Dmitri Pal wrote:
Dmitri Pal wrote:
Dmitri Pal wrote:
How do we adjust FreeIPA such that it ensures Deny-IPASudoRules precede any
Allow-IPASudoRules ?
So it looks like current schema would not fly well with SUDO due to SUDO
bug/feature. SUDO will match just any first rule that satisfies the
user-hpost-command combination but we can't guarantee that rules come in
the same order. So there is a possibility that allow rule will come
before deny rule in our case and will be matched.
It is unfortunate and should be fixed by SUDO. In a meantime we need to
alter the schema to be able to express allowed and not allowed commands
in one rule.
It will be up to the admin to know the limitations of SUDO based on the
documentation we provide and construct the rules in a non contradicting
way. We might be able to add some nice checks in future.
So here is current schema:
objectClasses: (2.16.840.1.113730.3.8.8.TBD
NAME 'ipaSudoRule'
SUP ipaAssociation
STRUCTURAL
MUST accessRuleType
MAY ( externalUser $
externalHost $ hostMask $
memberCmd $ cmdCategory $
ipaSudoOpt $
ipaSudoRunAs $ ipaSudoRunAsExtUser $
ipaSudoRunAsUserCategory $
ipaSudoRunAsGroup $ ipaSudoRunAsExtGroup $
ipaSudoRunAsGroupCategory )
X-ORIGIN 'IPA v2' )
We will :
* Remove accessRuleType
* Add memberNotCmd same a memberCmd
attributeTypes: (2.16.840.1.113730.3.8.7.TBD
NAME 'memberNotCmd'
DESC 'Reference to a command or group of the commands that is
not allowed.'
SUP distinguishedName
EQUALITY distinguishedNameMatch
ORDERING distinguishedNameMatch
SUBSTR distinguishedNameMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
X-ORIGIN 'IPA v2' )
The logic then will be:
* If no memberCmd, memberNotCmd or cmdCategory attribute is specified -
no command is allowed
* If cmdCategory is specified (only value is "all") all other attributes
are ignored and all commands are allowed
* If cmdCategory is not specified
* If memberCmd is specified it defines commands or groups of the
commands that are allowed
* If memberNotCmd is specified it defines commands or groups of the
commands that are not allowed
Both attributes are allowed at the same time defining allowed and
not allowed commands within the same rule.
This does not solve the problem fully but at least gets us into the same
boat as current SUDO schema.
Comments welcome!
If there are no objections by end of Friday I will craft a patch over
the weekend.
Thanks
Dmitri
I updated the wiki and implemented the change.
Patch is attached.
Rebased patch attached.
ack, pushed to master.
JR, can you fix up the sudo plugins to match this new schema?
thanks
rob
_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
