Re: [Freeipa-devel] IPA Sudo queries.
On 06/03/2011 03:11 PM, Gowrishankar Rajaiyan wrote:
[Freeipa-devel] IPA Sudo queries.

Hi All,

1. While adding a runasgroup I see its entry in its ipaUniqueID dn, however I do not see it in "dn: cn=sudorule1" as I do when adding a group using "ipa sudorule-add-runasuser rulename --groups=group1". Not sure if this is as designed.

[root@bumblebee ipa-sudo]# ipa sudorule-add-runasgroup sudorule1 --groups=group2
  Rule name: sudorule1
  Enabled: TRUE
  Sudo Deny Commands: /bin/ls
  Run As Group: group2
-
Number of members added 1
-

dn: ipaUniqueID=78c97b54-8d01-11e0-b6e8-525400deab7b,cn=sudorules,cn=sudo,dc=lab,dc=eng,dc=pnq,dc=redhat,dc=com
objectClass: ipaassociation
objectClass: ipasudorule
ipaEnabledFlag: TRUE
cn: sudorule1
ipaUniqueID: 78c97b54-8d01-11e0-b6e8-525400deab7b
memberDenyCmd: sudocmd=/bin/ls,cn=sudocmds,cn=sudo,dc=lab,dc=eng,dc=pnq,dc=redhat,dc=com
ipaSudoRunAs: cn=group1,cn=groups,cn=accounts,dc=lab,dc=eng,dc=pnq,dc=redhat,dc=com
ipaSudoRunAsExtUser: test
ipaSudoRunAsGroup: cn=group2,cn=groups,cn=accounts,dc=lab,dc=eng,dc=pnq,dc=redhat,dc=com   <-

# sudorule1, sudoers, lab.eng.pnq.redhat.com
dn: cn=sudorule1,ou=sudoers,dc=lab,dc=eng,dc=pnq,dc=redhat,dc=com
objectClass: sudoRole
objectClass: extensibleObject
objectClass: top
sudoCommand: !/bin/ls
sudorunasuser: test
sudorunasuser: %group1
sudorunasgroup: group1   <-- added as "ipa sudorule-add-runasuser sudorule1 --groups=group1"
{{{sudorunasgroup: group2}}}   <--- expected here
cn: sudorule1

2. Also, I would like to know the difference between the following 2 commands:

Command 1: ipa sudorule-add-runasuser --groups=LIST (comma-separated list of groups to add)

# ipa help sudorule-add-runasuser
Purpose: Add user for Sudo to execute as.
[...]
  --users=LIST    comma-separated list of users to add
  --groups=LIST   comma-separated list of groups to add

Command 2: ipa sudorule-add-runasgroup --groups=LIST (comma-separated list of groups to add)

I see the following in DS after using these commands:

1. # ipa sudorule-add-runasuser rule1 --users=user1 --groups=group1
  Rule name: rule1
  Enabled: TRUE
  RunAs External User: user1
-
Number of members added 2
-

In DS:
# rule1, sudoers, lab.eng.pnq.redhat.com
dn: cn=rule1,ou=sudoers,dc=lab,dc=eng,dc=pnq,dc=redhat,dc=com
objectClass: sudoRole
objectClass: extensibleObject
objectClass: top
sudorunasuser: user1   <--
sudorunasuser: %group1
sudorunasgroup: group1   <--
cn: rule1

# 30f45cc8-8e40-11e0-bdf9-525400deab7b, sudorules, sudo, lab.eng.pnq.redhat.com
dn: ipaUniqueID=30f45cc8-8e40-11e0-bdf9-525400deab7b,cn=sudorules,cn=sudo,dc=lab,dc=eng,dc=pnq,dc=redhat,dc=com
objectClass: ipaassociation
objectClass: ipasudorule
ipaEnabledFlag: TRUE
cn: rule1
ipaUniqueID: 30f45cc8-8e40-11e0-bdf9-525400deab7b
ipaSudoRunAs: cn=group1,cn=groups,cn=accounts,dc=lab,dc=eng,dc=pnq,dc=redhat,dc=com
ipaSudoRunAsExtUser: user1

2. # ipa sudorule-add-runasgroup rule1 --groups=group2
  Rule name: rule1
  Enabled: TRUE
  Run As Group: group2
-
Number of members added 1
-

In DS: No group2 in cn=rule1

# rule1, sudoers, lab.eng.pnq.redhat.com
dn: cn=rule1,ou=sudoers,dc=lab,dc=eng,dc=pnq,dc=redhat,dc=com
objectClass: sudoRole
objectClass: extensibleObject
objectClass: top
sudorunasuser: user1
sudorunasuser: %group1
sudorunasgroup: group1
cn: rule1

# 30f45cc8-8e40-11e0-bdf9-525400deab7b, sudorules, sudo, lab.eng.pnq.redhat.com
dn: ipaUniqueID=30f45cc8-8e40-11e0-bdf9-525400deab7b,cn=sudorules,cn=sudo,dc=lab,dc=eng,dc=pnq,dc=redhat,dc=com
objectClass: ipaassociation
objectClass: ipasudorule
ipaEnabledFlag: TRUE
cn: rule1
ipaUniqueID: 30f45cc8-8e40-11e0-bdf9-525400deab7b
ipaSudoRunAs: cn=group1,cn=groups,cn=accounts,dc=lab,dc=eng,dc=pnq,dc=redhat,dc=com   <---
ipaSudoRunAsExtUser: user1
ipaSudoRunAsGroup: cn=group2,cn=groups,cn=accounts,dc=lab,dc=eng,dc=pnq,dc=redhat,dc=com   <

3. Should a normal user be given privileges to view all the sudorules and their details? I do not think this is necessary except for host principals and admin users. Please comment.

~]$ klist
Ticket cache: FILE:/tmp/krb5cc_117943
Default principal: sha...@lab.eng.pnq.redhat.com

Valid starting     Expires            Service principal
06/03/11 09:34:33  06/04/11 09:34:28  krbtgt/lab.eng.pnq.redhat@lab.eng.pnq.redhat.com
06/03/11 09:34:37  06/04/11 09:34:28  HTTP/bumblebee.lab.eng.pnq.redhat@lab.eng.pnq.redhat.com

~]$ ipa sudorule-find --all
  dn: ipauniqueid=78c97b54-8d01-11e0-b6e8-525400deab7b,cn=sudorules,cn=sudo,dc=lab,dc=eng,dc=pnq,dc=redhat,dc=com
  Rule name: sudorule1
  Enabled: TRUE
  Sudo Deny Commands: /bin/ls
  Run As Group: group2, group1
  RunAs External User: test, test1
  ipasudoopt: env_keep = LANG LC_ADDRESS LC_CTYPE LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER
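A consistency check for the discrepancy raised in point 1, added here as an example that is neither FreeIPA project code nor the poster's: it parses the IPA sudorule entry (cn=sudorules,cn=sudo) and the compat-tree sudoRole entry (ou=sudoers) shown in the post, derives the sudoCommand/sudorunasuser/sudorunasgroup values the compat entry should carry, and reports the pairs that are missing. The attribute mapping (memberDenyCmd to "!command", ipaSudoRunAsExtUser to sudorunasuser, an ipaSudoRunAs group to both "%group" and a sudorunasgroup line, ipaSudoRunAsGroup to sudorunasgroup) is an assumption read off the entries in the post, not the schema-compat plugin's actual configuration, and the uid-based branch generalizes beyond what the post shows.

```python
# Added example (not FreeIPA project code): derive the compat-tree sudoRole attrs
# an IPA sudorule entry implies; the mapping is an ASSUMPTION read off the post.
from collections import defaultdict

def parse_ldif(text):
    """Single-entry LDIF fragment -> {attr_lowercase: [values]}."""
    entry = defaultdict(list)
    for line in text.strip().splitlines():
        if ":" in line and not line.startswith("#"):
            attr, _, value = line.partition(":")
            entry[attr.strip().lower()].append(value.strip())
    return entry

def rdn_value(dn):
    """First RDN as (attr, value): 'cn=group1,cn=groups,...' -> ('cn', 'group1')."""
    attr, _, value = dn.split(",", 1)[0].partition("=")
    return attr.strip().lower(), value.strip()

def expected_compat(ipa):
    """Set of (attr, value) pairs the compat entry should carry."""
    want = set()
    for dn in ipa.get("memberdenycmd", []):
        want.add(("sudocommand", "!" + rdn_value(dn)[1]))
    for user in ipa.get("ipasudorunasextuser", []):
        want.add(("sudorunasuser", user))
    for dn in ipa.get("ipasudorunas", []):
        attr, name = rdn_value(dn)
        if attr == "uid":  # a user DN (assumed generalization, not shown in the post)
            want.add(("sudorunasuser", name))
        else:  # a group: the post shows both a %group user line and a group line
            want.add(("sudorunasuser", "%" + name))
            want.add(("sudorunasgroup", name))
    for dn in ipa.get("ipasudorunasgroup", []):
        want.add(("sudorunasgroup", rdn_value(dn)[1]))
    return want

def missing_in_compat(ipa_text, compat_text):
    """Expected (attr, value) pairs absent from the actual compat entry."""
    have = {(a, v) for a, vs in parse_ldif(compat_text).items() for v in vs}
    return expected_compat(parse_ldif(ipa_text)) - have

# Constructed sample input, copied from the two sudorule1 entries in the post.
IPA_RULE = """memberDenyCmd: sudocmd=/bin/ls,cn=sudocmds,cn=sudo,dc=lab,dc=eng,dc=pnq,dc=redhat,dc=com
ipaSudoRunAs: cn=group1,cn=groups,cn=accounts,dc=lab,dc=eng,dc=pnq,dc=redhat,dc=com
ipaSudoRunAsExtUser: test
ipaSudoRunAsGroup: cn=group2,cn=groups,cn=accounts,dc=lab,dc=eng,dc=pnq,dc=redhat,dc=com"""
COMPAT_RULE = """sudoCommand: !/bin/ls
sudorunasuser: test
sudorunasuser: %group1
sudorunasgroup: group1"""
```

Calling missing_in_compat(IPA_RULE, COMPAT_RULE) yields exactly the sudorunasgroup: group2 line the post marks as "expected here"; running it against live ldapsearch output of both subtrees would flag every rule where the compat view and the IPA view disagree.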