Bug 1113918 - Setting a sudo category to all doesn't check to see if rules already exist
Summary: Setting a sudo category to all doesn't check to see if rules already exist
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: ipa
Version: 7.0
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: unspecified
Target Milestone: rc
Target Release: ---
Assignee: Martin Kosek
QA Contact: Namita Soman
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2014-06-27 08:32 UTC by Martin Kosek
Modified: 2015-03-05 10:12 UTC (History)
CC: 2 users

Fixed In Version: ipa-4.0.3-1.el7
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2015-03-05 10:12:45 UTC
Target Upstream Version:
Embargoed:




Links
System ID | Private | Priority | Status | Summary | Last Updated
Red Hat Product Errata RHSA-2015:0442 | 0 | normal | SHIPPED_LIVE | Moderate: ipa security, bug fix, and enhancement update | 2015-03-05 14:50:39 UTC

Description Martin Kosek 2014-06-27 08:32:21 UTC
This bug is created as a clone of upstream ticket:
https://fedorahosted.org/freeipa/ticket/4341

https://fedorahosted.org/freeipa/ticket/1440 made it so you couldn't add commands, users, etc if a category is set to ALL but it fails to check for existing commands, users, etc when setting the category to ALL.

For example, you cannot do this:

{{{
 # Category set to ALL at creation: adding an explicit command is rejected
 ipa sudorule-add test --cmdcat=all
 ipa sudorule-add-allow-command test --sudocmds=/usr/bin/less
}}}

But you can do this:

{{{
 # Same end state reached the other way round: test2 keeps /usr/bin/less AND cmdcat=all
 ipa sudorule-add test2
 ipa sudorule-add-allow-command test2 --sudocmds=/usr/bin/less
 ipa sudorule-mod test2 --cmdcat=all
}}}


This should be coordinated with https://fedorahosted.org/freeipa/ticket/4340 because this is the workaround for that.

Comment 1 Martin Kosek 2014-06-27 08:34:17 UTC
Fixed upstream as part of sudorule enhancements.

master:
5a1207cb6ee6dd4314ae95e6637ee6859d5fda1a sudorule: PEP8 fixes in sudorule.py
a228d7a3cb32b14ff24b47adb14d896d317f6312 sudorule: Allow using hostmasks for setting allowed hosts
9304b649a32c57e80f53913d7fbdee92fd76a251 sudorule: Allow using external groups as groups of runAsUsers
3a56b155e80a744c7a924915aae954e0a3d81e9e sudorule: Make sure sudoRunAsGroup is dereferencing the correct attribute
c7da22c1e69cb4d6cc8c6f368aad5ffddbd3762c sudorule: Include externalhost and ipasudorunasextgroup in the list of default attributes
fix: af2eb4d69506b641504d076e79b80c7ee54eeda9 sudorule: Allow adding deny commands when command category set to ALL
9bb88a15e0297e3a3e8e713267bc399164e0cdd6 sudorule: Make sure all the relevant attributes are checked when setting category to ALL
a1d6c9ab6b710076902c1dd8ffcdec96b2538c21 sudorule: Fix the order of the parameters to have less chaotic output
b1275c5b1c2038c9769377e9cf0afe04139d1d8d sudorule: Enforce category ALL checks on dirsrv level
d537da8b8a52dde18f4d07455fef8a4ef1c4ef04 ipatests: test_sudo: Add tests for allowing hosts via hostmasks
c50d190549ff56c35d2dac270f319d764c972113 ipatests: test_sudo: Add coverage for external entries
ec2050b7dfa94ef5ce41172a98c9153c14d4c972 ipatests: test_sudo: Add coverage for category ALL validation
e0fd2695ca3c1c2df8bbecadd4597ccf0aeca004 ipatests: test_sudo: Fix assertions not assuming runasgroupcat set to ALL
701f1fc8ba8fa2cbde6c16b031793d0069fddd33 ipatests: test_sudo: Do not expect enumeration of runasuser groups
e7969f5af56be1b9163a8f9ee4686becb3fdcb59 ipatests: test_sudo: Expect root listed out if no RunAsUser available
af4518b72882f88a01de0e5c23d423898ba894b4 sudorule: Refactor add and remove external_post_callback

Comment 3 Scott Poore 2015-01-27 00:14:28 UTC
Verified.

Version ::

ipa-server-4.1.0-16.el7.x86_64

Results ::

[root@rhel7-1 ~]# ipa sudocmd-add /usr/bin/less
----------------------------------
Added Sudo Command "/usr/bin/less"
----------------------------------
  Sudo Command: /usr/bin/less
[root@rhel7-1 ~]# ipa sudorule-add test
----------------------
Added Sudo Rule "test"
----------------------
  Rule name: test
  Enabled: TRUE
[root@rhel7-1 ~]# ipa sudorule-add-user test --users=notinipa
  Rule name: test
  Enabled: TRUE
  External User: notinipa
-------------------------
Number of members added 1
-------------------------
[root@rhel7-1 ~]# ipa sudorule-add-host test --hosts=$(hostname)
  Rule name: test
  Enabled: TRUE
  External User: notinipa
  Hosts: rhel7-1.example.com
-------------------------
Number of members added 1
-------------------------
[root@rhel7-1 ~]# ipa sudorule-add-allow-command test --sudocmds=/usr/bin/less
  Rule name: test
  Enabled: TRUE
  External User: notinipa
  Hosts: rhel7-1.example.com
  Sudo Allow Commands: /usr/bin/less
-------------------------
Number of members added 1
-------------------------
[root@rhel7-1 ~]# ipa sudorule-add-runasuser test --users=admin
  Rule name: test
  Enabled: TRUE
  External User: notinipa
  Hosts: rhel7-1.example.com
  Sudo Allow Commands: /usr/bin/less
  RunAs Users: admin
-------------------------
Number of members added 1
-------------------------
[root@rhel7-1 ~]# ipa sudorule-add-runasgroup test --groups=admins
  Rule name: test
  Enabled: TRUE
  External User: notinipa
  Hosts: rhel7-1.example.com
  Sudo Allow Commands: /usr/bin/less
  RunAs Users: admin
  RunAs Groups: admins
-------------------------
Number of members added 1
-------------------------


[root@rhel7-1 ~]# ipa sudorule-mod test --usercat=all 
ipa: ERROR: user category cannot be set to 'all' while there are allowed users

[root@rhel7-1 ~]# ipa sudorule-mod test --hostcat=all 
ipa: ERROR: host category cannot be set to 'all' while there are allowed hosts

[root@rhel7-1 ~]# ipa sudorule-mod test --cmdcat=all 
ipa: ERROR: command category cannot be set to 'all' while there are allowed commands

[root@rhel7-1 ~]# ipa sudorule-mod test --runasusercat=all 
ipa: ERROR: runAs user category cannot be set to 'all' while there are allowed runAs users

[root@rhel7-1 ~]# ipa sudorule-mod test --runasgroupcat=all 
ipa: ERROR: group runAs category cannot be set to 'all' while there are allowed runAs groups

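The check the description asks for, and that the verification transcript above exercises for all five categories, modelled in Python as an added example (this is not FreeIPA's code). A rule is a dict keyed by the attribute names the ipa CLI uses (usercategory, memberallowcmd_sudocmd, ...); the mapping of which member attributes each category covers is this example's assumption based on the sudorule schema. It covers both directions (setting a category to ALL while members exist, and adding members while the category is ALL), leaves deny commands out of the command check as the fix does, and adds an audit for rules that reached the inconsistent state via the sudorule-mod path before the fix.

```python
"""Category-ALL consistency checks for FreeIPA-style sudo rules.

Added example, not FreeIPA's own code. A rule is modelled as a dict
keyed by the attribute names the ipa CLI prints/accepts (usercategory,
memberuser_user, ...). Which member attributes each category covers is
this example's assumption, taken from the sudorule schema.
"""

# category attribute -> (label used in messages, member attributes it covers)
CATEGORY_MEMBERS = {
    "usercategory": ("user", ("memberuser_user", "memberuser_group", "externaluser")),
    "hostcategory": ("host", ("memberhost_host", "memberhost_hostgroup", "externalhost", "hostmask")),
    # Deny commands are left out on purpose: the fix allows them next to cmdcat=all.
    "cmdcategory": ("command", ("memberallowcmd_sudocmd", "memberallowcmd_sudocmdgroup")),
    "ipasudorunasusercategory": ("runAs user", ("ipasudorunas_user", "ipasudorunas_group", "ipasudorunasextuser")),
    "ipasudorunasgroupcategory": ("runAs group", ("ipasudorunasgroup_group", "ipasudorunasextgroup")),
}
MEMBER_TO_CATEGORY = {m: c for c, (_, members) in CATEGORY_MEMBERS.items() for m in members}


class CategoryConflict(ValueError):
    """A category=all setting and explicit members would coexist."""


def _is_all(value):
    return isinstance(value, str) and value.lower() == "all"


def conflicting_members(rule, category):
    """Member attributes of *category* that are non-empty in *rule*."""
    return [m for m in CATEGORY_MEMBERS[category][1] if rule.get(m)]


def category_all_error(rule, category, value):
    """Check for sudorule-mod --<x>cat=VALUE; returns an error string or None."""
    if not _is_all(value):
        return None
    blocking = conflicting_members(rule, category)
    if not blocking:
        return None
    label = CATEGORY_MEMBERS[category][0]
    return "%s category cannot be set to 'all' while there are allowed %ss (%s)" % (
        label, label, ", ".join(blocking))


def add_member_error(rule, member_attr, values):
    """Check for sudorule-add-* (the ticket 1440 direction); error string or None."""
    category = MEMBER_TO_CATEGORY.get(member_attr)
    if category is None or not _is_all(rule.get(category)):
        return None
    return "%s category is 'all'; refusing to add %s to %s" % (
        CATEGORY_MEMBERS[category][0], ", ".join(values), member_attr)


def set_category(rule, category, value):
    """Return a copy of *rule* with the category changed, or raise CategoryConflict."""
    err = category_all_error(rule, category, value)
    if err:
        raise CategoryConflict(err)
    return dict(rule, **{category: value})


def add_member(rule, member_attr, values):
    """Return a copy of *rule* with members appended, or raise CategoryConflict."""
    err = add_member_error(rule, member_attr, values)
    if err:
        raise CategoryConflict(err)
    return dict(rule, **{member_attr: list(rule.get(member_attr, ())) + list(values)})


def audit_rules(rules):
    """Rules that already hold both category=all and explicit members.

    Rules modified before the fix (the sudorule-mod path in the report) can
    be in this state. ALL grants everything, so the member list restricts
    nothing and only misleads whoever reviews the rule.
    """
    findings = []
    for rule in rules:
        for category in CATEGORY_MEMBERS:
            if _is_all(rule.get(category)):
                blocking = conflicting_members(rule, category)
                if blocking:
                    findings.append((rule["cn"], category, blocking))
    return findings


if __name__ == "__main__":
    # Replay the report's second sequence against the fixed check.
    rule = add_member({"cn": "test2"}, "memberallowcmd_sudocmd", ["/usr/bin/less"])
    print(category_all_error(rule, "cmdcategory", "all"))
    # Constructed inventory: one pre-fix rule, one that is fine (deny command + ALL).
    inventory = [
        {"cn": "legacy", "cmdcategory": "all", "memberallowcmd_sudocmd": ["/usr/bin/less"]},
        {"cn": "ok", "cmdcategory": "all", "memberdenycmd_sudocmd": ["/usr/bin/rm"]},
    ]
    for finding in audit_rules(inventory):
        print("inconsistent rule:", finding)
```

The audit is the part worth keeping after upgrading to a fixed ipa: the server-side check only stops new inconsistencies, so rules that were already modified through the old sudorule-mod path have to be found and cleaned up by hand (clear the category or remove the members, whichever matches the intent of the rule).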
Comment 5 errata-xmlrpc 2015-03-05 10:12:45 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2015-0442.html

