#5877 [RFE] While defining sudorule in IPA, if 'ipaSudoRunAs' is NOT defined then it should notify that default is root
Opened 7 years ago by pvoborni. Modified 7 years ago

Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 7): Bug 1333470

Please note that this Bug is private and may not be accessible as it contains confidential Red Hat customer information.

Description of problem:
[RFE] While defining sudorule in IPA, if 'ipaSudoRunAs' is NOT defined then it
shouldn't set it to 'root' by default, rule should be invalid.

Version-Release number of selected component (if applicable):
ipa-server-4.2.0-15.el7_2.6.1.x86_64

How reproducible:
Always (with CLI and WebUI)


Steps to Reproduce:
1. Login to IPA WebUI as admin

2. Navigate to:
---
Policy > Sudo > Sudo Rules > + Add
---

3. After creating a new rule, click that rule and scroll down.

4. Under "As Whom" section, in 'RunAs User' category select "Specified Users
and Groups". Do NOT add any user/group. Then click 'Update' button.
(The same applies to the RunAs Group category.)

5. It will create the rule as:
---
[root@rhel7-ipa-2 ~]# ipa sudorule-show testing
  Rule name: testing
  Enabled: TRUE
  Host category: all
  Command category: all
  Users: tuserx

[root@rhel7-ipa-2 ~]# ipa sudorule-show testing --raw --all
  dn: ipaUniqueID=fba5412a-12d0-11e6-afe3-52540086c195,cn=sudorules,cn=sudo,dc=example,dc=com
  cn: testing
  ipaenabledflag: TRUE
  hostcategory: all
  cmdcategory: all
  memberuser: uid=tuserx,cn=users,cn=accounts,dc=example,dc=com
  ipaUniqueID: fba5412a-12d0-11e6-afe3-52540086c195
  objectClass: ipasudorule
  objectClass: ipaassociation

[root@rhel7-ipa-2 ~]# sudo -l -U tuserx
Matching Defaults entries for tuserx on this host:

User tuserx may run the following commands on this host:
    (root) ALL   <-----------------
---
In the sudo rule, RunAs User is NOT defined.
However, user 'tuserx' will be able to run all commands as 'root'.

Actual results:
While defining sudorule in IPA, if 'ipaSudoRunAs' is NOT defined then it is set
to 'root' by default.

Expected behaviour should be:
If "specific user or group" is specified for RUNAS, but no user/group is
defined, then it should not set default to root.
The rule should be invalid.

If "anyone" (or "runas category: all") is not set, then it should only allow
defined user/groups (i.e. "runas user").
If no user/group is defined then the rule should be invalid and shouldn't
default to root.
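Until the server rejects such rules, the condition described above can be found by auditing existing rules. The following is an added example (not part of the ticket or of FreeIPA's own code): it parses the `ipa sudorule-show --raw --all` output shown in the reproduction steps and flags enabled rules whose RunAs user category is not `all` and which carry no RunAs user or group, i.e. rules that silently fall through to sudo's root default. Only `ipaSudoRunAs` appears on this page; the other attribute names (`ipaSudoRunAsGroup`, `ipaSudoRunAsUserCategory`, `ipaSudoRunAsGroupCategory`, the `*Ext*` variants) are assumed from the FreeIPA sudo schema, and the sample records are constructed, modelled on the ticket's `testing` rule.

```python
"""Audit helper: flag IPA sudo rules that fall back to root because no RunAs
user/group is defined while the RunAs user category is not 'all'.

Input is the text of `ipa sudorule-show <rule> --raw --all` (one "attr: value"
per line). Added example; attribute names other than ipaSudoRunAs are assumed
from the FreeIPA sudo schema, not taken from this ticket.
"""
import re
from typing import Dict, List

# --raw output lower-cases most attribute names, so all comparisons are
# done on lower-cased keys.
RUNAS_USER_ATTRS = ("ipasudorunas", "ipasudorunasextuser")        # assumed schema names
RUNAS_GROUP_ATTRS = ("ipasudorunasgroup", "ipasudorunasextgroup")  # assumed schema names
RUNAS_USER_CAT = "ipasudorunasusercategory"                        # assumed schema name

# Constructed sample records, modelled on the ticket's output.
SAMPLE_RECORDS = [
    # 1: the ticket's case -> no RunAs at all, category not 'all' -> implicit root
    """[root@rhel7-ipa-2 ~]# ipa sudorule-show testing --raw --all
  dn: ipaUniqueID=00000000-0000-0000-0000-000000000001,cn=sudorules,cn=sudo,dc=example,dc=com
  cn: testing
  ipaenabledflag: TRUE
  hostcategory: all
  cmdcategory: all
  memberuser: uid=tuserx,cn=users,cn=accounts,dc=example,dc=com
  objectClass: ipasudorule
  objectClass: ipaassociation
""",
    # 2: RunAs user explicitly set -> fine
    """  cn: backup-as-svc
  ipaenabledflag: TRUE
  ipasudorunas: uid=svcbackup,cn=users,cn=accounts,dc=example,dc=com
  memberuser: uid=tuserx,cn=users,cn=accounts,dc=example,dc=com
""",
    # 3: RunAs category explicitly 'all' -> root is a declared choice, not a fallback
    """  cn: admins-anyone
  ipaenabledflag: TRUE
  ipasudorunasusercategory: all
""",
    # 4: same defect as rule 1 but disabled -> not currently exploitable, not reported
    """  cn: old-disabled
  ipaenabledflag: FALSE
  cmdcategory: all
""",
]


def parse_raw_show(text: str) -> Dict[str, List[str]]:
    """Parse `ipa sudorule-show --raw --all` output into {attr: [values]}.
    Keys are lower-cased; multi-valued attributes accumulate. Prompt lines,
    blank lines and separators do not match the pattern and are skipped."""
    attrs: Dict[str, List[str]] = {}
    for line in text.splitlines():
        m = re.match(r"^\s*([A-Za-z][\w-]*):\s*(.*)$", line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        attrs.setdefault(key, []).append(value)
    return attrs


def implicit_root_runas(attrs: Dict[str, List[str]]) -> bool:
    """True when the rule is enabled, its RunAs user category is not 'all',
    and no RunAs user or group is defined: sudo then applies its default
    (root), which is the behaviour the ticket reports."""
    enabled = attrs.get("ipaenabledflag", ["TRUE"])[0].upper() == "TRUE"
    if not enabled:
        return False
    if attrs.get(RUNAS_USER_CAT, [""])[0].lower() == "all":
        return False
    has_user = any(attrs.get(a) for a in RUNAS_USER_ATTRS)
    has_group = any(attrs.get(a) for a in RUNAS_GROUP_ATTRS)
    return not (has_user or has_group)


def audit(records: List[str]) -> List[str]:
    """Return the cn of every record that silently grants root."""
    findings = []
    for rec in records:
        attrs = parse_raw_show(rec)
        if implicit_root_runas(attrs):
            findings.append(attrs.get("cn", ["<no cn>"])[0])
    return findings


if __name__ == "__main__":
    for name in audit(SAMPLE_RECORDS):
        print(f"rule '{name}': no RunAs user/group defined, sudo will default to root")
```

In practice the records would come from `ipa sudorule-find --raw --all` (or an LDAP search under `cn=sudorules,cn=sudo,<base DN>`), one record per rule; a rule that is flagged should either get an explicit RunAs user/group or have its RunAs category set to `all` so that running as root is a deliberate, visible decision rather than a fallthrough.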

Metadata Update from @pvoborni:
- Issue assigned to someone
- Issue set to the milestone: FreeIPA 4.5 backlog

7 years ago
