On Oct 4, 2010, at 2:02 PM, Rob Crittenden wrote:

> Dmitri Pal wrote:
>> Dmitri Pal wrote:
>>> Dmitri Pal wrote:
>>>
>>>>> How do we adjust FreeIPA such that it ensures Deny-IPASudoRules precede
>>>>> any Allow-IPASudoRules ?
>>>>>
>>>> So it looks like the current schema would not fly well with SUDO due to a
>>>> SUDO bug/feature. SUDO will match just any first rule that satisfies the
>>>> user-host-command combination but we can't guarantee that rules come in
>>>> the same order. So there is a possibility that an allow rule will come
>>>> before a deny rule in our case and will be matched.
>>>> It is unfortunate and should be fixed by SUDO. In the meantime we need to
>>>> alter the schema to be able to express allowed and not allowed commands
>>>> in one rule.
>>>> It will be up to the admin to know the limitations of SUDO based on the
>>>> documentation we provide and construct the rules in a non-contradicting
>>>> way. We might be able to add some nice checks in future.
>>>>
>>>> So here is the current schema:
>>>>
>>>> objectClasses: (2.16.840.1.113730.3.8.8.TBD
>>>>   NAME 'ipaSudoRule'
>>>>   SUP ipaAssociation
>>>>   STRUCTURAL
>>>>   MUST accessRuleType
>>>>   MAY ( externalUser $
>>>>         externalHost $ hostMask $
>>>>         memberCmd $ cmdCategory $
>>>>         ipaSudoOpt $
>>>>         ipaSudoRunAs $ ipaSudoRunAsExtUser $
>>>>         ipaSudoRunAsUserCategory $
>>>>         ipaSudoRunAsGroup $ ipaSudoRunAsExtGroup $
>>>>         ipaSudoRunAsGroupCategory )
>>>>   X-ORIGIN 'IPA v2' )
>>>>
>>>> We will:
>>>> * Remove accessRuleType
>>>> * Add memberNotCmd, same as memberCmd
>>>>
>>>> attributeTypes: (2.16.840.1.113730.3.8.7.TBD
>>>>   NAME 'memberNotCmd'
>>>>   DESC 'Reference to a command or group of the commands
>>>>         that is not allowed.'
>>>>   SUP distinguishedName
>>>>   EQUALITY distinguishedNameMatch
>>>>   ORDERING distinguishedNameMatch
>>>>   SUBSTR distinguishedNameMatch
>>>>   SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
>>>>   X-ORIGIN 'IPA v2' )
>>>>
>>>> The logic then will be:
>>>> * If no memberCmd, memberNotCmd or cmdCategory attribute is specified -
>>>>   no command is allowed
>>>> * If cmdCategory is specified (only value is "all") all other attributes
>>>>   are ignored and all commands are allowed
>>>> * If cmdCategory is not specified
>>>>   * If memberCmd is specified it defines commands or groups of the
>>>>     commands that are allowed
>>>>   * If memberNotCmd is specified it defines commands or groups of the
>>>>     commands that are not allowed
>>>>   Both attributes are allowed at the same time, defining allowed and
>>>>   not allowed commands within the same rule.
>>>>
>>>> This does not solve the problem fully but at least gets us into the same
>>>> boat as the current SUDO schema.
>>>>
>>>> Comments welcome!
>>>> If there are no objections by end of Friday I will craft a patch over
>>>> the weekend.
>>>>
>>>> Thanks
>>>> Dmitri
>>>>
>>>
>>> I updated the wiki and implemented the change.
>>> Patch is attached.
>>>
>>
>> Rebased patch attached.
>
> ack, pushed to master.
>
> JR, can you fix up the sudo plugins to match this new schema?
>
> thanks
>
> rob

Will get right on it. Try to have it done early tomorrow if not by end of
day today.

-JR

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
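The evaluation logic and the first-match ordering problem discussed in the thread, as an added Python model that is not FreeIPA's or sudo's own code: it assumes constructed DN-like names for commands and command groups, rules already filtered to the user and host, and that memberNotCmd wins over memberCmd inside a single rule (the thread states no in-rule precedence).

```python
# Added example, not FreeIPA or sudo code: a model of the rule logic proposed in the
# thread (memberCmd / memberNotCmd / cmdCategory) plus a sketch of sudo's first-match
# behaviour. Assumptions: rules are already filtered to the user/host, commands and
# groups are constructed DN-like strings, and inside one rule memberNotCmd wins
# (the thread leaves contradictions to the admin and states no in-rule precedence).

CMD_GROUPS = {  # constructed sample: command-group DN -> member command DNs
    "cn=admin-tools": {"cn=/usr/sbin/useradd", "cn=/usr/sbin/userdel"},
}

def expand(refs):
    """Resolve memberCmd/memberNotCmd references (commands or command groups)."""
    return set().union(*(CMD_GROUPS.get(r, {r}) for r in refs))

def evaluate_rule(rule, cmd):
    """Return 'allow', 'deny', or None when the rule says nothing about cmd."""
    if not any(a in rule for a in ("memberCmd", "memberNotCmd", "cmdCategory")):
        return None                      # no command attributes: nothing allowed
    if rule.get("cmdCategory") == "all":
        return "allow"                   # 'all' ignores the other command attributes
    if cmd in expand(rule.get("memberNotCmd", [])):
        return "deny"                    # assumed precedence of the deny list
    if cmd in expand(rule.get("memberCmd", [])):
        return "allow"
    return None

def sudo_first_match(rules, cmd):
    """Mimic sudo: the first rule that decides about cmd wins; no match means deny."""
    for rule in rules:
        verdict = evaluate_rule(rule, cmd)
        if verdict is not None:
            return verdict
    return "deny"

# Constructed rules: one allows the admin-tools group, another forbids userdel,
# and a third expresses both in one rule as the new schema allows.
ALLOW_RULE = {"cn": "allow-admin-tools", "memberCmd": ["cn=admin-tools"]}
DENY_RULE = {"cn": "deny-userdel", "memberNotCmd": ["cn=/usr/sbin/userdel"]}
COMBINED_RULE = {"cn": "admin-minus-userdel", "memberCmd": ["cn=admin-tools"],
                 "memberNotCmd": ["cn=/usr/sbin/userdel"]}

def order_problem(cmd="cn=/usr/sbin/userdel"):
    """Same two rules in two orders flip sudo's answer; the single rule does not."""
    return {
        "allow-then-deny": sudo_first_match([ALLOW_RULE, DENY_RULE], cmd),
        "deny-then-allow": sudo_first_match([DENY_RULE, ALLOW_RULE], cmd),
        "single-rule": sudo_first_match([COMBINED_RULE], cmd),
    }
```

Running order_problem() shows the separate allow and deny rules giving opposite answers depending on which sudo sees first, while the combined rule yields the same answer regardless of order.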