On Oct 4, 2010, at 2:02 PM, Rob Crittenden wrote:

> Dmitri Pal wrote:
>> Dmitri Pal wrote:
>>> Dmitri Pal wrote:
>>> 
>>>>> How do we adjust FreeIPA such that it ensures Deny-IPASudoRules precede 
>>>>> any Allow-IPASudoRules ?
>>>>> 
>>>>> 
>>>>> 
>>>> So it looks like current schema would not fly well with SUDO due to SUDO
>>>> bug/feature. SUDO will match just any first rule that satisfies the
>>>> user-hpost-command combination but we can't guarantee that rules come in
>>>> the same order. So there is a possibility that allow rule will come
>>>> before deny rule in our case and will be matched.
>>>> It is unfortunate and should be fixed by SUDO. In a meantime we need to
>>>> alter the schema to be able to express allowed and not allowed commands
>>>> in one rule.
>>>> It will be up to the admin to know the limitations of SUDO based on the
>>>> documentation we provide and construct the rules in a non contradicting
>>>> way. We might be able to add some nice checks in future.
>>>> 
>>>> So here is current schema:
>>>> 
>>>> objectClasses: (2.16.840.1.113730.3.8.8.TBD
>>>>                 NAME 'ipaSudoRule'
>>>>                 SUP ipaAssociation
>>>>                 STRUCTURAL
>>>>                 MUST accessRuleType
>>>>                 MAY ( externalUser $
>>>>                       externalHost $ hostMask $
>>>>                       memberCmd $ cmdCategory $
>>>>                       ipaSudoOpt $
>>>>                       ipaSudoRunAs $ ipaSudoRunAsExtUser $ 
>>>> ipaSudoRunAsUserCategory $
>>>>                       ipaSudoRunAsGroup $ ipaSudoRunAsExtGroup $ 
>>>> ipaSudoRunAsGroupCategory )
>>>>                 X-ORIGIN 'IPA v2' )
>>>> 
>>>> 
>>>> We will :
>>>> * Remove accessRuleType
>>>> * Add memberNotCmd same a memberCmd
>>>> 
>>>> attributeTypes: (2.16.840.1.113730.3.8.7.TBD
>>>>                  NAME 'memberNotCmd'
>>>>                  DESC 'Reference to a command or group of the commands 
>>>> that is not allowed.'
>>>>                  SUP distinguishedName
>>>>                  EQUALITY distinguishedNameMatch
>>>>                  ORDERING distinguishedNameMatch
>>>>                  SUBSTR distinguishedNameMatch
>>>>                  SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
>>>>                  X-ORIGIN 'IPA v2' )
>>>> 
>>>> 
>>>> The logic then will be:
>>>> * If no memberCmd, memberNotCmd or cmdCategory attribute is specified -
>>>> no command is allowed
>>>> * If cmdCategory is specified (only value is "all") all other attributes
>>>> are ignored and all commands are allowed
>>>> * If cmdCategory is not specified
>>>>      * If memberCmd is specified it defines commands or groups of the
>>>> commands that are allowed
>>>>      * If memberNotCmd is specified it defines commands or groups of the
>>>> commands that are not allowed
>>>>      Both attributes are allowed at the same time defining allowed and
>>>> not allowed commands within the same rule.
>>>> 
>>>> This does not solve the problem fully but at least gets us into the same
>>>> boat as current SUDO schema.
>>>> 
>>>> Comments welcome!
>>>> If there are no objections by end of Friday I will craft a patch over
>>>> the weekend.
>>>> 
>>>> Thanks
>>>> Dmitri

>>>> 
>>>> 
>>>> 
>>>> 
>>> 
>>> I updated the wiki and implemented the change.
>>> Patch is attached.
>>> 
>>> 
>>> 
>>> 
>> 
>> Rebased patch attached.
> 
> ack, pushed to master.
> 
> JR, can you fix up the sudo plugins to match this new schema?
> 
> thanks
> 
> rob


Attached is the patch for modifications to sudorule and its test suite to 
accommodate the schema redesign.

We now create allow rules or deny rules and no longer reference accessruletype.

Attachment: 0001-sudorule-mods-for-schema-update.patch
Description: 0001-sudorule-mods-for-schema-update.patch

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Reply via email to