JR Aquino wrote:
On Oct 4, 2010, at 2:02 PM, Rob Crittenden wrote:
Dmitri Pal wrote:
Dmitri Pal wrote:
Dmitri Pal wrote:
How do we adjust FreeIPA such that it ensures Deny-IPASudoRules precede any
Allow-IPASudoRules ?
So it looks like current schema would not fly well with SUDO due to
On Oct 4, 2010, at 2:02 PM, Rob Crittenden wrote:
Dmitri Pal wrote:
Dmitri Pal wrote:
Dmitri Pal wrote:
How do we adjust FreeIPA such that it ensures Deny-IPASudoRules precede
any Allow-IPASudoRules ?
So it looks like current schema would not fly well with SUDO due to SUDO
Dmitri Pal wrote:
How do we adjust FreeIPA such that it ensures Deny-IPASudoRules precede any
Allow-IPASudoRules ?
So it looks like current schema would not fly well with SUDO due to SUDO
bug/feature. SUDO will match just any first rule that satisfies the
user-host-command
On Thu, Sep 30, 2010 at 12:06:01AM -0400, Dmitri Pal wrote:
JR Aquino wrote:
I have encountered and troubleshot several instances recently where a user
was present in more than 1 sudo rule. One that permitted the user, the
host, and commands, and another that permitted the user, and host,
Todd was able to confirm this for me...
On Sep 29, 2010, at 9:06 PM, Dmitri Pal wrote:
I was aware of this writeup however I did not read it as there is a
problem when there are multiple rules with negation. It actually nowhere
says how SUDO handles multiple rules if they are mutually exclusive.
On Sep 30, 2010, at 6:17 AM, freeipa-devel-requ...@redhat.com wrote:
I think this behaviour is a contradiction to 'paranoid behavior'. I
think that instead of
'If there are
On Sep 30, 2010, at 9:37 AM, Sumit Bose wrote:
I agree, I only made the suggestion about the IPA server, because I
think that this feature is a bug in the current sudo code base, an
annoying bug at best and a serious security issue at worst.
It is both a bug and a security concern... one that
btw. I cannot reproduce your issue where a command is denied where only
user and host is matching, can you give an example where this is
happening? Thanks
I retract my previous statement and stand corrected:
I have run a test and verified on Redhat Enterprise 5.5 that Sudo is behaving
as we
How do we adjust FreeIPA such that it ensures Deny-IPASudoRules precede any
Allow-IPASudoRules ?
So it looks like current schema would not fly well with SUDO due to SUDO
bug/feature. SUDO will match just any first rule that satisfies the
user-host-command combination but we can't
JR Aquino wrote:
I believe we have made an oversight in the way that sudo processes 'deny' or
negations via ldap...
Currently our IPA sudo Schema has ipasudorule objects set to contain an
attribute: accessRuleType
Unfortunately, sudo does not have a means to do a 'deny' in this way...
I have encountered and troubleshot several instances recently where a user was
present in more than 1 sudo rule. One that permitted the user, the host, and
commands, and another that permitted the user, and host, but no commands.
It was discovered that:
* Sudo is a stop on first match...
*
JR Aquino wrote:
I have encountered and troubleshot several instances recently where a user
was present in more than 1 sudo rule. One that permitted the user, the host,
and commands, and another that permitted the user, and host, but no commands.
It was discovered that:
* Sudo is a stop
JR Aquino wrote:
I believe there is an oversight in the schema for the ipaSudoCmdGrp object
class.
The current listing has it using 'groupOfUniqueNames...
I found that in this format, I could not actually assign a member to
reference an ipaSudoCmd DN...
After some digging, it appears