Dmitri Pal wrote:
>> How do we adjust FreeIPA such that it ensures Deny-IPASudoRules precede any 
>> Allow-IPASudoRules ?
>>   
>>     
> So it looks like current schema would not fly well with SUDO due to SUDO
> bug/feature. SUDO will match just any first rule that satisfies the
> user-hpost-command combination but we can't guarantee that rules come in
> the same order. So there is a possibility that allow rule will come
> before deny rule in our case and will be matched.
> It is unfortunate and should be fixed by SUDO. In a meantime we need to
> alter the schema to be able to express allowed and not allowed commands
> in one rule.
> It will be up to the admin to know the limitations of SUDO based on the
> documentation we provide and construct the rules in a non contradicting
> way. We might be able to add some nice checks in future.
>
> So here is current schema:
>
> objectClasses: (2.16.840.1.113730.3.8.8.TBD 
>                 NAME 'ipaSudoRule' 
>                 SUP ipaAssociation 
>                 STRUCTURAL 
>                 MUST accessRuleType
>                 MAY ( externalUser $ 
>                       externalHost $ hostMask $ 
>                       memberCmd $ cmdCategory $
>                       ipaSudoOpt $
>                       ipaSudoRunAs $ ipaSudoRunAsExtUser $ 
> ipaSudoRunAsUserCategory $
>                       ipaSudoRunAsGroup $ ipaSudoRunAsExtGroup $ 
> ipaSudoRunAsGroupCategory ) 
>                 X-ORIGIN 'IPA v2' )
>
>
> We will :
> * Remove accessRuleType
> * Add memberNotCmd same a memberCmd
>
> attributeTypes: (2.16.840.1.113730.3.8.7.TBD 
>                  NAME 'memberNotCmd' 
>                  DESC 'Reference to a command or group of the commands that 
> is not allowed.' 
>                  SUP distinguishedName 
>                  EQUALITY distinguishedNameMatch 
>                  ORDERING distinguishedNameMatch 
>                  SUBSTR distinguishedNameMatch 
>                  SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 
>                  X-ORIGIN 'IPA v2' )
>
>
> The logic then will be:
> * If no memberCmd, memberNotCmd or cmdCategory attribute is specified -
> no command is allowed
> * If cmdCategory is specified (only value is "all") all other attributes
> are ignored and all commands are allowed
> * If cmdCategory is not specified
>      * If memberCmd is specified it defines commands or groups of the
> commands that are allowed
>      * If memberNotCmd is specified it defines commands or groups of the
> commands that are not allowed
>      Both attributes are allowed at the same time defining allowed and
> not allowed commands within the same rule.
>
> This does not solve the problem fully but at least gets us into the same
> boat as current SUDO schema.
>
> Comments welcome!
> If there are no objections by end of Friday I will craft a patch over
> the weekend.
>
> Thanks
> Dmitri
>
>
>   

I updated the wiki and implemented the change.
Patch is attached.



> _______________________________________________
> Freeipa-devel mailing list
> Freeipa-devel@redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-devel
>
>
>   


-- 
Thank you,
Dmitri Pal

Engineering Manager IPA project,
Red Hat Inc.


-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From 099e2660b97e42bba9e72d6b0c12e2975c883fc1 Mon Sep 17 00:00:00 2001
From: Dmitri Pal <d...@redhat.com>
Date: Sun, 3 Oct 2010 13:09:34 -0400
Subject: [PATCH] [SUDO] Allow and deny commands in one rule

1) Added new attribute memberDenyCommand
2) Renamed memberCmd to memberAllowCmd
3) Changed the object class:
 * removed type
 * reflected the rename change
 * added the new attribute
4) Renumbered the attributes (while we still can) for consistency.
---
 install/share/60sudo.ldif |   30 ++++++++++++++++--------------
 1 files changed, 16 insertions(+), 14 deletions(-)

