Bug 1113918
Summary: | Setting a sudo category to all doesn't check to see if rules already exist | | |
---|---|---|---|
Product: | Red Hat Enterprise Linux 7 | Reporter: | Martin Kosek <mkosek> |
Component: | ipa | Assignee: | Martin Kosek <mkosek> |
Status: | CLOSED ERRATA | QA Contact: | Namita Soman <nsoman> |
Severity: | unspecified | Docs Contact: | |
Priority: | medium | | |
Version: | 7.0 | CC: | rcritten, spoore |
Target Milestone: | rc | | |
Target Release: | --- | | |
Hardware: | Unspecified | | |
OS: | Unspecified | | |
Whiteboard: | | | |
Fixed In Version: | ipa-4.0.3-1.el7 | Doc Type: | Bug Fix |
Doc Text: | | Story Points: | --- |
Clone Of: | | Environment: | |
Last Closed: | 2015-03-05 10:12:45 UTC | Type: | --- |
Description
Martin Kosek
2014-06-27 08:32:21 UTC
Fixed upstream as part of sudorule enhancements.

master:
5a1207cb6ee6dd4314ae95e6637ee6859d5fda1a sudorule: PEP8 fixes in sudorule.py
a228d7a3cb32b14ff24b47adb14d896d317f6312 sudorule: Allow using hostmasks for setting allowed hosts
9304b649a32c57e80f53913d7fbdee92fd76a251 sudorule: Allow using external groups as groups of runAsUsers
3a56b155e80a744c7a924915aae954e0a3d81e9e sudorule: Make sure sudoRunAsGroup is dereferencing the correct attribute
c7da22c1e69cb4d6cc8c6f368aad5ffddbd3762c sudorule: Include externalhost and ipasudorunasextgroup in the list of default attributes
fix:
af2eb4d69506b641504d076e79b80c7ee54eeda9 sudorule: Allow adding deny commands when command category set to ALL
9bb88a15e0297e3a3e8e713267bc399164e0cdd6 sudorule: Make sure all the relevant attributes are checked when setting category to ALL
a1d6c9ab6b710076902c1dd8ffcdec96b2538c21 sudorule: Fix the order of the parameters to have less chaotic output
b1275c5b1c2038c9769377e9cf0afe04139d1d8d sudorule: Enforce category ALL checks on dirsrv level
d537da8b8a52dde18f4d07455fef8a4ef1c4ef04 ipatests: test_sudo: Add tests for allowing hosts via hostmasks
c50d190549ff56c35d2dac270f319d764c972113 ipatests: test_sudo: Add coverage for external entries
ec2050b7dfa94ef5ce41172a98c9153c14d4c972 ipatests: test_sudo: Add coverage for category ALL validation
e0fd2695ca3c1c2df8bbecadd4597ccf0aeca004 ipatests: test_sudo: Fix assertions not assuming runasgroupcat set to ALL
701f1fc8ba8fa2cbde6c16b031793d0069fddd33 ipatests: test_sudo: Do not expect enumeration of runasuser groups
e7969f5af56be1b9163a8f9ee4686becb3fdcb59 ipatests: test_sudo: Expect root listed out if no RunAsUser available
af4518b72882f88a01de0e5c23d423898ba894b4 sudorule: Refactor add and remove external_post_callback

Verified.

Version ::

ipa-server-4.1.0-16.el7.x86_64

Results ::

```
[root@rhel7-1 ~]# ipa sudocmd-add /usr/bin/less
----------------------------------
Added Sudo Command "/usr/bin/less"
----------------------------------
Sudo Command: /usr/bin/less

[root@rhel7-1 ~]# ipa sudorule-add test
----------------------
Added Sudo Rule "test"
----------------------
Rule name: test
Enabled: TRUE

[root@rhel7-1 ~]# ipa sudorule-add-user test --users=notinipa
Rule name: test
Enabled: TRUE
External User: notinipa
-------------------------
Number of members added 1
-------------------------

[root@rhel7-1 ~]# ipa sudorule-add-host test --hosts=$(hostname)
Rule name: test
Enabled: TRUE
External User: notinipa
Hosts: rhel7-1.example.com
-------------------------
Number of members added 1
-------------------------

[root@rhel7-1 ~]# ipa sudorule-add-allow-command test --sudocmds=/usr/bin/less
Rule name: test
Enabled: TRUE
External User: notinipa
Hosts: rhel7-1.example.com
Sudo Allow Commands: /usr/bin/less
-------------------------
Number of members added 1
-------------------------

[root@rhel7-1 ~]# ipa sudorule-add-runasuser test --users=admin
Rule name: test
Enabled: TRUE
External User: notinipa
Hosts: rhel7-1.example.com
Sudo Allow Commands: /usr/bin/less
RunAs Users: admin
-------------------------
Number of members added 1
-------------------------

[root@rhel7-1 ~]# ipa sudorule-add-runasgroup test --groups=admins
Rule name: test
Enabled: TRUE
External User: notinipa
Hosts: rhel7-1.example.com
Sudo Allow Commands: /usr/bin/less
RunAs Users: admin
RunAs Groups: admins
-------------------------
Number of members added 1
-------------------------

[root@rhel7-1 ~]# ipa sudorule-mod test --usercat=all
ipa: ERROR: user category cannot be set to 'all' while there are allowed users

[root@rhel7-1 ~]# ipa sudorule-mod test --hostcat=all
ipa: ERROR: host category cannot be set to 'all' while there are allowed hosts

[root@rhel7-1 ~]# ipa sudorule-mod test --cmdcat=all
ipa: ERROR: command category cannot be set to 'all' while there are allowed commands

[root@rhel7-1 ~]# ipa sudorule-mod test --runasusercat=all
ipa: ERROR: runAs user category cannot be set to 'all' while there are allowed runAs users

[root@rhel7-1 ~]# ipa sudorule-mod test --runasgroupcat=all
ipa: ERROR: group runAs category cannot be set to 'all' while there are allowed runAs groups
```

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2015-0442.html
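
The category/member exclusivity exercised in the verification session, sketched as an added example (not FreeIPA's code and not part of the original report): a rule is contradictory when a category is 'all' while explicit members of that kind exist, and deny commands stay permitted with the command category set to ALL, as the fix commit title states. The field names, `conflicts`, `apply_change` and the sample rules are assumptions made for illustration; only the category option names and error strings come from the session.

```python
# Added example. Field names are illustrative (assumption), not FreeIPA's
# LDAP schema; category names follow the --*cat options in the session above.

# category -> (member fields that conflict with 'all', error text from the page)
CATEGORY_RULES = {
    "usercat": (("users", "external_users"),
                "user category cannot be set to 'all' while there are allowed users"),
    "hostcat": (("hosts", "external_hosts", "hostmasks"),
                "host category cannot be set to 'all' while there are allowed hosts"),
    # Deny commands are not listed: they remain valid with cmdcat=all.
    "cmdcat": (("allow_commands",),
               "command category cannot be set to 'all' while there are allowed commands"),
    "runasusercat": (("runas_users",),
                     "runAs user category cannot be set to 'all' "
                     "while there are allowed runAs users"),
    "runasgroupcat": (("runas_groups",),
                      "group runAs category cannot be set to 'all' "
                      "while there are allowed runAs groups"),
}


class ValidationError(Exception):
    """Raised when a change would leave a rule in a contradictory state."""


def conflicts(rule):
    """List the error text for each category that is 'all' yet has members."""
    return [msg for cat, (fields, msg) in CATEGORY_RULES.items()
            if str(rule.get(cat, "")).lower() == "all"
            and any(rule.get(f) for f in fields)]


def apply_change(rule, **changes):
    """Return an updated copy of the rule, refusing contradictory results."""
    candidate = {**rule, **changes}
    errors = conflicts(candidate)
    if errors:
        raise ValidationError(errors[0])
    return candidate


# Constructed sample mirroring the "test" rule built in the session above.
TEST_RULE = {
    "external_users": ["notinipa"], "hosts": ["rhel7-1.example.com"],
    "allow_commands": ["/usr/bin/less"],
    "runas_users": ["admin"], "runas_groups": ["admins"],
}
# Constructed pre-fix state: category and members both present.
LEGACY_RULE = {"hostcat": "all", "hosts": ["rhel7-1.example.com"]}
```

Running `conflicts` over rules exported from a deployment that predates the fix flags entries such as `LEGACY_RULE`, where the category and an explicit member list disagree about who the rule covers.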