Dmitri Pal wrote:
> Dmitri Pal wrote:
>>> How do we adjust FreeIPA such that it ensures Deny-IPASudoRules precede any
>>> Allow-IPASudoRules ?
>>>
>> So it looks like current schema would not fly well with SUDO due to SUDO
>> bug/feature. SUDO will match just any first rule that satisfies the
>> user-host-command combination but we can't guarantee that rules come in
>> the same order. So there is a possibility that allow rule will come
>> before deny rule in our case and will be matched.
>> It is unfortunate and should be fixed by SUDO. In the meantime we need to
>> alter the schema to be able to express allowed and not allowed commands
>> in one rule.
>> It will be up to the admin to know the limitations of SUDO based on the
>> documentation we provide and construct the rules in a non-contradicting
>> way. We might be able to add some nice checks in future.
>>
>> So here is current schema:
>>
>> objectClasses: (2.16.840.1.113730.3.8.8.TBD
>>     NAME 'ipaSudoRule'
>>     SUP ipaAssociation
>>     STRUCTURAL
>>     MUST accessRuleType
>>     MAY ( externalUser $
>>           externalHost $ hostMask $
>>           memberCmd $ cmdCategory $
>>           ipaSudoOpt $
>>           ipaSudoRunAs $ ipaSudoRunAsExtUser $
>>           ipaSudoRunAsUserCategory $
>>           ipaSudoRunAsGroup $ ipaSudoRunAsExtGroup $
>>           ipaSudoRunAsGroupCategory )
>>     X-ORIGIN 'IPA v2' )
>>
>> We will:
>> * Remove accessRuleType
>> * Add memberNotCmd same as memberCmd
>>
>> attributeTypes: (2.16.840.1.113730.3.8.7.TBD
>>     NAME 'memberNotCmd'
>>     DESC 'Reference to a command or group of the commands that
>>           is not allowed.'
>>     SUP distinguishedName
>>     EQUALITY distinguishedNameMatch
>>     ORDERING distinguishedNameMatch
>>     SUBSTR distinguishedNameMatch
>>     SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
>>     X-ORIGIN 'IPA v2' )
>>
>> The logic then will be:
>> * If no memberCmd, memberNotCmd or cmdCategory attribute is specified -
>>   no command is allowed
>> * If cmdCategory is specified (only value is "all") all other attributes
>>   are ignored and all commands are allowed
>> * If cmdCategory is not specified
>>   * If memberCmd is specified it defines commands or groups of the
>>     commands that are allowed
>>   * If memberNotCmd is specified it defines commands or groups of the
>>     commands that are not allowed
>>   Both attributes are allowed at the same time defining allowed and
>>   not allowed commands within the same rule.
>>
>> This does not solve the problem fully but at least gets us into the same
>> boat as current SUDO schema.
>>
>> Comments welcome!
>> If there are no objections by end of Friday I will craft a patch over
>> the weekend.
>>
>> Thanks
>> Dmitri
>>
>
> I updated the wiki and implemented the change.
> Patch is attached.
>
Rebased patch attached.

>> _______________________________________________
>> Freeipa-devel mailing list
>> Freeipa-devel@redhat.com
>> https://www.redhat.com/mailman/listinfo/freeipa-devel

-- 
Thank you,
Dmitri Pal

Engineering Manager IPA project,
Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
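The evaluation order quoted above (no command attributes, cmdCategory "all", allow and deny lists within one rule), worked through as an added example; this is not code from the thread or from FreeIPA. It uses the attribute names of the attached patch, memberAllowCmd and memberDenyCmd, rather than the memberCmd/memberNotCmd names of the quoted proposal. Assumptions of the example: the directory is a constructed in-memory dict; command entries (ipaSudoCmd, from the patch) carry the command string in cn; command groups use an object class called ipaSudoCmdGrp with a member attribute (the thread names neither); and a command that one rule both allows and denies is treated as denied. The thread leaves that last case to the administrator, so contradictions() implements the "nice checks" the message defers.

```python
"""Evaluate the command attributes of an ipaSudoRule entry.

Added example, not FreeIPA code. Implements the evaluation order from the
thread with the attribute names of the attached patch. All directory data
below is constructed for the example.
"""
from typing import Dict, Iterable, List, Set

Entry = Dict[str, List[str]]   # LDAP entry: attribute -> values
Directory = Dict[str, Entry]   # DN -> entry

SUDOCMDS = "cn=sudocmds,cn=sudo,dc=example,dc=com"           # constructed base
SUDOCMDGRPS = "cn=sudocmdgroups,cn=sudo,dc=example,dc=com"   # constructed base

# Constructed sample directory. ipaSudoCmd is the command object class from
# the patch; storing the command string in cn, the group object class name
# ipaSudoCmdGrp and its member attribute are assumptions of this example.
DIRECTORY: Directory = {
    f"cn=ls,{SUDOCMDS}": {"objectClass": ["ipaSudoCmd"], "cn": ["/bin/ls"]},
    f"cn=rm,{SUDOCMDS}": {"objectClass": ["ipaSudoCmd"], "cn": ["/bin/rm"]},
    f"cn=reboot,{SUDOCMDS}": {"objectClass": ["ipaSudoCmd"], "cn": ["/sbin/reboot"]},
    f"cn=fileutils,{SUDOCMDGRPS}": {
        "objectClass": ["ipaSudoCmdGrp"],
        "member": [f"cn=ls,{SUDOCMDS}", f"cn=rm,{SUDOCMDS}",
                   f"cn=fileutils,{SUDOCMDGRPS}"],   # self-reference: a cycle
    },
}

# Three constructed ipaSudoRule entries covering the cases in the thread.
ALLOW_GROUP_DENY_RM: Entry = {            # allow a group, deny one of its members
    "objectClass": ["ipaSudoRule"],
    "memberAllowCmd": [f"cn=fileutils,{SUDOCMDGRPS}"],
    "memberDenyCmd": [f"cn=rm,{SUDOCMDS}"],
}
ALLOW_ALL: Entry = {                       # cmdCategory=all: other attributes ignored
    "objectClass": ["ipaSudoRule"],
    "cmdCategory": ["all"],
    "memberDenyCmd": [f"cn=reboot,{SUDOCMDS}"],
}
NO_COMMANDS: Entry = {"objectClass": ["ipaSudoRule"]}   # no command attributes


def expand_cmds(dns: Iterable[str], directory: Directory) -> Set[str]:
    """Resolve command and command-group DNs to the command strings they name.

    Groups are expanded recursively through their member attribute; `seen`
    stops membership cycles, and dangling DNs contribute nothing.
    """
    found: Set[str] = set()
    seen: Set[str] = set()
    todo = list(dns)
    while todo:
        dn = todo.pop()
        if dn in seen:
            continue
        seen.add(dn)
        entry = directory.get(dn)
        if entry is None:
            continue
        if "ipaSudoCmd" in entry.get("objectClass", []):
            found.update(entry.get("cn", []))
        else:
            todo.extend(entry.get("member", []))
    return found


def contradictions(rule: Entry, directory: Directory) -> Set[str]:
    """Commands a single rule both allows and denies once groups are expanded.

    This is the consistency check the thread leaves for later: SUDO gives no
    ordering guarantee, so an admin should not write such a rule at all.
    """
    allowed = expand_cmds(rule.get("memberAllowCmd", []), directory)
    denied = expand_cmds(rule.get("memberDenyCmd", []), directory)
    return allowed & denied


def command_allowed(rule: Entry, command: str, directory: Directory) -> bool:
    """Decide whether `command` is permitted by one ipaSudoRule entry.

    Order follows the thread: no command attributes -> nothing allowed;
    cmdCategory "all" -> everything allowed, other command attributes
    ignored; otherwise the allow list minus the deny list. Treating a
    command in both lists as denied is an assumption of this example.
    """
    allow_dns = rule.get("memberAllowCmd", [])
    deny_dns = rule.get("memberDenyCmd", [])
    category = rule.get("cmdCategory", [])
    if not (allow_dns or deny_dns or category):
        return False
    if any(v.lower() == "all" for v in category):
        return True
    if command in expand_cmds(deny_dns, directory):
        return False
    return command in expand_cmds(allow_dns, directory)


if __name__ == "__main__":
    for cmd in ("/bin/ls", "/bin/rm", "/sbin/reboot"):
        print(cmd, command_allowed(ALLOW_GROUP_DENY_RM, cmd, DIRECTORY))
    print("allowed and denied in one rule:",
          sorted(contradictions(ALLOW_GROUP_DENY_RM, DIRECTORY)))
```

Running the block as a script shows /bin/ls allowed, /bin/rm and /sbin/reboot refused for the first rule, and reports /bin/rm as the one command the rule both allows (through the group) and denies (directly); that overlap is exactly the situation the thread says SUDO cannot be trusted to order, so a check like contradictions() is what an admin tool would run before the rule is saved.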
From 87522d5da7821022e73f08711614611e1f68b481 Mon Sep 17 00:00:00 2001
From: Dmitri Pal <d...@redhat.com>
Date: Sun, 3 Oct 2010 13:09:34 -0400
Subject: [PATCH] [SUDO] Allow and deny commands in one rule

1) Added new attribute memberDenyCommand
2) Renamed memberCmd to memberAllowCmd
3) Changed the object class:
   * removed type
   * reflected the rename change
   * added the new attribute
4) Renumbered the attributes (while we still can) for consistency.
---
 install/share/60sudo.ldif |   26 ++++++++++++++------------
 1 files changed, 14 insertions(+), 12 deletions(-)

diff --git a/install/share/60sudo.ldif b/install/share/60sudo.ldif
index 0f3ac03ac2ba68dc99b5c282c88399c6bdfb239c..d7080859be12abd7b1f27a5f9cbeebee44af8969 100644
--- a/install/share/60sudo.ldif
+++ b/install/share/60sudo.ldif
@@ -6,29 +6,31 @@ dn: cn=schema ## ObjectClasses: 2.16.840.1.113730.3.8.8.x ## ## Attribute to store DN of a SUDO command or a group of SUDO commands -attributetypes: (2.16.840.1.113730.3.8.7.1 NAME 'memberCmd' DESC 'Reference to a command or group of the commands.' SUP distinguishedName EQUALITY distinguishedNameMatch ORDERING distinguishedNameMatch SUBSTR distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 X-ORIGIN 'IPA v2' ) +attributetypes: (2.16.840.1.113730.3.8.7.1 NAME 'memberAllowCmd' DESC 'Reference to a command or group of the commands that are allowed by the rule.' SUP distinguishedName EQUALITY distinguishedNameMatch ORDERING distinguishedNameMatch SUBSTR distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 X-ORIGIN 'IPA v2' ) ## Attribute to store command category -attributeTypes: (2.16.840.1.113730.3.8.7.2 NAME 'cmdCategory' DESC 'Additional classification for commands' EQUALITY caseIgnoreMatch ORDERING caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'IPA v2' ) +attributetypes: (2.16.840.1.113730.3.8.7.2 NAME 'memberDenyCmd' DESC 'Reference to a command or group of the commands that are denied by the rule.' SUP distinguishedName EQUALITY distinguishedNameMatch ORDERING distinguishedNameMatch SUBSTR distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 X-ORIGIN 'IPA v2' ) +## Attribute to store command category +attributeTypes: (2.16.840.1.113730.3.8.7.3 NAME 'cmdCategory' DESC 'Additional classification for commands' EQUALITY caseIgnoreMatch ORDERING caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'IPA v2' ) ## Attribute to store user not managed by the central server -attributetypes: (2.16.840.1.113730.3.8.7.3 NAME 'externalUser' DESC 'Multivalue string attribute that allows storing user names.' 
EQUALITY caseIgnoreMatch ORDERING caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'IPA v2' ) +attributetypes: (2.16.840.1.113730.3.8.7.4 NAME 'externalUser' DESC 'Multivalue string attribute that allows storing user names.' EQUALITY caseIgnoreMatch ORDERING caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'IPA v2' ) ## Attribute to store sudo options -attributetypes: (2.16.840.1.113730.3.8.7.4 NAME 'ipaSudoOpt' DESC 'Options(s) followed by sudo' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 X-ORIGIN 'IPA v2' ) +attributetypes: (2.16.840.1.113730.3.8.7.5 NAME 'ipaSudoOpt' DESC 'Options(s) followed by sudo' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 X-ORIGIN 'IPA v2' ) ## Attribute to store the reference identity under which the command should be run -attributeTypes: (2.16.840.1.113730.3.8.7.5 NAME 'ipaSudoRunAs' DESC 'Reference to a user or group that the commands can be run as.' SUP memberUser X-ORIGIN 'IPA v2' ) +attributeTypes: (2.16.840.1.113730.3.8.7.6 NAME 'ipaSudoRunAs' DESC 'Reference to a user or group that the commands can be run as.' SUP memberUser X-ORIGIN 'IPA v2' ) ## Attribute to store a name of the user not managed by IPA. Command witll be executed under his identity. 
-attributeTypes: (2.16.840.1.113730.3.8.7.6 NAME 'ipaSudoRunAsExtUser' DESC 'Multivalue string attribute that allows storing user name the command can be run as' EQUALITY caseIgnoreMatch ORDERING caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'IPA v2' ) +attributeTypes: (2.16.840.1.113730.3.8.7.7 NAME 'ipaSudoRunAsExtUser' DESC 'Multivalue string attribute that allows storing user name the command can be run as' EQUALITY caseIgnoreMatch ORDERING caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'IPA v2' ) ## Attribute to express category of identities that the command can be run under -attributeTypes: (2.16.840.1.113730.3.8.7.7 NAME 'ipaSudoRunAsUserCategory' DESC 'Additional classification for users' SUP userCategory X-ORIGIN 'IPA v2' ) +attributeTypes: (2.16.840.1.113730.3.8.7.8 NAME 'ipaSudoRunAsUserCategory' DESC 'Additional classification for users' SUP userCategory X-ORIGIN 'IPA v2' ) ## Attribute to store a reference to the "run as group" identitity -attributeTypes: (2.16.840.1.113730.3.8.7.8 NAME 'ipaSudoRunAsGroup' DESC 'Reference to group that the commands can be run as.' SUP memberUser X-ORIGIN 'IPA v2' ) +attributeTypes: (2.16.840.1.113730.3.8.7.9 NAME 'ipaSudoRunAsGroup' DESC 'Reference to group that the commands can be run as.' 
SUP memberUser X-ORIGIN 'IPA v2' ) ## Attribute to store a name of the "run as group" identitity if this group is not directly managed by IPA -attributeTypes: (2.16.840.1.113730.3.8.7.9 NAME 'ipaSudoRunAsExtGroup' DESC 'Multivalue string attribute that allows storing group name the command can be run as' EQUALITY caseIgnoreMatch ORDERING caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'IPA v2' ) +attributeTypes: (2.16.840.1.113730.3.8.7.10 NAME 'ipaSudoRunAsExtGroup' DESC 'Multivalue string attribute that allows storing group name the command can be run as' EQUALITY caseIgnoreMatch ORDERING caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'IPA v2' ) ## Attribute to express category of group identities that the command can be run under -attributeTypes: (2.16.840.1.113730.3.8.7.10 NAME 'ipaSudoRunAsGroupCategory' DESC 'Additional classification for groups' SUP userCategory X-ORIGIN 'IPA v2' ) +attributeTypes: (2.16.840.1.113730.3.8.7.11 NAME 'ipaSudoRunAsGroupCategory' DESC 'Additional classification for groups' SUP userCategory X-ORIGIN 'IPA v2' ) ## Attribute to store host mask -attributeTypes: (2.16.840.1.113730.3.8.7.11 NAME 'hostMask' DESC 'IP mask to identify a subnet.' EQUALITY caseIgnoreMatch ORDERING caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'IPA v2' ) +attributeTypes: (2.16.840.1.113730.3.8.7.12 NAME 'hostMask' DESC 'IP mask to identify a subnet.' 
EQUALITY caseIgnoreMatch ORDERING caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'IPA v2' ) ## Object class for SUDO rules -objectClasses: (2.16.840.1.113730.3.8.8.1 NAME 'ipaSudoRule' SUP ipaAssociation STRUCTURAL MUST accessRuleType MAY ( externalUser $ externalHost $ hostMask $ memberCmd $ cmdCategory $ ipaSudoOpt $ ipaSudoRunAs $ ipaSudoRunAsExtUser $ ipaSudoRunAsUserCategory $ ipaSudoRunAsGroup $ ipaSudoRunAsExtGroup $ ipaSudoRunAsGroupCategory ) X-ORIGIN 'IPA v2' ) +objectClasses: (2.16.840.1.113730.3.8.8.1 NAME 'ipaSudoRule' SUP ipaAssociation STRUCTURAL MAY ( externalUser $ externalHost $ hostMask $ memberAllowCmd $ memberDenyCmd $ cmdCategory $ ipaSudoOpt $ ipaSudoRunAs $ ipaSudoRunAsExtUser $ ipaSudoRunAsUserCategory $ ipaSudoRunAsGroup $ ipaSudoRunAsExtGroup $ ipaSudoRunAsGroupCategory ) X-ORIGIN 'IPA v2' ) ## Object class for SUDO commands objectClasses: (2.16.840.1.113730.3.8.8.2 NAME 'ipaSudoCmd' DESC 'IPA object class for SUDO command' STRUCTURAL MUST ( ipaUniqueID $ cn ) MAY ( memberOf $ description ) X-ORIGIN 'IPA v2' ) ## Object class for groups of the SUDO commands -- 1.5.5.6
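Review bot: the renumbering in this hunk reassigns existing OIDs to different attributes rather than only appending: 2.16.840.1.113730.3.8.7.2 was `cmdCategory` and now names `memberDenyCmd`, and every definition from `cmdCategory` (.7.3) through `hostMask` (.7.12) moves up by one. An OID is meant to identify one definition permanently; any server that has already loaded the previous 60sudo.ldif, or replicated those definitions into its user schema, will then hold the same OID under two different NAMEs and in one case a different SYNTAX, which is a schema conflict rather than a rename. Unless it is certain that no build with the old file has been installed anywhere, the safer change is to keep the existing numbers and give `memberDenyCmd` the next free OID (.7.12). Two smaller points: the commit message says `memberDenyCommand` but the attribute defined here is `memberDenyCmd`; and the new lines spell the LDIF key `attributetypes:` while neighbouring definitions use `attributeTypes:` (harmless, since LDIF attribute names are case-insensitive, but one spelling would be tidier). Finally, with `MUST accessRuleType` gone and a rule able to carry both `memberAllowCmd` and `memberDenyCmd`, the comment above the `ipaSudoRule` object class should state which attribute wins when a command matches both, since the thread's reason for this change is that SUDO provides no ordering guarantee between rules.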