On Oct 4, 2010, at 2:02 PM, Rob Crittenden wrote:

> Dmitri Pal wrote:
>> Dmitri Pal wrote:
>>> Dmitri Pal wrote:
>>> 
>>>>> How do we adjust FreeIPA such that it ensures Deny-IPASudoRules precede 
>>>>> any Allow-IPASudoRules ?
>>>>> 
>>>>> 
>>>>> 
>>>> So it looks like current schema would not fly well with SUDO due to SUDO
>>>> bug/feature. SUDO will match just any first rule that satisfies the
>>>> user-hpost-command combination but we can't guarantee that rules come in
>>>> the same order. So there is a possibility that allow rule will come
>>>> before deny rule in our case and will be matched.
>>>> It is unfortunate and should be fixed by SUDO. In a meantime we need to
>>>> alter the schema to be able to express allowed and not allowed commands
>>>> in one rule.
>>>> It will be up to the admin to know the limitations of SUDO based on the
>>>> documentation we provide and construct the rules in a non contradicting
>>>> way. We might be able to add some nice checks in future.
>>>> 
>>>> So here is current schema:
>>>> 
>>>> objectClasses: (2.16.840.1.113730.3.8.8.TBD
>>>>                 NAME 'ipaSudoRule'
>>>>                 SUP ipaAssociation
>>>>                 STRUCTURAL
>>>>                 MUST accessRuleType
>>>>                 MAY ( externalUser $
>>>>                       externalHost $ hostMask $
>>>>                       memberCmd $ cmdCategory $
>>>>                       ipaSudoOpt $
>>>>                       ipaSudoRunAs $ ipaSudoRunAsExtUser $ 
>>>> ipaSudoRunAsUserCategory $
>>>>                       ipaSudoRunAsGroup $ ipaSudoRunAsExtGroup $ 
>>>> ipaSudoRunAsGroupCategory )
>>>>                 X-ORIGIN 'IPA v2' )
>>>> 
>>>> 
>>>> We will :
>>>> * Remove accessRuleType
>>>> * Add memberNotCmd same a memberCmd
>>>> 
>>>> attributeTypes: (2.16.840.1.113730.3.8.7.TBD
>>>>                  NAME 'memberNotCmd'
>>>>                  DESC 'Reference to a command or group of the commands 
>>>> that is not allowed.'
>>>>                  SUP distinguishedName
>>>>                  EQUALITY distinguishedNameMatch
>>>>                  ORDERING distinguishedNameMatch
>>>>                  SUBSTR distinguishedNameMatch
>>>>                  SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
>>>>                  X-ORIGIN 'IPA v2' )
>>>> 
>>>> 
>>>> The logic then will be:
>>>> * If no memberCmd, memberNotCmd or cmdCategory attribute is specified -
>>>> no command is allowed
>>>> * If cmdCategory is specified (only value is "all") all other attributes
>>>> are ignored and all commands are allowed
>>>> * If cmdCategory is not specified
>>>>      * If memberCmd is specified it defines commands or groups of the
>>>> commands that are allowed
>>>>      * If memberNotCmd is specified it defines commands or groups of the
>>>> commands that are not allowed
>>>>      Both attributes are allowed at the same time defining allowed and
>>>> not allowed commands within the same rule.
>>>> 
>>>> This does not solve the problem fully but at least gets us into the same
>>>> boat as current SUDO schema.
>>>> 
>>>> Comments welcome!
>>>> If there are no objections by end of Friday I will craft a patch over
>>>> the weekend.
>>>> 
>>>> Thanks
>>>> Dmitri
>>>> 
>>>> 
>>>> 
>>>> 
>>> 
>>> I updated the wiki and implemented the change.
>>> Patch is attached.
>>> 
>>> 
>>> 
>>> 
>> 
>> Rebased patch attached.
> 
> ack, pushed to master.
> 
> JR, can you fix up the sudo plugins to match this new schema?
> 
> thanks
> 
> rob

Will get right on it.  Try to have it done early tomorrow if not by end of day 
today.

-JR


_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Reply via email to