS, but no user/group is defined, then it should not set the default to root. The rule should be invalid.
If "anyone" (or "runas category: all") is not set, then it should only allow defined users/groups (i.e. "runas user").
If no user/group is defined then the rule should be invalid and shouldn't default to root.
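An added audit script (not part of this ticket or of FreeIPA) that parses the `--raw --all` output shown above and lists enabled rules that name no RunAs user or group and set no RunAs category of "all", i.e. the rules that currently fall back to root. Only ipasudorunas appears in the ticket; the other attribute names are assumed from the FreeIPA sudo rule schema, and the sample output is constructed.

```python
# Audit FreeIPA sudo rules for the implicit-root RunAs case from this ticket:
# parse the ``--raw --all`` output of ``ipa sudorule-show``/``ipa sudorule-find``
# (one ``attr: value`` line per attribute, rules separated by a blank line).
import re
from collections import defaultdict

# ipasudorunas is quoted in the ticket; the other names are assumed from the
# FreeIPA schema (ipaSudoRunAsGroup, ipaSudoRunAs{User,Group}Category), lowercased.
EXPLICIT_RUNAS = ("ipasudorunas", "ipasudorunasgroup")
RUNAS_CATEGORY = ("ipasudorunasusercategory", "ipasudorunasgroupcategory")


def parse_raw_rules(text):
    """Split raw CLI output into one {attr: [values]} dict per rule."""
    rules = []
    for block in re.split(r"\n\s*\n", text.strip()):  # blank line separates rules
        rule = defaultdict(list)
        for line in block.splitlines():
            attr, _, value = line.partition(":")  # split at the first colon only
            rule[attr.strip().lower()].append(value.strip())
        rules.append(rule)
    return rules


def runs_as_root_implicitly(rule):
    """True when an enabled rule never says whom its commands run as."""
    enabled = rule.get("ipaenabledflag", ["TRUE"])[0].upper() == "TRUE"
    category_all = any(v.lower() == "all" for a in RUNAS_CATEGORY for v in rule.get(a, []))
    explicit = any(rule.get(a) for a in EXPLICIT_RUNAS)
    return enabled and not category_all and not explicit


def audit(text):
    """Return the names (cn) of rules that will silently fall back to root."""
    return [r["cn"][0] for r in parse_raw_rules(text) if runs_as_root_implicitly(r)]


# Constructed sample: the ticket's "testing" rule plus two rules that are explicit.
SAMPLE = """\
cn: testing
ipaenabledflag: TRUE
memberuser: uid=tuserx,cn=users,cn=accounts,dc=example,dc=com

cn: backup-as-svc
ipaenabledflag: TRUE
ipasudorunas: uid=backupsvc,cn=users,cn=accounts,dc=example,dc=com

cn: anyone-ok
ipaenabledflag: TRUE
ipasudorunasusercategory: all
"""
```

Feed it the real output of `ipa sudorule-find --all --raw` to review an existing deployment; `audit(SAMPLE)` returns `['testing']`.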
Metadata Update from @pvoborni:
- Issue assigned to someone
- Issue set to the milestone: FreeIPA 4.5 backlog