I believe we have made an oversight in the way that sudo processes 'deny' or 
negations via ldap...

Currently our IPA sudo Schema has ipasudorule objects set to contain an 
attribute: accessRuleType

Unfortunately, sudo does not have a means to do a 'deny' in this way...

For a command, user, or host to be 'denied' it must be preceded with an 
exclamation point: !

Due to the RFC, LDAP will return entries in an arbitrary order, so sudo 
will do first match on the "!" negations.  However, this is only true within 
the same Rule, i.e. if a user belongs to multiple groups, one which allows the 
command, and a separate one which negates the command, sudo can and will pass or 
fail depending on which object LDAP returns back for the search results.

It occurs to me that we have 2 ways to proceed.

0) I suggest we remove the attribute: accessRuleType from ipasudorule.

1) Add the attribute: accessRuleType to ipasudocmdgrp.
    -This has the benefit of not having to duplicate new ipasudocmd's only to 
prepend a "!" in front of them since an ipasudorule can contain multiple 
ipasudocmdgrp's.
    i.e. /usr/bin/less can be added to an 'allow' command group and remain 
unchanged, but when also added to a 'deny' command group, the compat layer 
should prepend the "!" for us.

Please let me know if anyone has any objections or observations.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Jr Aquino, GCIH | Information Security Specialist
Citrix Online | 6500 Hollister Avenue | Goleta, CA 93117
T:  +1 805.690.3478
jr.aqu...@citrixonline.com
http://www.citrixonline.com

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
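The following is an added illustration of the two schema options discussed in the message above; it is not FreeIPA code and not the author's. It models a rule-level accessRuleType (the current schema) against a command-group-level accessRuleType (option 1), renders each ipasudorule to the list of sudoCommand values a compat layer would emit, and evaluates a command under both possible LDAP return orders. The evaluation model is the one the email describes, simplified: within a rule a "!" negation is matched first, and across rules the first rule returned that mentions the command decides. Class and function names, the sample groups and the rule names are constructed for the example.

```python
"""Constructed model of per-rule vs. per-command-group 'deny' for IPA sudo rules.

Not FreeIPA code.  ipasudorule, ipasudocmdgrp and accessRuleType are the
attribute names from the message; the rendered values mimic sudoCommand in the
sudo LDAP schema; the evaluation order model is the email's description,
simplified.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class SudoCmdGroup:            # models ipasudocmdgrp
    name: str
    commands: List[str]
    access_rule_type: str = "allow"   # option 1: accessRuleType on the command group


@dataclass
class SudoRule:                # models ipasudorule
    name: str
    cmd_groups: List[SudoCmdGroup] = field(default_factory=list)
    access_rule_type: str = "allow"   # current schema: accessRuleType on the rule


def render_sudo_commands(rule: SudoRule) -> List[str]:
    """Compat-layer view of one rule: commands from a 'deny' group (or a 'deny'
    rule) get '!' prepended; negations are emitted first so that, within the
    rule, sudo's first match is the negation."""
    denied, allowed = [], []
    for grp in rule.cmd_groups:
        for cmd in grp.commands:
            if rule.access_rule_type == "deny" or grp.access_rule_type == "deny":
                denied.append("!" + cmd)
            else:
                allowed.append(cmd)
    return denied + allowed


def rule_decision(sudo_commands: List[str], cmd: str) -> Optional[bool]:
    """Within one rule: a '!cmd' entry denies, a plain cmd entry allows,
    otherwise the rule says nothing about cmd (None)."""
    if "!" + cmd in sudo_commands:
        return False
    if cmd in sudo_commands:
        return True
    return None


def evaluate(rules_in_ldap_order: List[SudoRule], cmd: str) -> bool:
    """Across rules: the first rule returned by LDAP that mentions cmd decides.
    The caller supplies the order, standing in for LDAP's arbitrary ordering."""
    for rule in rules_in_ldap_order:
        decision = rule_decision(render_sudo_commands(rule), cmd)
        if decision is not None:
            return decision
    return False   # no rule matched: sudo denies by default


LESS = "/usr/bin/less"   # the example command from the message
VIM = "/usr/bin/vim"     # constructed second command


def current_schema_outcomes() -> Tuple[bool, bool]:
    """Current schema: the 'deny' lives on a second ipasudorule, so the answer
    flips with the order in which LDAP returns the two rules."""
    allow_rule = SudoRule("ops-allow", [SudoCmdGroup("ops-tools", [LESS])])
    deny_rule = SudoRule("ops-deny", [SudoCmdGroup("ops-tools", [LESS])],
                         access_rule_type="deny")
    return (evaluate([allow_rule, deny_rule], LESS),
            evaluate([deny_rule, allow_rule], LESS))


def proposed_schema_outcome() -> Tuple[List[str], bool, bool]:
    """Option 1: one rule holds an 'allow' group and a 'deny' group; /usr/bin/less
    stays unchanged in the allow group and the compat layer prepends '!' for
    the deny group, so the negation wins inside the single rule."""
    ops_tools = SudoCmdGroup("ops-tools", [LESS, VIM])
    restricted = SudoCmdGroup("restricted", [LESS], access_rule_type="deny")
    rule = SudoRule("ops", [ops_tools, restricted])
    return (render_sudo_commands(rule),
            evaluate([rule], LESS),
            evaluate([rule], VIM))


if __name__ == "__main__":
    print("current schema, (allow-first, deny-first):", current_schema_outcomes())
    print("proposed schema, (rendered, less, vim):", proposed_schema_outcome())
```

The model deliberately ignores sudoUser/sudoHost matching and sudoOrder; it isolates the single point the message makes, that a negation is only reliable when it sits in the same rule as the entry it overrides.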
