Bug 1113920

Summary: Sudo runasgroup entry not generated by the sudo compat tree
Product: Red Hat Enterprise Linux 7
Reporter: Martin Kosek <mkosek>
Component: ipa
Assignee: Martin Kosek <mkosek>
Status: CLOSED ERRATA
QA Contact: Namita Soman <nsoman>
Severity: unspecified
Docs Contact:
Priority: medium
Version: 7.0
CC: rcritten, spoore
Target Milestone: rc
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version: ipa-4.0.3-1.el7
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2015-03-05 10:12:49 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description Martin Kosek 2014-06-27 08:32:41 UTC
This bug is created as a clone of upstream ticket:
https://fedorahosted.org/freeipa/ticket/4324

Given the following sudo rule:

{{{
[root@vm-243 tbabej]# ipa sudorule-show testrule
  Rule name: testrule
  Enabled: TRUE
  User category: all
  Host category: all
  Sudo Allow Commands: /usr/bin/yum
  Sudo Allow Command Groups: readers
  Sudo Option: !authenticate
  RunAs Groups: testgroup2
}}}

The RunAs group is not available on the client:

{{{
[root@vm-246 ~]# su -c "sudo -ll" testuser1
User testuser1 may run the following commands on vm-246:
    RunAsUsers: root
    Options: !authenticate
    Commands:
        /usr/bin/cat
        /usr/bin/yum
}}}

The reason being that it is not generated in the sudo compat tree:

{{{
[root@vm-243 tbabej]# ldapsearch -h `hostname` -D 'cn=Directory Manager' -w Secret123 -b 'dc=ipa,dc=test' "cn=testrule"
# extended LDIF
#
# LDAPv3
# base <dc=ipa,dc=test> with scope subtree
# filter: cn=testrule
# requesting: ALL
#

# testrule, sudoers, ipa.test
dn: cn=testrule,ou=sudoers,dc=ipa,dc=test
sudoCommand: /usr/bin/cat
sudoCommand: /usr/bin/yum
objectClass: sudoRole
objectClass: top
sudoUser: ALL
sudoHost: ALL
sudoOption: !authenticate
cn: testrule

# a2533874-cb9d-11e3-bcb0-001a4a2221cd, sudorules, sudo, ipa.test
dn: ipaUniqueID=a2533874-cb9d-11e3-bcb0-001a4a2221cd,cn=sudorules,cn=sudo,dc=i
 pa,dc=test
cn: testrule
objectClass: ipasudorule
objectClass: ipaassociation
ipaEnabledFlag: TRUE
ipaUniqueID: a2533874-cb9d-11e3-bcb0-001a4a2221cd
ipaSudoOpt: !authenticate
userCategory: all
hostCategory: all
memberAllowCmd: cn=readers,cn=sudocmdgroups,cn=sudo,dc=ipa,dc=test
memberAllowCmd: ipaUniqueID=a13bda22-cb9d-11e3-9e89-001a4a2221cd,cn=sudocmds,c
 n=sudo,dc=ipa,dc=test
ipaSudoRunAsGroup: cn=testgroup2,cn=groups,cn=accounts,dc=ipa,dc=test

# search result
search: 2
result: 0 Success

# numResponses: 3
# numEntries: 2

}}}

Note the difference between "# testrule, sudoers, ipa.test" and "# a2533874-cb9d-11e3-bcb0-001a4a2221cd, sudorules, sudo, ipa.test" on the ipaSudoRunAsGroup entry.

Comment 1 Martin Kosek 2014-06-27 08:34:05 UTC
Fixed upstream as part of sudorule enhancements.

master:
5a1207cb6ee6dd4314ae95e6637ee6859d5fda1a sudorule: PEP8 fixes in sudorule.py
a228d7a3cb32b14ff24b47adb14d896d317f6312 sudorule: Allow using hostmasks for setting allowed hosts
9304b649a32c57e80f53913d7fbdee92fd76a251 sudorule: Allow using external groups as groups of runAsUsers
3a56b155e80a744c7a924915aae954e0a3d81e9e sudorule: Make sure sudoRunAsGroup is dereferencing the correct attribute
c7da22c1e69cb4d6cc8c6f368aad5ffddbd3762c sudorule: Include externalhost and ipasudorunasextgroup in the list of default attributes
fix: af2eb4d69506b641504d076e79b80c7ee54eeda9 sudorule: Allow adding deny commands when command category set to ALL
9bb88a15e0297e3a3e8e713267bc399164e0cdd6 sudorule: Make sure all the relevant attributes are checked when setting category to ALL
a1d6c9ab6b710076902c1dd8ffcdec96b2538c21 sudorule: Fix the order of the parameters to have less chaotic output
b1275c5b1c2038c9769377e9cf0afe04139d1d8d sudorule: Enforce category ALL checks on dirsrv level
d537da8b8a52dde18f4d07455fef8a4ef1c4ef04 ipatests: test_sudo: Add tests for allowing hosts via hostmasks
c50d190549ff56c35d2dac270f319d764c972113 ipatests: test_sudo: Add coverage for external entries
ec2050b7dfa94ef5ce41172a98c9153c14d4c972 ipatests: test_sudo: Add coverage for category ALL validation
e0fd2695ca3c1c2df8bbecadd4597ccf0aeca004 ipatests: test_sudo: Fix assertions not assuming runasgroupcat set to ALL
701f1fc8ba8fa2cbde6c16b031793d0069fddd33 ipatests: test_sudo: Do not expect enumeration of runasuser groups
e7969f5af56be1b9163a8f9ee4686becb3fdcb59 ipatests: test_sudo: Expect root listed out if no RunAsUser available
af4518b72882f88a01de0e5c23d423898ba894b4 sudorule: Refactor add and remove external_post_callback

Comment 3 Scott Poore 2015-01-27 00:52:47 UTC
Verified.

Version ::

ipa-server-4.1.0-16.el7.x86_64

Results ::

[root@rhel7-1 sssd]# ssh testuser1@$(hostname)
Last login: Mon Jan 26 18:38:47 2015
-sh-4.2$ sudo -ll
Matching Defaults entries for testuser1 on this host:
    requiretty, !visiblepw, always_set_home, env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE
    INPUTRC KDEDIR LS_COLORS", env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE",
    env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY
    LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET
    XAUTHORITY", secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin

User testuser1 may run the following commands on this host:

SSSD Role: test
    RunAsUsers: root
    RunAsGroups: admins
    Options: !authenticate
    Commands:
	/usr/bin/less
-sh-4.2$ exit
logout
Connection to rhel7-1.example.com closed.

[root@rhel7-1 sssd]# ipa sudorule-show test
  Rule name: test
  Enabled: TRUE
  User category: all
  Host category: all
  Sudo Allow Commands: /usr/bin/less
  RunAs Groups: admins
  Sudo Option: !authenticate

[root@rhel7-1 sssd]# ldapsearch -h `hostname` -D 'cn=Directory Manager' -w Secret123 -b 'dc=example,dc=com' 'cn=test'
# extended LDIF
#
# LDAPv3
# base <dc=example,dc=com> with scope subtree
# filter: cn=test
# requesting: ALL
#

# test, sudoers, example.com
dn: cn=test,ou=sudoers,dc=example,dc=com
objectClass: sudoRole
objectClass: top
sudoOption: !authenticate
sudoCommand: /usr/bin/less
sudoUser: ALL
sudoHost: ALL
sudoRunAsGroup: admins
cn: test

# dfcf3344-a5bb-11e4-9d88-525400e25844, sudorules, sudo, example.com
dn: ipaUniqueID=dfcf3344-a5bb-11e4-9d88-525400e25844,cn=sudorules,cn=sudo,dc=e
 xample,dc=com
objectClass: ipasudorule
objectClass: ipaassociation
cn: test
ipaEnabledFlag: TRUE
ipaUniqueID: dfcf3344-a5bb-11e4-9d88-525400e25844
userCategory: all
hostCategory: all
memberAllowCmd: ipaUniqueID=e4a4cf1c-a5b8-11e4-888b-525400e25844,cn=sudocmds,c
 n=sudo,dc=example,dc=com
ipaSudoOpt: !authenticate
ipaSudoRunAsGroup: cn=admins,cn=groups,cn=accounts,dc=example,dc=com

# search result
search: 2
result: 0 Success

# numResponses: 3
# numEntries: 2
[root@rhel7-1 sssd]#
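The description and comment 3 both compare the native rule under cn=sudorules,cn=sudo with the sudoRole that the compat tree generates under ou=sudoers. The following script is an added example, not part of this report or of FreeIPA: it parses the two LDIF entries for one rule and reports every RunAs group on the IPA rule that the compat entry does not publish, so the broken case from the description fails the check and the verified case from comment 3 passes it. The LDIF samples are copied from the report and trimmed to the relevant attributes; the function names are my own, and the script assumes (as the verified output shows with "sudoRunAsGroup: admins") that the compat entry publishes the group's cn, i.e. the value of the first RDN of the ipaSudoRunAsGroup DN.

```python
"""Check that an IPA sudo rule's RunAs groups reach the sudo compat tree.

Added example for bug 1113920; not part of FreeIPA or of the report.
Parses the two entries ldapsearch returns for one rule (native rule under
cn=sudorules,cn=sudo and generated sudoRole under ou=sudoers) and lists
RunAs groups the compat entry failed to publish.
"""

# Sample from the description (before the fix), trimmed: the native rule
# carries ipaSudoRunAsGroup, the compat sudoRole has no sudoRunAsGroup.
BROKEN_LDIF = """\
# testrule, sudoers, ipa.test
dn: cn=testrule,ou=sudoers,dc=ipa,dc=test
objectClass: sudoRole
objectClass: top
sudoUser: ALL
sudoHost: ALL
sudoCommand: /usr/bin/yum
sudoOption: !authenticate
cn: testrule

# a2533874-cb9d-11e3-bcb0-001a4a2221cd, sudorules, sudo, ipa.test
dn: ipaUniqueID=a2533874-cb9d-11e3-bcb0-001a4a2221cd,cn=sudorules,cn=sudo,dc=i
 pa,dc=test
objectClass: ipasudorule
objectClass: ipaassociation
cn: testrule
ipaEnabledFlag: TRUE
userCategory: all
hostCategory: all
ipaSudoOpt: !authenticate
ipaSudoRunAsGroup: cn=testgroup2,cn=groups,cn=accounts,dc=ipa,dc=test
"""

# Sample from comment 3 (ipa-server-4.1.0-16.el7), trimmed: the compat
# entry now carries sudoRunAsGroup with the group's cn.
FIXED_LDIF = """\
# test, sudoers, example.com
dn: cn=test,ou=sudoers,dc=example,dc=com
objectClass: sudoRole
objectClass: top
sudoOption: !authenticate
sudoCommand: /usr/bin/less
sudoUser: ALL
sudoHost: ALL
sudoRunAsGroup: admins
cn: test

# dfcf3344-a5bb-11e4-9d88-525400e25844, sudorules, sudo, example.com
dn: ipaUniqueID=dfcf3344-a5bb-11e4-9d88-525400e25844,cn=sudorules,cn=sudo,dc=e
 xample,dc=com
objectClass: ipasudorule
objectClass: ipaassociation
cn: test
ipaEnabledFlag: TRUE
userCategory: all
hostCategory: all
ipaSudoOpt: !authenticate
ipaSudoRunAsGroup: cn=admins,cn=groups,cn=accounts,dc=example,dc=com
"""


def parse_ldif(text):
    """Parse ldapsearch LDIF output into a list of {attr: [values]} dicts.

    Unfolds continuation lines (leading space), skips '#' comments and
    lower-cases attribute names, since LDAP attribute names are
    case-insensitive. Base64 ('::') values are not needed for this data.
    """
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]          # join wrapped line
        else:
            unfolded.append(raw)
    entries, current = [], {}
    for line in unfolded:
        if line.startswith("#"):
            continue
        if not line.strip():                  # blank line ends an entry
            if current:
                entries.append(current)
                current = {}
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr.strip().lower(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries


def rdn_value(dn):
    """Value of the first RDN: 'admins' from 'cn=admins,cn=groups,...'."""
    return dn.split(",", 1)[0].split("=", 1)[1]


def find_entry(entries, objectclass):
    """First entry carrying the given objectClass (case-insensitive)."""
    wanted = objectclass.lower()
    for entry in entries:
        if wanted in (v.lower() for v in entry.get("objectclass", [])):
            return entry
    raise LookupError(f"no entry with objectClass {objectclass}")


def missing_runas_groups(native, compat):
    """RunAs groups on the IPA rule that the compat sudoRole does not list.

    Assumption (matches the verified output): the compat tree publishes
    the cn of each ipaSudoRunAsGroup DN as a sudoRunAsGroup value.
    """
    expected = {rdn_value(dn) for dn in native.get("ipasudorunasgroup", [])}
    present = set(compat.get("sudorunasgroup", []))
    return sorted(expected - present)


def check_rule(ldif_text):
    """Return the RunAs groups missing from the compat entry ([] when OK)."""
    entries = parse_ldif(ldif_text)
    return missing_runas_groups(find_entry(entries, "ipasudorule"),
                                find_entry(entries, "sudoRole"))


if __name__ == "__main__":
    for label, sample in (("before fix", BROKEN_LDIF), ("after fix", FIXED_LDIF)):
        missing = check_rule(sample)
        print(f"{label}: missing sudoRunAsGroup for {missing}" if missing
              else f"{label}: compat entry publishes every RunAs group")
```

To run it against a live server, feed the output of the same ldapsearch shown above (filtered on the rule's cn so both entries come back) to check_rule; a non-empty result means clients that read the compat tree will not see the RunAs group, exactly the symptom in the description.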

Comment 5 errata-xmlrpc 2015-03-05 10:12:49 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2015-0442.html