Bug 1113919 - Let deny commands be added to sudo rule with cmdcategory=ALL
Summary: Let deny commands be added to sudo rule with cmdcategory=ALL
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: ipa
Version: 7.0
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: unspecified
Target Milestone: rc
Target Release: ---
Assignee: Martin Kosek
QA Contact: Namita Soman
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2014-06-27 08:32 UTC by Martin Kosek
Modified: 2015-03-05 10:12 UTC
CC List: 2 users

Fixed In Version: ipa-4.0.3-1.el7
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2015-03-05 10:12:47 UTC
Target Upstream Version:
Embargoed:


Links
System ID: Red Hat Product Errata RHSA-2015:0442
Private: no; Priority: normal; Status: SHIPPED_LIVE
Summary: Moderate: ipa security, bug fix, and enhancement update
Last Updated: 2015-03-05 14:50:39 UTC

Internal Links: 1472079 1472080

Description Martin Kosek 2014-06-27 08:32:35 UTC
This bug is created as a clone of upstream ticket:
https://fedorahosted.org/freeipa/ticket/4340

One may want to allow all commands except a certain subset, like su and a set of shells.

This is currently not allowed.

Comment 1 Martin Kosek 2014-06-27 08:33:48 UTC
Fixed upstream as part of sudorule enhancements.

master:
5a1207cb6ee6dd4314ae95e6637ee6859d5fda1a sudorule: PEP8 fixes in sudorule.py
a228d7a3cb32b14ff24b47adb14d896d317f6312 sudorule: Allow using hostmasks for setting allowed hosts
9304b649a32c57e80f53913d7fbdee92fd76a251 sudorule: Allow using external groups as groups of runAsUsers
3a56b155e80a744c7a924915aae954e0a3d81e9e sudorule: Make sure sudoRunAsGroup is dereferencing the correct attribute
c7da22c1e69cb4d6cc8c6f368aad5ffddbd3762c sudorule: Include externalhost and ipasudorunasextgroup in the list of default attributes
fix: af2eb4d69506b641504d076e79b80c7ee54eeda9 sudorule: Allow adding deny commands when command category set to ALL
9bb88a15e0297e3a3e8e713267bc399164e0cdd6 sudorule: Make sure all the relevant attributes are checked when setting category to ALL
a1d6c9ab6b710076902c1dd8ffcdec96b2538c21 sudorule: Fix the order of the parameters to have less chaotic output
b1275c5b1c2038c9769377e9cf0afe04139d1d8d sudorule: Enforce category ALL checks on dirsrv level
d537da8b8a52dde18f4d07455fef8a4ef1c4ef04 ipatests: test_sudo: Add tests for allowing hosts via hostmasks
c50d190549ff56c35d2dac270f319d764c972113 ipatests: test_sudo: Add coverage for external entries
ec2050b7dfa94ef5ce41172a98c9153c14d4c972 ipatests: test_sudo: Add coverage for category ALL validation
e0fd2695ca3c1c2df8bbecadd4597ccf0aeca004 ipatests: test_sudo: Fix assertions not assuming runasgroupcat set to ALL
701f1fc8ba8fa2cbde6c16b031793d0069fddd33 ipatests: test_sudo: Do not expect enumeration of runasuser groups
e7969f5af56be1b9163a8f9ee4686becb3fdcb59 ipatests: test_sudo: Expect root listed out if no RunAsUser available
af4518b72882f88a01de0e5c23d423898ba894b4 sudorule: Refactor add and remove external_post_callback

Comment 3 Scott Poore 2015-01-27 00:26:07 UTC
Verified.

Version ::

ipa-server-4.1.0-16.el7.x86_64

Results ::

# add deny command when cmdcat all

[root@rhel7-1 ~]# ipa sudorule-add test --cmdcat=all
----------------------
Added Sudo Rule "test"
----------------------
  Rule name: test
  Enabled: TRUE
  Command category: all

[root@rhel7-1 ~]# ipa sudorule-add-deny-command test --sudocmds=/usr/bin/less
  Rule name: test
  Enabled: TRUE
  Command category: all
  Sudo Deny Commands: /usr/bin/less
-------------------------
Number of members added 1
-------------------------

# add cmdcat all when deny command set

[root@rhel7-1 ~]# ipa sudorule-add test2 
-----------------------
Added Sudo Rule "test2"
-----------------------
  Rule name: test2
  Enabled: TRUE

[root@rhel7-1 ~]# ipa sudorule-add-deny-command test2 --sudocmds=/usr/bin/less
  Rule name: test2
  Enabled: TRUE
  Sudo Deny Commands: /usr/bin/less
-------------------------
Number of members added 1
-------------------------

[root@rhel7-1 ~]# ipa sudorule-mod test2 --cmdcat=all
--------------------------
Modified Sudo Rule "test2"
--------------------------
  Rule name: test2
  Enabled: TRUE
  Command category: all
  Sudo Deny Commands: /usr/bin/less
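
The motivation in the description (allow everything except su and a set of shells) and the CLI verification in Comment 3 both come down to how the rule is exported to the sudo client and how sudo then evaluates it. The following Python model is an added example, not FreeIPA or sudo code, and its class and function names are hypothetical. It mirrors the server-side check (Command category ALL rejects explicit allow commands but, after this fix, accepts deny commands), renders the sudoCommand values that the exported sudoRole entry carries (ALL plus one "!"-prefixed path per deny command), and evaluates requested commands against them. It also demonstrates the caveat the sudoers(5) manual gives for subtracting commands from ALL: matching is by pathname, so a copy of a denied binary under another path is still permitted.

```python
"""Model of an IPA sudo rule with Command category ALL plus deny commands.

Added illustration, not FreeIPA's own code. It mirrors what a sudo client
ends up seeing: the rule is exported (via the compat tree or SSSD) as a
sudoRole whose sudoCommand values are "ALL" plus one "!<path>" per deny
command. Class and function names here are hypothetical.
"""
from dataclasses import dataclass, field
from typing import List, Optional


class ValidationError(Exception):
    """Raised where the IPA server would reject the modification."""


@dataclass
class SudoRule:
    name: str
    cmdcategory: Optional[str] = None        # None or "all"
    allow_cmds: List[str] = field(default_factory=list)
    deny_cmds: List[str] = field(default_factory=list)


def set_cmdcategory_all(rule: SudoRule) -> SudoRule:
    """Category ALL stays incompatible with explicit allow commands; since
    the fix tracked in this bug, deny commands may coexist with it."""
    if rule.allow_cmds:
        raise ValidationError(
            f"{rule.name}: allow commands present, cannot set cmdcategory=all")
    rule.cmdcategory = "all"
    return rule


def add_allow_command(rule: SudoRule, cmd: str) -> SudoRule:
    if rule.cmdcategory == "all":
        raise ValidationError(
            f"{rule.name}: cmdcategory=all, allow commands cannot be added")
    rule.allow_cmds.append(cmd)
    return rule


def add_deny_command(rule: SudoRule, cmd: str) -> SudoRule:
    # Accepted regardless of cmdcategory: this is the behaviour the fix added.
    rule.deny_cmds.append(cmd)
    return rule


def to_sudo_commands(rule: SudoRule) -> List[str]:
    """Render the sudoCommand values of the exported sudoRole entry."""
    cmds = ["ALL"] if rule.cmdcategory == "all" else list(rule.allow_cmds)
    cmds.extend("!" + c for c in rule.deny_cmds)
    return cmds


def is_permitted(rule: SudoRule, requested: str) -> bool:
    """Decide whether sudo would run `requested` under this rule.

    Modelled conservatively: the path must match an allow entry ("ALL"
    matches any path) and must not match any "!"-negated entry. Matching
    is by pathname only, as sudo does when no command digest is configured.
    """
    entries = to_sudo_commands(rule)
    allowed = any(e == "ALL" or e == requested
                  for e in entries if not e.startswith("!"))
    denied = any(e[1:] == requested for e in entries if e.startswith("!"))
    return allowed and not denied


if __name__ == "__main__":
    # Constructed example: the rule from Comment 3 extended to the use case
    # in the description, everything except su and a set of shells.
    rule = set_cmdcategory_all(SudoRule("test"))
    for cmd in ("/usr/bin/su", "/bin/bash", "/bin/sh"):
        add_deny_command(rule, cmd)
    print(to_sudo_commands(rule))
    print(is_permitted(rule, "/usr/bin/su"))      # False
    print(is_permitted(rule, "/usr/bin/less"))    # True
    # sudoers(5) caveat: a copy of su under another path is not denied.
    print(is_permitted(rule, "/tmp/su"))          # True
```

The last check is the practical limit of this feature: because sudo matches the requested pathname, a user who may run ALL can copy /usr/bin/su to another location and run that copy. Where the goal is to keep specific privilege-escalating commands away from a user, a rule with the Command category unset and an explicit allow list is the robust choice; ALL plus deny commands is a convenience for users who are already trusted with nearly everything.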

Comment 5 errata-xmlrpc 2015-03-05 10:12:47 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2015-0442.html
