Re: [Freeipa-devel] Sudo Schema Bug

2010-09-30 Thread Sumit Bose
On Thu, Sep 30, 2010 at 12:06:01AM -0400, Dmitri Pal wrote: JR Aquino wrote: I have encountered and troubleshot several instances recently where a user was present in more than 1 sudo rule. One that permitted the user, the host, and commands, and another that permitted the user, and host,

Re: [Freeipa-devel] admiyo-freeipa-0048-Item-Level-Undo.patch

2010-09-30 Thread Adam Young
On 09/29/2010 11:07 PM, Endi Sukma Dewata wrote: - Adam Young ayo...@redhat.com wrote: Should have remembered this approach, standard JS way to deal with undefined values. admiyo-freeipa-0048-3-Item-Level-Undo.patch A few notes: 1. You're replying to the wrong thread :)

Re: [Freeipa-devel] admiyo-freeipa-0048-Item-Level-Undo.patch

2010-09-30 Thread Adam Young
On 09/30/2010 09:18 AM, Adam Young wrote: On 09/29/2010 11:07 PM, Endi Sukma Dewata wrote: - Adam Young ayo...@redhat.com wrote: Should have remembered this approach, standard JS way to deal with undefined values. admiyo-freeipa-0048-3-Item-Level-Undo.patch A few notes: 1. You're

Re: [Freeipa-devel] admiyo-freeipa-0048-Item-Level-Undo.patch

2010-09-30 Thread Adam Young
On 09/30/2010 09:20 AM, Adam Young wrote: On 09/30/2010 09:18 AM, Adam Young wrote: On 09/29/2010 11:07 PM, Endi Sukma Dewata wrote: - Adam Young ayo...@redhat.com wrote: Should have remembered this approach, standard JS way to deal with undefined values.

Re: [Freeipa-devel] Sudo Schema Bug

2010-09-30 Thread JR Aquino
Todd was able to confirm this for me... On Sep 29, 2010, at 9:06 PM, Dmitri Pal wrote: I was aware of this writeup however I did not read it as there is a problem when there are multiple rules with negation. It actually nowhere says how SUDO handles multiple rules if they are mutually exclusive.

Re: [Freeipa-devel] Sudo Schema Bug/Feature

2010-09-30 Thread JR Aquino
On Sep 30, 2010, at 6:17 AM, freeipa-devel-requ...@redhat.com wrote: I think this behaviour is a contradiction to 'paranoid behavior'. I think that instead of 'If there are

Re: [Freeipa-devel] Sudo Schema Bug/Feature

2010-09-30 Thread Sumit Bose
On Sep 30, 2010, at 6:17 AM, freeipa-devel-requ...@redhat.com wrote: I think this behaviour is a contradiction to 'paranoid behavior'. I think that instead of 'If there are

Re: [Freeipa-devel] Sudo Schema Bug/Feature

2010-09-30 Thread JR Aquino
On Sep 30, 2010, at 9:37 AM, Sumit Bose wrote: I agree, I only made the suggestion about the IPA server, because I think that this feature is a bug in the current sudo code base, an annoying bug at best and a serious security issue at worst. It is both a bug and a security concern... one that

Re: [Freeipa-devel] Sudo Schema Bug/Feature

2010-09-30 Thread JR Aquino
btw. I cannot reproduce your issue where a command is denied where only user and host is matching, can you give an example where this is happening? Thanks I retract my previous statement and stand corrected: I have run a test and verified on Redhat Enterprise 5.5 that Sudo is behaving as we

[Freeipa-devel] admiyo-freeipa-0050-phonenumbers.patch

2010-09-30 Thread Adam Young
Added in params for phone number types: mobile, pager, fax, phone From 46766fb7d44e5586ce05334756ae4b3a2212daab Mon Sep 17 00:00:00 2001 From: Adam Young ayo...@redhat.com Date: Thu, 30 Sep 2010 13:58:01 -0400 Subject: [PATCH] phonenumbers Added in params for phone number types: phone, fax,

[Freeipa-devel] [PATCH] 553 quote passwords to pkisilent

2010-09-30 Thread Rob Crittenden
Quote passwords before sending them to pkisilent. This lets you use characters in the password the shell would otherwise interpret. rob freeipa-553-quote.patch Description: application/mbox ___ Freeipa-devel mailing list Freeipa-devel@redhat.com

Re: [Freeipa-devel] [PATCH] 553 quote passwords to pkisilent

2010-09-30 Thread Adam Young
On 09/30/2010 02:54 PM, Rob Crittenden wrote: Quote passwords before sending them to pkisilent. This lets you use characters in the password the shell would otherwise interpret. rob

[Freeipa-devel] [PATCH] Refactoring navigation.js.

2010-09-30 Thread Endi Sukma Dewata
Hi, Please review the attached patch. Thanks! The navigation.js has been modified to make it more abstract, i.e. unaware of entity facets. The nav_update_tabs() has been modified such that it activates and updates the tabs based on the current state stored in the URL. The facets are now handled

[Freeipa-devel] fix timelimit/sizelimit in user_find

2010-09-30 Thread Rob Crittenden
Don't override takes_options in user_find. I pushed this under the 1-liner rule. rob user_find.patch Description: application/mbox

[Freeipa-devel] [PATCH] 554 fix failing test case

2010-09-30 Thread Rob Crittenden
Fix failing test case for LDAP client test. This should bring our pass rate back up to 100%. rob freeipa-554-test.patch Description: application/mbox

Re: [Freeipa-devel] Sudo Schema Bug/Feature

2010-09-30 Thread Dmitri Pal
How do we adjust FreeIPA such that it ensures Deny-IPASudoRules precede any Allow-IPASudoRules? So it looks like current schema would not fly well with SUDO due to SUDO bug/feature. SUDO will match just any first rule that satisfies the user-host-command combination but we can't

[Freeipa-devel] admiyo-freeipa-0051-telephone.patch

2010-09-30 Thread Adam Young
Pushed under the one line rule From 4f2d2fda93b1a118869579efa70d800a28b97a8b Mon Sep 17 00:00:00 2001 From: Adam Young ayo...@redhat.com Date: Thu, 30 Sep 2010 19:08:45 -0400 Subject: [PATCH] telephone Typo in attribute name. --- install/static/user.js |2 +- 1 files changed, 1

Re: [Freeipa-devel] [PATCH] 554 fix failing test case

2010-09-30 Thread Adam Young
On 09/30/2010 05:51 PM, Rob Crittenden wrote: Fix failing test case for LDAP client test. This should bring our pass rate back up to 100%. rob