Bug 1394663

Summary: [RFE] ipa/IdM shall support time-limited sudo command (groups)
Product: Red Hat Enterprise Linux 8 Reporter: Thomas Birkl <Thomas.Birkl>
Component: ipaAssignee: Thomas Woerner <twoerner>
Status: CLOSED WONTFIX QA Contact: ipa-qe <ipa-qe>
Severity: medium Docs Contact:
Priority: unspecified    
Version: ---CC: abokovoy, afarley, apeddire, arajendr, ipa-maint, jhrozek, ldelouw, mkosek, pasik, pbrezina, pcech, pvoborni, rcritten, tapazogl, thinking2716, tscherf, twoerner, whitedm
Target Milestone: rcKeywords: FutureFeature, Reopened, Triaged
Target Release: ---Flags: apeddire: needinfo? (twoerner)
Hardware: i686   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2021-10-19 12:25:35 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:

Description Thomas Birkl 2016-11-14 07:48:17 UTC 
Description of problem:
This is a Request For Enhancement (RFE) refering to Red Hat IdM (based in IPA).
The idea is to have time-limited sudo commands/command-groups supported in IdM.

Background:
We are responsible for Unix Servers at Airbus Defence and Space, which is a very security sensitive division within the Airbus Group and we plan to rollout IdM on our environment early/mid 2017.
Users and service owners within our IT department and customer departments maintain applications on their own and are often required to get sudo permissions in order to configure, start/stop or patch their application(s).

Usually sudo permissions can be limited in time, e.g. during initial setup phase or a migration phase.
Due to that we need to have a feature supported in IdM to limit the duration of sudo permissions for users/user Groups. The sudo command /group) shall automatically be disabled at the given Point of time. Best would be if this can be accompanied by a notification email (to backoffice and/or user).

Version-Release number of selected component (if applicable):
RHEL7.2

How reproducible:


Steps to Reproduce:
1.
2.
3.

Actual results:


Expected results:


Additional info:
Comment 3 Martin Kosek 2016-11-15 12:04:11 UTC 
Is this about supporting sudoNotBefore and sudoNotAfter attributes, as it was proposed in Bug 766351 (and upstream ticket https://fedorahosted.org/freeipa/ticket/1314)?

SSSD already supports them, FreeIPA/IdM just does not expose a CLI/UI for them.
Comment 5 Martin Kosek 2016-11-16 11:18:02 UTC 
Based on the information from Support, this is indeed about sudoNotBefore and sudoNotAfter attributes as I suspected. These are indeed not supported in IdM CLI and Web UI at the moment, although they are already added to IdM schema and can be set on LDAP level.

I did an experiment on my RHEL-7.3 IdM system and set the rule via the --setattr option

1) First I configured SSSD (/etc/sssd/sssd.conf) to evaluate time based rules:
...
[sudo]
sudo_timed = true
...
# service sssd restart

2) Next I adding testing SUDO rule to IdM:
# ipa sudorule-add testrule
# ipa sudorule-add-user testrule --user admin
# ipa sudorule-add-host testrule --hosts `hostname`
# ipa sudocmd-add `which less`
# ipa sudorule-add-command testrule --sudocmds /usr/bin/less

# ipa sudorule-mod testrule --setattr "sudonotafter=20170101000000Z" --all --raw
-----------------------------
Modified Sudo Rule "testrule"
-----------------------------
  dn: ipaUniqueID=efa29ac8-abe9-11e6-bfea-001a4a2312c2,cn=sudorules,cn=sudo,dc=rhel73
  cn: testrule
  ipaenabledflag: TRUE
  memberhost: fqdn=ipa.rhel73,cn=computers,cn=accounts,dc=rhel73
  memberuser: uid=admin,cn=users,cn=accounts,dc=rhel73
  ipaUniqueID: efa29ac8-abe9-11e6-bfea-001a4a2312c2
  memberallowcmd: ipaUniqueID=27a9a646-abea-11e6-a98a-001a4a2312c2,cn=sudocmds,cn=sudo,dc=rhel73
  objectClass: ipasudorule
  objectClass: ipaassociation
  sudoNotAfter: 20170101000000Z

3) Then I tested with admin user on local VM:
$ sudo -l
Matching Defaults entries for admin on this host:
    !visiblepw, always_set_home, env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR
    LS_COLORS", env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE
    LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER
    LC_TELEPHONE", env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY",
    secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin

User admin may run the following commands on this host:
    (root) /usr/bin/less

It works!

