On 04/09/2014 03:56 PM, Petr Viktorin wrote:
> On 04/09/2014 10:31 AM, Martin Kosek wrote:
>> On 04/08/2014 05:19 PM, Petr Viktorin wrote:
>>> On 04/08/2014 12:46 PM, Martin Kosek wrote:
>>>> On 04/08/2014 11:03 AM, Petr Viktorin wrote:
>>>>> On 04/07/2014 01:30 PM, Martin Kosek wrote:
>>>>>> On 04/03/2014 12:09 PM, Petr Viktorin wrote:
>>>>>>> Hello,
>>>>>>> This adds read permissions to read Sudo commands, command groups, rules.
>>>>>>>
>>>>>>> Read access is given to all authenticated users.
>>>>>>
>>>>>> Looks good. What about "ou=sudoers"? I think we should also allow it in this
>>>>>> patch for authenticated users. This is the tree that clients use to read
>>>>>> sudo.
>>>>>
>>>>> This new version does that. It needs my patches 0508-0509 since the
>>>>> ou=sudoers permission is not tied to a specific Object plugin.
>>>>>
>>>>
>>>> I would also allow 'ou', otherwise an authenticated user cannot read the
>>>> ou=sudoers RDN. I will comment on NONOBJECT_PERMISSIONS in the other thread.
>>>
>>> Right, I wonder how I missed that.
>>>
>>> New patch attached; it needs 0508-0509.2.
>>>
>>
>> Sorry for not spotting it earlier, but shouldn't we also add "sudoRunAs"
>> attribute? It is part of sudoRole objectclass:
>>
>> objectClasses: ( 1.3.6.1.4.1.15953.9.2.1 NAME 'sudoRole' DESC 'Sudoer Entries'
>>    SUP top STRUCTURAL MUST cn MAY ( sudoUser $ sudoHost $ sudoCommand $ sudoRunAs
>>    $ sudoRunAsUser $ sudoRunAsGroup $ sudoOption $ sudoNotBefore $ sudoNotAfter
>>    $ sudoOrder $ description ) X-ORIGIN 'SUDO' )
>>
>> but we do not seem to generate it in our compat plugin, though. As it is part
>> of the objectclass, I would rather add it to avoid any mistakes.
>>
>> If you add it, it's an ACK from me.
>>
>> Martin
>>
> 
> Thanks for the catch. Added, along with description.
> 

Great! I did not spot the description myself.

ACK.

Martin

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
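The review above caught two sudoRole attributes (sudoRunAs, description) that the read permission had left out. The following added example (not FreeIPA's code, and the "before" attribute list is a hypothetical reconstruction of the gap described in the thread) parses the quoted objectClass definition and reports which MUST/MAY attributes a read permission does not grant, so the same omission can be checked mechanically:

```python
import re

# Constructed copy of the sudoRole definition quoted in the thread, re-joined
# onto one line (the mail client had wrapped it mid-attribute).
SUDO_ROLE_OBJECTCLASS = (
    "( 1.3.6.1.4.1.15953.9.2.1 NAME 'sudoRole' DESC 'Sudoer Entries' "
    "SUP top STRUCTURAL MUST cn MAY ( sudoUser $ sudoHost $ sudoCommand $ "
    "sudoRunAs $ sudoRunAsUser $ sudoRunAsGroup $ sudoOption $ sudoNotBefore $ "
    "sudoNotAfter $ sudoOrder $ description ) X-ORIGIN 'SUDO' )"
)

# Hypothetical attribute list of the read permission *before* the fix: it
# grants everything in sudoRole except sudoRunAs and description.
PERMISSION_ATTRS_BEFORE = [
    "objectclass", "cn", "sudoUser", "sudoHost", "sudoCommand", "sudoRunAsUser",
    "sudoRunAsGroup", "sudoOption", "sudoNotBefore", "sudoNotAfter", "sudoOrder",
]

# MUST/MAY clauses in an RFC 4512 objectClass description come either as a
# single bare name ("MUST cn") or as a parenthesised, '$'-separated list.
_CLAUSE = re.compile(r"\b(MUST|MAY)\s+(?:\(\s*([^)]*?)\s*\)|([\w-]+))")


def objectclass_attributes(definition):
    """Return the lowercased set of all MUST and MAY attribute names."""
    attrs = set()
    for m in _CLAUSE.finditer(definition):
        names = m.group(2) if m.group(2) is not None else m.group(3)
        attrs.update(n.strip().lower() for n in names.split("$") if n.strip())
    return attrs


def missing_attributes(definition, permission_attrs):
    """Attributes the objectClass allows that the permission does not grant.

    Names are compared case-insensitively, as LDAP attribute types are."""
    granted = {a.lower() for a in permission_attrs}
    return sorted(objectclass_attributes(definition) - granted)


if __name__ == "__main__":
    gap = missing_attributes(SUDO_ROLE_OBJECTCLASS, PERMISSION_ATTRS_BEFORE)
    print("not readable through the permission:", gap)
```

Extra attributes in the permission that the objectClass does not define (here "objectclass") are ignored, so the check can be run against any objectClass the permission is meant to cover.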