Todd was able to confirm this for me...

On Sep 29, 2010, at 9:06 PM, Dmitri Pal wrote:

I was aware of this writeup; however, I did not read it, as there is a problem when there are multiple rules with negation. It actually nowhere says how SUDO handles multiple rules if they are mutually exclusive. Even in the current schema there is a problem when you have two rules and they contradict each other; according to the RFC this is a valid situation and thus should be handled correctly by SUDO. Do not take me wrong, I am willing to adjust the schema, but if the SUDO utility can't handle contradicting rules even with the existing schema, this is a very serious bug that we either should fix in SUDO or have a workaround for. If you are right above that it does not look at other rules before making a decision and makes it based on just one rule, we can add the attribute(s) as you or I suggested, but this generally limits the flexibility of the solution.

Does anyone have experience with this behavior and can confirm the limitation?

Thanks
Dmitri

On Sep 30, 2010, at 6:28 AM, Todd C. Miller wrote:

In message <2ef9f6d2-2a9f-4466-a205-907acfa52...@citrixonline.com>
so spake JR Aquino (JR.Aquino):

Todd, if you have a moment, could you weigh in on this? We are trying to clarify whether Sudo is a first match and stop, or if it will search the whole directory for rules that match and then make a calculated decision.

When using /etc/sudoers, sudo will use the last match. When using LDAP, sudo will stop on the first matching entry, though it will prefer a negative match within that entry.

It would probably be better to evaluate all returned entries instead of stopping at the first match. I've considered adding a weight or ordering attribute to the entries to make it possible to emulate the last match behavior, but I'm not sure that is worth doing. A future version of sudo may choose the most exact match instead, which seems safer.

- todd

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
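To make the difference Todd describes concrete, here is a small Python model of the two evaluation orders, run over the kind of contradicting rule pair Dmitri is worried about. This is an added example, not code from sudo, FreeIPA or anyone in the thread: the Rule class, the evaluate_sudoers and evaluate_ldap functions, and the sample rule sets are constructed assumptions that approximate the semantics stated above (sudoers: the last matching command spec wins; LDAP: the first matching entry wins, with a negative match preferred inside that entry). They are not a copy of sudo's matching code.

```python
"""Model of the two sudo rule-evaluation orders described in the thread.

Added illustration, not code from sudo or from the thread. The Rule class, the
evaluate_* functions and the constructed sample rule sets approximate the
semantics Todd describes (sudoers: last matching command spec wins; LDAP: first
matching entry wins, with a negative match preferred inside that entry). They
are an assumption for teaching, not a copy of sudo's matching code.
"""
from __future__ import annotations

from dataclasses import dataclass
from fnmatch import fnmatch


@dataclass
class Rule:
    """One sudoers rule or one sudoRole entry (constructed shape)."""
    name: str
    users: list[str]
    hosts: list[str]
    commands: list[str]  # a leading '!' marks a negated command spec


def _matches(patterns: list[str], value: str) -> bool:
    """'ALL' matches anything; otherwise shell-style glob matching."""
    return any(p == "ALL" or fnmatch(value, p) for p in patterns)


def _applies(rule: Rule, user: str, host: str) -> bool:
    return _matches(rule.users, user) and _matches(rule.hosts, host)


def evaluate_sudoers(rules: list[Rule], user: str, host: str, command: str) -> str:
    """/etc/sudoers order: every rule is examined and the last matching
    command spec decides. No match at all means 'deny'."""
    verdict = "deny"
    for rule in rules:
        if not _applies(rule, user, host):
            continue
        for spec in rule.commands:
            negated = spec.startswith("!")
            if _matches([spec.lstrip("!")], command):
                verdict = "deny" if negated else "allow"
    return verdict


def evaluate_ldap(entries: list[Rule], user: str, host: str, command: str) -> str:
    """LDAP order as described: stop at the first entry whose command list
    matches, and inside that entry prefer a negative match over a positive
    one. Entries that match user/host but not the command are skipped."""
    for entry in entries:
        if not _applies(entry, user, host):
            continue
        negative = [s[1:] for s in entry.commands if s.startswith("!")]
        positive = [s for s in entry.commands if not s.startswith("!")]
        if _matches(negative, command):
            return "deny"
        if _matches(positive, command):
            return "allow"
    return "deny"


def compare(rules: list[Rule], user: str, host: str, command: str) -> dict[str, str]:
    """Evaluate the same rule list both ways so the divergence is visible."""
    return {
        "sudoers": evaluate_sudoers(rules, user, host, command),
        "ldap": evaluate_ldap(rules, user, host, command),
    }


# Constructed sample: two mutually exclusive rules for the same user, the
# situation Dmitri raises. Which one "wins" depends on back end and order.
CONTRADICTING = [
    Rule("deny-shell", ["alice"], ["ALL"], ["!/bin/sh"]),
    Rule("allow-everything", ["alice"], ["ALL"], ["ALL"]),
]

# Constructed sample: a single entry whose command list holds both a positive
# and a negative spec, ordered so that last-match and negative-first disagree.
MIXED_ENTRY = [
    Rule("mixed", ["carol"], ["ALL"], ["!/bin/sh", "ALL"]),
]


if __name__ == "__main__":
    cases = (
        ("contradicting", CONTRADICTING),
        ("contradicting, reversed", list(reversed(CONTRADICTING))),
        ("mixed entry", MIXED_ENTRY),
    )
    for label, rules in cases:
        user = rules[0].users[0]
        print(f"{label:24s} /bin/sh -> {compare(rules, user, 'web01', '/bin/sh')}")
```

Running it shows the two back ends disagreeing on the same rule list, and the LDAP verdict flipping when the entry order is reversed. That is the practical risk in the thread: sudoers order is fixed by the file, whereas the order in which a directory returns sudoRole entries is not something the model above (or the admin) controls, which is why Todd floats a weight or ordering attribute. For a defender, the safer pattern under the described semantics is to express an exception inside the same entry as the grant it narrows rather than as a separate, contradicting entry, since a negative match within an entry is preferred regardless of order.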