#863 anonymous bind acis for cn=sudo,$SUFFIX and ou=SUDOers,$SUFFIX
Closed: Fixed. Opened 13 years ago by jraquino.

Sudo should be included in the deny acis that currently protect roles and hbac from anonymously bound users.

It has been suggested that a small management script would be ideal to disable this security feature, in that ou=SUDOers will be accessed by nss_ldap and it is possible that users could wish to access this with an anonymous bind, e.g. Solaris, HP, etc.

Patch should provide:

- ACI to protect cn=sudo,$SUFFIX
- ACI to protect ou=SUDOers,$SUFFIX
- Management tool to remove ACI for ou=SUDOers,$SUFFIX
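As an added illustration (not the ticket's patch and not FreeIPA's own code), the following shell sketch shows the "deny anonymous" ACI and the small management tool the description asks for, applied to cn=sudo,$SUFFIX. It assumes 389-DS ACI syntax, a caller-supplied $SUFFIX and a Directory Manager bind; the ACL name and function names are this example's own.

```bash
# Added example (not FreeIPA's code): sketch of an "anonymous-access" tool for cn=sudo.
# Assumptions: 389-DS ACI syntax, SUFFIX supplied by the caller, Directory Manager bind.
SUFFIX="${SUFFIX:-dc=example,dc=com}"
ACL_NAME="No anonymous access to sudo"        # this example's own ACL name

# Container protected by this tool; ou=SUDOers,$SUFFIX would be handled the same way.
container_dn() { printf 'cn=sudo,%s' "$SUFFIX"; }

# The deny ACI: any bind that is not an authenticated user (userdn != ldap:///all),
# i.e. an anonymous bind, is refused read/search/compare on the subtree.
deny_aci() {
  printf '(targetattr = "*")(version 3.0; acl "%s"; deny (read,search,compare) userdn != "ldap:///all";)' "$ACL_NAME"
}

# LDIF that adds ($1=add) or deletes ($1=delete) the ACI on the container; piped into ldapmodify.
aci_ldif() {
  printf 'dn: %s\nchangetype: modify\n%s: aci\naci: %s\n' "$(container_dn)" "$1" "$(deny_aci)"
}

# Reads an ldapsearch dump of the container's aci attribute on stdin and prints
# "closed" when the deny ACI is present, "open" when anonymous reads are possible.
anon_status_from_acis() {
  if grep -Fq "acl \"$ACL_NAME\""; then echo closed; else echo open; fi
}

# The proposed command: --status reports, --disable closes, --enable reopens anonymous access.
anonymous_access() {
  case "$1" in
    --status)  ldapsearch -x -D "cn=Directory Manager" -W -b "$(container_dn)" -s base aci \
                 | anon_status_from_acis ;;
    --disable) aci_ldif add    | ldapmodify -x -D "cn=Directory Manager" -W ;;
    --enable)  aci_ldif delete | ldapmodify -x -D "cn=Directory Manager" -W ;;
    *) echo "usage: anonymous_access --status|--enable|--disable" >&2; return 2 ;;
  esac
}
```

After `--disable`, an anonymous `ldapsearch -x -b "cn=sudo,$SUFFIX"` should return no entries, while a bound service account (the binduser approach discussed below) still sees them.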

I thought we talked about this and decided that it is better to leave it open, right?
I am not against a tool to close/open access if needed.

Maybe it should be something like:
- ipa anonymous-access [ --enable|--disable|--status] [sudo |hbac | role]

The command would add or remove corresponding ACIs that control anonymous access.
Does this make sense?

Also suggest to move it to 2.1 for now and triage there later.

We will track an enhancement to manage the anonymous access via a special command option. I will open another ticket to add aci for sudo.

Replying to [comment:1 dpal]:

> I thought we talked about this and decided that it is better to leave it open, right?
> I am not against a tool to close/open access if needed.
>
> Maybe it should be something like:
> - ipa anonymous-access [ --enable|--disable|--status] [sudo |hbac | role]
>
> The command would add or remove corresponding ACIs that control anonymous access.
> Does this make sense?
>
> Also suggest to move it to 2.1 for now and triage there later.

Negative.

By default the ACIs were decided to prohibit anonymous access.
On a standalone system /etc/sudoers is set to root:root with 440.
Sudo information is critical security information that should be treated at a similar level to passwords in terms of protections.

A binduser is instead suggested as a means to accommodate sudo, and it is written into the beginnings of the documentation.

I am moving it to 3.1. JR, you are welcome to contribute at any moment. If you do it within the 3.0 timeframe, we will pull it in.

We will be able to change the visibility of containers like this one when the Permission V2 feature being worked on in #3566 is complete.

Access to sudo objects can now be controlled via managed permissions:

master: 7786ff6

See #3566 for details.

Metadata Update from @jraquino:
- Issue assigned to pviktori
- Issue set to the milestone: FreeIPA 4.0 - 2014/04

7 years ago