URL: https://github.com/freeipa/freeipa/pull/2357 Author: rcritten Title: #2357: [Backport][ipa-4-7] Advise plugin for enabling sudo for members of the admins group Action: opened
PR body: """ This PR was opened automatically because PR #2349 was pushed to master and backport to ipa-4-7 is required. """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/2357/head:pr2357 git checkout pr2357
From 813897801a36d2d0c1aff2dd7f316487bc6641f3 Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcrit...@redhat.com>
Date: Mon, 10 Sep 2018 10:32:37 -0400
Subject: [PATCH] Advise plugin for enabling sudo for members of the admins group

Create HBAC and a sudo rule for allowing members of the admins group to run sudo on all enrolled hosts.

https://pagure.io/freeipa/issue/7538

Signed-off-by: Rob Crittenden <rcrit...@redhat.com>
---
 ipaserver/advise/plugins/admins_sudo.py | 63 +++++++++++++++++++++++++
 1 file changed, 63 insertions(+)
 create mode 100644 ipaserver/advise/plugins/admins_sudo.py

diff --git a/ipaserver/advise/plugins/admins_sudo.py b/ipaserver/advise/plugins/admins_sudo.py
new file mode 100644
index 0000000000..c9943a74c2
--- /dev/null
+++ b/ipaserver/advise/plugins/admins_sudo.py
@@ -0,0 +1,63 @@
+#
+# Copyright (C) 2018 FreeIPA Contributors see COPYING for license
+#
+
+from __future__ import absolute_import
+
+from ipalib.plugable import Registry
+from ipaserver.advise.base import Advice
+
+register = Registry()
+
+
+@register()
+class enable_admins_sudo(Advice):
+    """
+    Configures HBAC and SUDO for members of the admins group
+    """
+
+    description = ("Instructions for enabling HBAC and unauthenticated "
+                   "SUDO for members of the admins group.")
+
+    def check_ccache_not_empty(self):
+        self.log.comment('Check whether the credential cache is not empty')
+        self.log.exit_on_failed_command(
+            'klist',
+            [
+                "Credential cache is empty",
+                'Use kinit as privileged user to obtain Kerberos credentials'
+            ])
+
+    def create_hbac_rule(self):
+        self.log.comment('Create the HBAC rule for sudo')
+        self.log.exit_on_failed_command(
+            'err=$(ipa hbacrule-add --hostcat=all --desc "Allow admins '
+            'to run sudo on all hosts" admins_sudo 2>&1)',
+            ['Failed to add hbac rule: ${err}'])
+        self.log.command('ipa hbacrule-add-user --groups=admins admins_sudo')
+        self.log.command(
+            'ipa hbacrule-add-service --hbacsvcs=sudo admins_sudo'
+        )
+
+    def create_sudo_rule(self):
+        self.log.comment('Create the SUDO rule for the admins group')
+        self.log.exit_on_failed_command(
+            'err=$(ipa sudorule-add --desc "Allow admins to run any command '
+            'on any host" --hostcat=all --cmdcat=all admins_all '
+            '2>&1)',
+            ['Failed to add sudo rule: ${err}'])
+        self.log.command('ipa sudorule-add-user --groups=admins admins_all')
+
+    def get_info(self):
+        self.check_ccache_not_empty()
+        with self.log.if_branch(
+                'ipa hbacrule-show admins_sudo > /dev/null 2>&1'):
+            self.log.command('echo HBAC rule admins_sudo already exists')
+        with self.log.else_branch():
+            self.create_hbac_rule()
+
+        with self.log.if_branch(
+                'ipa sudorule-show admins_all > /dev/null 2>&1'):
+            self.log.command('echo SUDO rule admins_all already exists')
+        with self.log.else_branch():
+            self.create_sudo_rule()
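Review bot: The membership steps in create_hbac_rule and create_sudo_rule go through `self.log.command`, so a failure of `ipa hbacrule-add-user --groups=admins admins_sudo`, the `hbacrule-add-service` call or `ipa sudorule-add-user --groups=admins admins_all` is not fatal, and because get_info decides to skip purely on `hbacrule-show` / `sudorule-show` succeeding, a re-run after such a failure reports the rule as already existing while it has no members or services attached. Routing those calls through the same helper the rule creation uses, e.g. `self.log.exit_on_failed_command('ipa hbacrule-add-user --groups=admins admins_sudo', ['Failed to add admins to hbac rule admins_sudo'])`, keeps the generated script from leaving a half-built rule behind silently. Separately, the class `description` promises "unauthenticated SUDO", but nothing in create_sudo_rule sets a sudo option to that effect, so the rule as generated keeps sudo's default authentication behaviour; either the description should state what the rule actually grants (any command on any host for the admins group, with authentication unchanged) or the code and the text should be brought into agreement in a follow-up.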