diff --git a/install/share/60sudo.ldif b/install/share/60sudo.ldif
index d8db306f2e24b1d744a85707849fe1162b2c78e1..d7080859be12abd7b1f27a5f9cbeebee44af8969 100644
--- a/install/share/60sudo.ldif
+++ b/install/share/60sudo.ldif
@@ -6,30 +6,32 @@ dn: cn=schema
 ## ObjectClasses:       2.16.840.1.113730.3.8.8.x
 ##
 ## Attribute to store DN of a SUDO command or a group of SUDO commands
-attributetypes: (2.16.840.1.113730.3.8.7.1 NAME 'memberCmd' DESC 'Reference to a command or group of the commands.' SUP distinguishedName EQUALITY distinguishedNameMatch ORDERING distinguishedNameMatch SUBSTR distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 X-ORIGIN 'IPA v2' )
+attributetypes: (2.16.840.1.113730.3.8.7.1 NAME 'memberAllowCmd' DESC 'Reference to a command or group of the commands that are allowed by the rule.' SUP distinguishedName EQUALITY distinguishedNameMatch ORDERING distinguishedNameMatch SUBSTR distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 X-ORIGIN 'IPA v2' )
 ## Attribute to store command category
-attributeTypes: (2.16.840.1.113730.3.8.7.2 NAME 'cmdCategory' DESC 'Additional classification for commands' EQUALITY caseIgnoreMatch ORDERING caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'IPA v2' )
+attributetypes: (2.16.840.1.113730.3.8.7.2 NAME 'memberDenyCmd' DESC 'Reference to a command or group of the commands that are denied by the rule.' SUP distinguishedName EQUALITY distinguishedNameMatch ORDERING distinguishedNameMatch SUBSTR distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 X-ORIGIN 'IPA v2' )
+## Attribute to store command category
+attributeTypes: (2.16.840.1.113730.3.8.7.3 NAME 'cmdCategory' DESC 'Additional classification for commands' EQUALITY caseIgnoreMatch ORDERING caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'IPA v2' )
 ## Attribute to store user not managed by the central server
-attributetypes: (2.16.840.1.113730.3.8.7.3 NAME 'externalUser' DESC 'Multivalue string attribute that allows storing user names.' EQUALITY caseIgnoreMatch ORDERING caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'IPA v2' )
+attributetypes: (2.16.840.1.113730.3.8.7.4 NAME 'externalUser' DESC 'Multivalue string attribute that allows storing user names.' EQUALITY caseIgnoreMatch ORDERING caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'IPA v2' )
 ## Attribute to store sudo options
-attributetypes: (2.16.840.1.113730.3.8.7.4 NAME 'ipaSudoOpt' DESC 'Options(s) followed by sudo' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 X-ORIGIN 'IPA v2' )
+attributetypes: (2.16.840.1.113730.3.8.7.5 NAME 'ipaSudoOpt' DESC 'Options(s) followed by sudo' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 X-ORIGIN 'IPA v2' )
 ## Attribute to store the reference identity under which the command should be run
-attributeTypes: (2.16.840.1.113730.3.8.7.5 NAME 'ipaSudoRunAs' DESC 'Reference to a user or group that the commands can be run as.' SUP memberUser X-ORIGIN 'IPA v2' )
+attributeTypes: (2.16.840.1.113730.3.8.7.6 NAME 'ipaSudoRunAs' DESC 'Reference to a user or group that the commands can be run as.' SUP memberUser X-ORIGIN 'IPA v2' )
 ## Attribute to store a name of the user not managed by IPA. Command witll be executed under his identity.
-attributeTypes: (2.16.840.1.113730.3.8.7.6 NAME 'ipaSudoRunAsExtUser' DESC 'Multivalue string attribute that allows storing user name the command can be run as' EQUALITY caseIgnoreMatch ORDERING caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'IPA v2' )
+attributeTypes: (2.16.840.1.113730.3.8.7.7 NAME 'ipaSudoRunAsExtUser' DESC 'Multivalue string attribute that allows storing user name the command can be run as' EQUALITY caseIgnoreMatch ORDERING caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'IPA v2' )
