On 04/08/2014 05:19 PM, Petr Viktorin wrote:
> On 04/08/2014 12:46 PM, Martin Kosek wrote:
>> On 04/08/2014 11:03 AM, Petr Viktorin wrote:
>>> On 04/07/2014 01:30 PM, Martin Kosek wrote:
>>>> On 04/03/2014 12:09 PM, Petr Viktorin wrote:
>>>>> Hello,
>>>>> This adds read permissions to read Sudo commands, command groups, rules.
>>>>>
>>>>> Read access is given to all authenticated users.
>>>>
>>>> Looks good. What about "ou=sudoers"? I think we should also allow it in this
>>>> patch for authenticated users. This is the tree that clients use to read sudo.
>>>
>>> This new version does that. It needs my patches 0508-0509 since the ou=sudoers
>>> permission is not tied to a specific Object plugin.
>>>
>>
>> I would also allow 'ou', otherwise an authenticated user cannot read the
>> ou=sudoers RDN. I will comment on NONOBJECT_PERMISSIONS in the other thread.
>
> Right, I wonder how I missed that.
>
> New patch attached; it needs 0508-0509.2.
>
Sorry for not spotting it earlier, but shouldn't we also add the "sudoRunAs" attribute? It is part of the sudoRole objectclass:

objectClasses: ( 1.3.6.1.4.1.15953.9.2.1 NAME 'sudoRole' DESC 'Sudoer Entries' SUP top STRUCTURAL MUST cn MAY ( sudoUser $ sudoHost $ sudoCommand $ sudoRunAs $ sudoRunAsUser $ sudoRunAsGroup $ sudoOption $ sudoNotBefore $ sudoNotAfter $ sudoOrder $ description ) X-ORIGIN 'SUDO' )

but we seem to not generate it in our compat plugin though. But as it is part of the objectclass, I would rather add it to avoid any mistakes.

If you add it, it's an ACK from me.

Martin
_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
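The review point above (a read permission should cover every attribute the objectClass can carry, not just the ones a particular generator happens to emit) can be checked mechanically. The following is an added example, not code from the thread or from FreeIPA: it parses the RFC 4512 objectClass description quoted above and diffs its MUST and MAY attributes against a permission's attribute list. The `PERMISSION_ATTRS` list is a constructed sample that deliberately omits `sudoRunAs`; it is not the attribute list of the actual patch.

```python
import re

# Constructed sample: the sudoRole objectClass definition quoted in the thread,
# in RFC 4512 objectClass description syntax.
SUDOROLE_SCHEMA = (
    "( 1.3.6.1.4.1.15953.9.2.1 NAME 'sudoRole' DESC 'Sudoer Entries' "
    "SUP top STRUCTURAL MUST cn MAY ( sudoUser $ sudoHost $ sudoCommand $ "
    "sudoRunAs $ sudoRunAsUser $ sudoRunAsGroup $ sudoOption $ sudoNotBefore $ "
    "sudoNotAfter $ sudoOrder $ description ) X-ORIGIN 'SUDO' )"
)

# Constructed sample: the attribute list a read permission on ou=sudoers might
# grant before sudoRunAs is added (hypothetical, not the patch's actual list).
PERMISSION_ATTRS = [
    "objectclass", "cn", "ou",
    "sudoUser", "sudoHost", "sudoCommand", "sudoRunAsUser", "sudoRunAsGroup",
    "sudoOption", "sudoNotBefore", "sudoNotAfter", "sudoOrder", "description",
]


def _attr_list(definition, keyword):
    """Return the attribute names following MUST or MAY: either one bare name
    or a parenthesised '$'-separated list. Empty list if the keyword is absent."""
    m = re.search(r"\b" + keyword + r"\s+(\([^)]*\)|[A-Za-z][\w-]*)", definition)
    if not m:
        return []
    body = m.group(1).strip()
    if body.startswith("("):
        return [a.strip() for a in body[1:-1].split("$") if a.strip()]
    return [body]


def parse_objectclass(definition):
    """Parse an objectClass description into (name, must_attrs, may_attrs)."""
    name = re.search(r"\bNAME\s+'([^']+)'", definition).group(1)
    return name, _attr_list(definition, "MUST"), _attr_list(definition, "MAY")


def missing_attrs(definition, granted):
    """Attributes of the objectClass (MUST and MAY) that the permission's
    attribute list does not cover. LDAP attribute names are case-insensitive,
    so compare lower-cased; report the schema's own spelling, in schema order."""
    _, must, may = parse_objectclass(definition)
    granted_lc = {a.lower() for a in granted}
    return [a for a in must + may if a.lower() not in granted_lc]


if __name__ == "__main__":
    gap = missing_attrs(SUDOROLE_SCHEMA, PERMISSION_ATTRS)
    print("attributes not covered by the permission:", gap)
```

Run stand-alone it reports `['sudoRunAs']`, the exact gap raised in the review. In a real check the schema string would be read from the directory's subschema entry and the attribute list from the permission entry itself, rather than from constants; the comparison logic is the same.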