4) Then I changed the sudoNotAfter:
# ipa sudorule-mod testrule --setattr "sudonotafter=20100101000000Z" --all --raw
-----------------------------
Modified Sudo Rule "testrule"
-----------------------------
  dn: ipaUniqueID=efa29ac8-abe9-11e6-bfea-001a4a2312c2,cn=sudorules,cn=sudo,dc=rhel73
  cn: testrule
  ipaenabledflag: TRUE
  memberhost: fqdn=ipa.rhel73,cn=computers,cn=accounts,dc=rhel73
  memberuser: uid=admin,cn=users,cn=accounts,dc=rhel73
  ipaUniqueID: efa29ac8-abe9-11e6-bfea-001a4a2312c2
  memberallowcmd: ipaUniqueID=27a9a646-abea-11e6-a98a-001a4a2312c2,cn=sudocmds,cn=sudo,dc=rhel73
  objectClass: ipasudorule
  objectClass: ipaassociation
  sudoNotAfter: 20100101000000Z
# service sssd stop; rm /var/lib/sss/db/*; service sssd start

... and tested again:

$ sudo -l
[sudo] password for admin: 
Sorry, user admin may not run sudo on ipa.

... which did not allow admin to run sudo as expected.
Comment 6 Martin Kosek 2016-11-16 11:21:05 UTC 
I would recommend verifying with the customer that this workaround works.

If yes, we can talk more about follow up changes on IdM/SSSD side. I would suggest:
- adding the CLI/UI for these 2 attributes
- enabling "sudo_timed" option in sssd.conf by IdM installer or changing the default in SSSD as otherwise it would be ignored by SSSD.
Comment 7 Martin Kosek 2016-11-16 11:21:47 UTC 
For the record, Pavel Brezina shared following known issue with these options in SSSD:
https://fedorahosted.org/sssd/ticket/2316 (sudoNotBefore time is not always respected)
Comment 8 Petr Vobornik 2016-11-16 19:54:36 UTC 
Upstream ticket:
https://fedorahosted.org/freeipa/ticket/1314
Comment 14 Amy Farley 2019-08-16 15:57:12 UTC 
moving to RHEL 8
Comment 16 Pavel Březina 2020-02-11 14:35:25 UTC 
Yes, that is something that should be fixed especially if IPA gets to support it.
Comment 17 Petr Čech 2020-07-14 11:15:17 UTC 
Thank you taking your time and submitting this request for Red Hat Enterprise Linux. The request was cloned to the upstream tracker a long time ago (see link to the upstream ticket above), but it was unfortunately not given priority either in the upstream project, nor in Red Hat Enterprise Linux.

Given that this request is not planned for a close release, it is highly unlikely it will be fixed in this major version of Red Hat Enterprise Linux. We are therefore closing the request as WONTFIX.

To request that Red Hat reconsiders the decision, please reopen the Bugzilla with the help of Red Hat Customer Service and provide additional business and/or technical details about it's importance to you. Please note that you can still track this request or even offer help in the referred upstream Pagure ticket to expedite the solution.
Comment 29 Theodoros Apazoglou 2021-10-19 12:25:35 UTC 
The related SSSD pagure https://github.com/SSSD/sssd/issues/3358 that is a prerequisite to be fixed first has their associated BZ https://bugzilla.redhat.com/show_bug.cgi?id=1088564 closed as wont fix, so this bugzilla doesn't seem to go anywhere. If SSSD upstream will be fixed and we get a new BZ for the same IPA issue/request then we can work on it. 

Closing as wont fix.