Re: [Freeipa-devel] IPA Sudo queries.

2011-06-03 Thread Dmitri Pal

[Freeipa-devel] IPA Sudo queries.

2011-06-03 Thread Gowrishankar Rajaiyan

Hi All,

1. While adding a runasgroup I see its entry in its ipaUniqueID dn; however, I do not see it in "dn: cn=sudorule1" as I do when adding a group using "ipa sudorule-add-runasuser rulename --groups=group1".
Not sure if this is as designed.

[root@bumblebee ipa-sudo]# ipa sudorule-add-runasgroup sudorule1 --groups=group2
  Rule name: sudorule1
  Enabled: TRUE
  Sudo Deny Commands: /bin/ls
  Run As Group: group2
-
Number of members added 1
-

dn: ipaUniqueID=78c97b54-8d01-11e0-b6e8-525400deab7b,cn=sudorules,cn=sudo,dc=lab,dc=eng,dc=pnq,dc=redhat,dc=com
objectClass: ipaassociation
objectClass: ipasudorule
ipaEnabledFlag: TRUE
cn: sudorule1
ipaUniqueID: 78c97b54-8d01-11e0-b6e8-525400deab7b
memberDenyCmd: sudocmd=/bin/ls,cn=sudocmds,cn=sudo,dc=lab,dc=eng,dc=pnq,dc=redhat,dc=com
ipaSudoRunAs: cn=group1,cn=groups,cn=accounts,dc=lab,dc=eng,dc=pnq,dc=redhat,dc=com
ipaSudoRunAsExtUser: test
ipaSudoRunAsGroup: cn=group2,cn=groups,cn=accounts,dc=lab,dc=eng,dc=pnq,dc=redhat,dc=com   <-

# sudorule1, sudoers, lab.eng.pnq.redhat.com
dn: cn=sudorule1,ou=sudoers,dc=lab,dc=eng,dc=pnq,dc=redhat,dc=com
objectClass: sudoRole
objectClass: extensibleObject
objectClass: top
sudoCommand: !/bin/ls
sudorunasuser: test
sudorunasuser: %group1
sudorunasgroup: group1   <--- added as "ipa sudorule-add-runasuser sudorule1 --groups=group1"
{{{sudorunasgroup: group2}}}   <--- expected here
cn: sudorule1


2. Also, I would like to know the difference between the following 2 commands:


 Command 1: ipa sudorule-add-runasuser --groups=LIST (comma-separated list of groups to add)

# ipa help sudorule-add-runasuser
Purpose: Add user for Sudo to execute as.
[...]
--users=LIST comma-separated list of users to add
--groups=LIST comma-separated list of groups to add

 Command 2: ipa sudorule-add-runasgroup --groups=LIST (comma-separated list of groups to add)



I see the following in DS after using these commands:

 1. # ipa sudorule-add-runasuser rule1 --users=user1 --groups=group1
   Rule name: rule1
   Enabled: TRUE
   RunAs External User: user1
 -
 Number of members added 2
 -

 In DS:
 # rule1, sudoers, lab.eng.pnq.redhat.com
 dn: cn=rule1,ou=sudoers,dc=lab,dc=eng,dc=pnq,dc=redhat,dc=com
 objectClass: sudoRole
 objectClass: extensibleObject
 objectClass: top
 sudorunasuser: user1   <--
 sudorunasuser: %group1
 sudorunasgroup: group1   <--
 cn: rule1

 # 30f45cc8-8e40-11e0-bdf9-525400deab7b, sudorules, sudo, lab.eng.pnq.redhat.com
 dn: ipaUniqueID=30f45cc8-8e40-11e0-bdf9-525400deab7b,cn=sudorules,cn=sudo,dc=lab,dc=eng,dc=pnq,dc=redhat,dc=com
 objectClass: ipaassociation
 objectClass: ipasudorule
 ipaEnabledFlag: TRUE
 cn: rule1
 ipaUniqueID: 30f45cc8-8e40-11e0-bdf9-525400deab7b
 ipaSudoRunAs: cn=group1,cn=groups,cn=accounts,dc=lab,dc=eng,dc=pnq,dc=redhat,dc=com
 ipaSudoRunAsExtUser: user1

 2. # ipa sudorule-add-runasgroup rule1 --groups=group2
   Rule name: rule1
   Enabled: TRUE
   Run As Group: group2
 -
 Number of members added 1
 -

 In DS:
 No group2 in cn=rule1

 # rule1, sudoers, lab.eng.pnq.redhat.com
 dn: cn=rule1,ou=sudoers,dc=lab,dc=eng,dc=pnq,dc=redhat,dc=com
 objectClass: sudoRole
 objectClass: extensibleObject
 objectClass: top
 sudorunasuser: user1
 sudorunasuser: %group1
 sudorunasgroup: group1
 cn: rule1

 # 30f45cc8-8e40-11e0-bdf9-525400deab7b, sudorules, sudo, lab.eng.pnq.redhat.com
 dn: ipaUniqueID=30f45cc8-8e40-11e0-bdf9-525400deab7b,cn=sudorules,cn=sudo,dc=lab,dc=eng,dc=pnq,dc=redhat,dc=com
 objectClass: ipaassociation
 objectClass: ipasudorule
 ipaEnabledFlag: TRUE
 cn: rule1
 ipaUniqueID: 30f45cc8-8e40-11e0-bdf9-525400deab7b
 ipaSudoRunAs: cn=group1,cn=groups,cn=accounts,dc=lab,dc=eng,dc=pnq,dc=redhat,dc=com   <---
 ipaSudoRunAsExtUser: user1
 ipaSudoRunAsGroup: cn=group2,cn=groups,cn=accounts,dc=lab,dc=eng,dc=pnq,dc=redhat,dc=com   <---



3. Should a normal user be given privileges to view all the sudorules and their details? I do not think this is necessary except for host principals and admin users. Please comment.

~]$ klist
 Ticket cache: FILE:/tmp/krb5cc_117943
 Default principal: sha...@lab.eng.pnq.redhat.com

 Valid starting Expires Service principal
 06/03/11 09:34:33 06/04/11 09:34:28
 krbtgt/lab.eng.pnq.redhat@lab.eng.pnq.redhat.com
 06/03/11 09:34:37 06/04/11 09:34:28
 HTTP/bumblebee.lab.eng.pnq.redhat@lab.eng.pnq.redhat.com

~]$ ipa sudorule-find --all
 dn: ipauniqueid=78c97b54-8d01-11e0-b6e8-525400deab7b,cn=sudorules,cn=sudo,dc=lab,dc=eng,dc=pnq,dc=redhat,dc=com
 Rule name: sudorule1
 Enabled: TRUE
 Sudo Deny Commands: /bin/ls
 Run As Group: group2, group1
 RunAs External User: test, test1
 ipasudoopt: env_keep = LANG LC_ADDRESS LC_CTYPE LC_COLLATE
 LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES LC_MONETARY LC_NAME
 LC_NUMERIC LC_PAPER
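An added example covering items 1 and 2 above (not from the thread and not FreeIPA's own code): it parses an IPA sudo rule entry and its ou=sudoers compat entry as LDIF, derives the sudoRole attributes the compat entry should carry from the mapping visible in the dumps, and reports whatever is missing, so the dropped sudoRunAsGroup for group2 surfaces as a finding that a sudo client reading the compat tree would enforce a weaker rule than the one defined in IPA. The uid= and memberAllowCmd branches, the dc=example,dc=test suffix and the two sample entries are assumptions constructed for this example.

```python
from collections import defaultdict

def parse_ldif(text):
    """One LDIF entry -> {attr_lowercase: [values]}, folding ' '-continued lines."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]               # LDIF continuation line
        elif raw.strip() and not raw.startswith("#"):
            lines.append(raw)
    entry = defaultdict(list)
    for line in lines:
        attr, _, value = line.partition(":")
        entry[attr.lower()].append(value.strip())
    return entry

def rdn(dn):
    """(type, value) of the leftmost RDN: 'cn=group1,cn=groups,...' -> ('cn', 'group1')."""
    rdn_type, _, rdn_value = dn.split(",", 1)[0].partition("=")
    return rdn_type.lower(), rdn_value

def expected_compat(ipa):
    """sudoRole (attr, value) pairs the ou=sudoers entry should carry for an IPA rule."""
    exp = {("sudorunasuser", u) for u in ipa["ipasudorunasextuser"]}
    for dn in ipa["ipasudorunas"]:
        kind, name = rdn(dn)
        if kind == "cn":     # group DN: the dumps show it as %group plus a runasgroup
            exp |= {("sudorunasuser", "%" + name), ("sudorunasgroup", name)}
        elif kind == "uid":  # user DN: assumed, not shown in the post
            exp.add(("sudorunasuser", name))
    exp |= {("sudorunasgroup", rdn(dn)[1]) for dn in ipa["ipasudorunasgroup"]}
    exp |= {("sudocommand", "!" + rdn(dn)[1]) for dn in ipa["memberdenycmd"]}
    exp |= {("sudocommand", rdn(dn)[1]) for dn in ipa["memberallowcmd"]}  # assumed
    return exp

def missing_compat(ipa_ldif, compat_ldif):
    """Expected pairs absent from the compat entry; an empty set means consistent."""
    present = {(a, v) for a, vs in parse_ldif(compat_ldif).items() for v in vs}
    return expected_compat(parse_ldif(ipa_ldif)) - present

# Constructed sample mirroring the post's sudorule1 (suffix replaced by dc=example,dc=test).
IPA_RULE = """memberDenyCmd: sudocmd=/bin/ls,cn=sudocmds,cn=sudo,dc=example,dc=test
ipaSudoRunAs: cn=group1,cn=groups,cn=accounts,dc=example,dc=test
ipaSudoRunAsExtUser: test
ipaSudoRunAsGroup: cn=group2,cn=groups,cn=accounts,dc=example,dc=test"""
COMPAT_RULE = """sudoCommand: !/bin/ls
sudoRunAsUser: test
sudoRunAsUser: %group1
sudoRunAsGroup: group1"""
```

Running missing_compat(IPA_RULE, COMPAT_RULE) on the sample returns only the group2 runasgroup pair, which is exactly the entry the poster expected to find in cn=sudorule1.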