#7538 sudo rule for "admins" members should be created by default
Closed: fixed 5 years ago Opened 6 years ago by martinpitt.

Request for enhancement

As FreeIPA admin, I want to administer local machines enrolled into an IPA domain.

Issue

Members of the IPA admins group are considered "global admins". But they are not allowed by default to run sudo commands. This is somewhat an "unbreak my configuration" step, as IPA admins members can give this privilege to themselves. So it should just be done by default, to simplify installation and documentation.

Steps to Reproduce

First, run ipa-client-install on a fresh machine, and enroll into the realm. Then log in as admin@machine:

$ id
uid=953000000(admin) gid=953000000(admins) groups=953000000(admins) context=[...]
$ sudo whoami
[sudo] password for admin: 
admin is not allowed to run sudo on x0.  This incident will be reported.

But admin can allow it to themselves:

$ ipa sudorule-add --hostcat=all --cmdcat=all All
$ ipa sudorule-add-user --groups=admins All

Now wait a bit for the caches to expire, or reboot the computer, or log into a different machine in the same realm.

$ sudo whoami
[sudo] password for admin: 
root

So adding such a rule by default does not change any security properties of the system, just makes the setup more convenient.

Version/Release/Distribution

freeipa-server-4.6.90.pre1-6.1.fc28.x86_64


If it isn't desirable to do this by default for some reason, it could also become an ipa advise hint. (Thanks to @abbra for pointing this out)
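A small audit helper for the kind of rule this ticket asks for, added here as an example and not code from the FreeIPA project: it parses the text that `ipa sudorule-find --all` prints (the sample below is constructed, not captured from a real deployment) and flags enabled rules whose host and command categories are both `all`, so an administrator can see at a glance which groups hold blanket sudo after the change.

```python
import re

# Constructed sample of `ipa sudorule-find --all` output: the blanket "All" rule
# from the ticket next to a narrower rule, to show the check telling them apart.
SAMPLE_OUTPUT = """\
--------------------
2 Sudo Rules matched
--------------------
  Rule name: All
  Enabled: TRUE
  Host category: all
  Command category: all
  User Groups: admins

  Rule name: helpdesk-restart
  Enabled: TRUE
  User Groups: helpdesk
  Hosts: ws01.example.test, ws02.example.test
  Sudo Allow Commands: /usr/bin/systemctl restart sssd
----------------------------
Number of entries returned 2
----------------------------
"""

# Every attribute line is printed as two spaces, a label, a colon and the value.
FIELD = re.compile(r"^\s{2}([A-Za-z ]+): (.*)$")


def parse_sudorules(text):
    """Turn sudorule-find output into one {label: value} dict per rule."""
    rules, current = [], None
    for line in text.splitlines():
        m = FIELD.match(line)
        if not m:
            continue  # separators, counts and blank lines carry no attributes
        key, value = m.group(1), m.group(2).strip()
        if key == "Rule name":  # a new entry always starts with its name
            current = {}
            rules.append(current)
        if current is not None:
            current[key] = value
    return rules


def blanket_rules(rules):
    """Names of enabled rules granting any command on any host, with grantees."""
    return [(r["Rule name"], r.get("User Groups", ""), r.get("Users", ""))
            for r in rules
            if r.get("Enabled") == "TRUE"
            and r.get("Host category") == "all"
            and r.get("Command category") == "all"]


if __name__ == "__main__":
    for name, groups, users in blanket_rules(parse_sudorules(SAMPLE_OUTPUT)):
        print(f"blanket sudo rule {name!r}: groups={groups!r} users={users!r}")
```

Feed it real output with `ipa sudorule-find --all | python3 audit_sudorules.py`-style plumbing if you replace the constant with `sys.stdin.read()`; disabled rules are skipped on purpose because SSSD does not apply them.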

Metadata Update from @rcritten:
- Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1609873

5 years ago

Metadata Update from @rcritten:
- Issue set to the milestone: FreeIPA 4.7.1

5 years ago

Metadata Update from @rcritten:
- Issue assigned to rcritten

5 years ago

master:

  • c6b3cf6 Advise plugin for enabling sudo for members of the admins group

ipa-4-7:

  • 5cbb0f3 Advise plugin for enabling sudo for members of the admins group

Metadata Update from @rcritten:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)

5 years ago

Note that the RFE was to provide these sudo rules by default. We implemented this as an ipa-advise script instead, keeping the default still conservative.

The argument for adding by default was that an admin could add these rules themselves, so there was no protection by the existing default, but the argument against was that this represents a big change from the previous default.

master:

  • 324da5c ipatests: add test for ipa-advise for enabling sudo for admins group

ipa-4-7:

  • eca02e1 ipatests: add test for ipa-advise for enabling sudo for admins group