 ## Attribute to express category of identities that the command can be run under
-attributeTypes: (2.16.840.1.113730.3.8.7.7 NAME 'ipaSudoRunAsUserCategory' DESC 'Additional classification for users' SUP userCategory X-ORIGIN 'IPA v2' )
+attributeTypes: (2.16.840.1.113730.3.8.7.8 NAME 'ipaSudoRunAsUserCategory' DESC 'Additional classification for users' SUP userCategory X-ORIGIN 'IPA v2' )
 ## Attribute to store a reference to the "run as group" identitity
-attributeTypes: (2.16.840.1.113730.3.8.7.8 NAME 'ipaSudoRunAsGroup' DESC 'Reference to group that the commands can be run as.' SUP memberUser X-ORIGIN 'IPA v2' )
+attributeTypes: (2.16.840.1.113730.3.8.7.9 NAME 'ipaSudoRunAsGroup' DESC 'Reference to group that the commands can be run as.' SUP memberUser X-ORIGIN 'IPA v2' )
 ## Attribute to store a name of the "run as group" identitity if this group is not directly managed by IPA
-attributeTypes: (2.16.840.1.113730.3.8.7.9 NAME 'ipaSudoRunAsExtGroup' DESC 'Multivalue string attribute that allows storing group name the command can be run as' EQUALITY caseIgnoreMatch ORDERING caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'IPA v2' )
+attributeTypes: (2.16.840.1.113730.3.8.7.10 NAME 'ipaSudoRunAsExtGroup' DESC 'Multivalue string attribute that allows storing group name the command can be run as' EQUALITY caseIgnoreMatch ORDERING caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'IPA v2' )
 ## Attribute to express category of group identities that the command can be run under
-attributeTypes: (2.16.840.1.113730.3.8.7.10 NAME 'ipaSudoRunAsGroupCategory' DESC 'Additional classification for groups' SUP userCategory X-ORIGIN 'IPA v2' )
+attributeTypes: (2.16.840.1.113730.3.8.7.11 NAME 'ipaSudoRunAsGroupCategory' DESC 'Additional classification for groups' SUP userCategory X-ORIGIN 'IPA v2' )
 ## Attribute to store host mask
-attributeTypes: (2.16.840.1.113730.3.8.7.11 NAME 'hostMask' DESC 'IP mask to identify a subnet.' EQUALITY caseIgnoreIA5Match ORDERING caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'IPA v2' )
+attributeTypes: (2.16.840.1.113730.3.8.7.12 NAME 'hostMask' DESC 'IP mask to identify a subnet.' EQUALITY caseIgnoreMatch ORDERING caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'IPA v2' )
 ## Object class for SUDO rules
-objectClasses: (2.16.840.1.113730.3.8.8.1 NAME 'ipaSudoRule' SUP ipaAssociation STRUCTURAL MUST accessRuleType MAY ( externalUser $ externalHost $ hostMask $ memberCmd $ cmdCategory $ ipaSudoOpt $ ipaSudoRunAs $ ipaSudoRunAsExtUser $ ipaSudoRunAsUserCategory $ ipaSudoRunAsGroup $ ipaSudoRunAsExtGroup $ ipaSudoRunAsGroupCategory ) X-ORIGIN 'IPA v2' )
+objectClasses: (2.16.840.1.113730.3.8.8.1 NAME 'ipaSudoRule' SUP ipaAssociation STRUCTURAL MAY ( externalUser $ externalHost $ hostMask $ memberAllowCmd $ memberDenyCmd $ cmdCategory $ ipaSudoOpt $ ipaSudoRunAs $ ipaSudoRunAsExtUser $ ipaSudoRunAsUserCategory $ ipaSudoRunAsGroup $ ipaSudoRunAsExtGroup $ ipaSudoRunAsGroupCategory ) X-ORIGIN 'IPA v2' )
 ## Object class for SUDO commands
-objectClasses: (2.16.840.1.113730.3.8.8.2 NAME 'ipaSudoCmd' DESC 'IPA object class for SUDO command' STRUCTURAL MUST ( ipaUniqueID $ cn ) MAY  ( description ) X-ORIGIN 'IPA v2' )
+objectClasses: (2.16.840.1.113730.3.8.8.2 NAME 'ipaSudoCmd' DESC 'IPA object class for SUDO command' STRUCTURAL MUST ( ipaUniqueID $ cn ) MAY  ( memberOf $ description ) X-ORIGIN 'IPA v2' )
 ## Object class for groups of the SUDO commands
-objectClasses: (2.16.840.1.113730.3.8.8.3 NAME 'ipaSudoCmdGrp' DESC 'IPA object class to store groups of SUDO commands' SUP groupOfUniqueNames MUST ( ipaUniqueID ) STRUCTURAL X-ORIGIN 'IPA v2' )
+objectClasses: (2.16.840.1.113730.3.8.8.3 NAME 'ipaSudoCmdGrp' DESC 'IPA object class to store groups of SUDO commands' SUP groupOfNames MUST ( ipaUniqueID ) STRUCTURAL X-ORIGIN 'IPA v2' )
-- 
1.5.5.6

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Reply via email to