Bug 1394663 - [RFE] ipa/IdM shall support time-limited sudo command (groups)
Summary: [RFE] ipa/IdM shall support time-limited sudo command (groups)
Keywords:
Status: CLOSED WONTFIX
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: ipa
Version: ---
Hardware: i686
OS: Linux
Priority: unspecified
Severity: medium
Target Milestone: rc
Target Release: ---
Assignee: Thomas Woerner
QA Contact: ipa-qe
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2016-11-14 07:48 UTC by Thomas Birkl
Modified: 2023-09-15 00:00 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2021-10-19 12:25:35 UTC
Type: Bug
Target Upstream Version:
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Red Hat Issue Tracker FREEIPA-6888 0 None None None 2021-09-23 11:13:00 UTC
Red Hat Issue Tracker RHELPLAN-34438 0 None None None 2021-09-23 15:25:20 UTC
Red Hat Knowledge Base (Solution) 5857471 0 None None None 2021-03-08 15:25:11 UTC

Description Thomas Birkl 2016-11-14 07:48:17 UTC
Description of problem:
This is a Request For Enhancement (RFE) referring to Red Hat IdM (based on IPA).
The idea is to have time-limited sudo commands/command-groups supported in IdM.

Background:
We are responsible for Unix Servers at Airbus Defence and Space, which is a very security sensitive division within the Airbus Group, and we plan to roll out IdM on our environment early/mid 2017.
Users and service owners within our IT department and customer departments maintain applications on their own and are often required to get sudo permissions in order to configure, start/stop or patch their application(s).

Usually sudo permissions can be limited in time, e.g. during initial setup phase or a migration phase.
Due to that we need to have a feature supported in IdM to limit the duration of sudo permissions for users/user groups. The sudo command (/group) shall automatically be disabled at the given point in time. Best would be if this can be accompanied by a notification email (to backoffice and/or user).

Version-Release number of selected component (if applicable):
RHEL7.2


Comment 3 Martin Kosek 2016-11-15 12:04:11 UTC
Is this about supporting sudoNotBefore and sudoNotAfter attributes, as it was proposed in Bug 766351 (and upstream ticket https://fedorahosted.org/freeipa/ticket/1314)?

SSSD already supports them, FreeIPA/IdM just does not expose a CLI/UI for them.

Comment 5 Martin Kosek 2016-11-16 11:18:02 UTC
Based on the information from Support, this is indeed about sudoNotBefore and sudoNotAfter attributes as I suspected. These are indeed not supported in IdM CLI and Web UI at the moment, although they are already added to IdM schema and can be set on LDAP level.

I did an experiment on my RHEL-7.3 IdM system and set the rule via the --setattr option.

1) First I configured SSSD (/etc/sssd/sssd.conf) to evaluate time based rules:
...
[sudo]
sudo_timed = true
...
# service sssd restart

2) Next I added a testing SUDO rule to IdM:
# ipa sudorule-add testrule
# ipa sudorule-add-user testrule --user admin
# ipa sudorule-add-host testrule --hosts `hostname`
# ipa sudocmd-add `which less`
# ipa sudorule-add-command testrule --sudocmds /usr/bin/less

# ipa sudorule-mod testrule --setattr "sudonotafter=20170101000000Z" --all --raw
-----------------------------
Modified Sudo Rule "testrule"
-----------------------------
  dn: ipaUniqueID=efa29ac8-abe9-11e6-bfea-001a4a2312c2,cn=sudorules,cn=sudo,dc=rhel73
  cn: testrule
  ipaenabledflag: TRUE
  memberhost: fqdn=ipa.rhel73,cn=computers,cn=accounts,dc=rhel73
  memberuser: uid=admin,cn=users,cn=accounts,dc=rhel73
  ipaUniqueID: efa29ac8-abe9-11e6-bfea-001a4a2312c2
  memberallowcmd: ipaUniqueID=27a9a646-abea-11e6-a98a-001a4a2312c2,cn=sudocmds,cn=sudo,dc=rhel73
  objectClass: ipasudorule
  objectClass: ipaassociation
  sudoNotAfter: 20170101000000Z

3) Then I tested with admin user on local VM:
$ sudo -l
Matching Defaults entries for admin on this host:
    !visiblepw, always_set_home, env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR
    LS_COLORS", env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE
    LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER
    LC_TELEPHONE", env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY",
    secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin

User admin may run the following commands on this host:
    (root) /usr/bin/less

It works!

4) Then I changed the sudoNotAfter:
# ipa sudorule-mod testrule --setattr "sudonotafter=20100101000000Z" --all --raw
-----------------------------
Modified Sudo Rule "testrule"
-----------------------------
  dn: ipaUniqueID=efa29ac8-abe9-11e6-bfea-001a4a2312c2,cn=sudorules,cn=sudo,dc=rhel73
  cn: testrule
  ipaenabledflag: TRUE
  memberhost: fqdn=ipa.rhel73,cn=computers,cn=accounts,dc=rhel73
  memberuser: uid=admin,cn=users,cn=accounts,dc=rhel73
  ipaUniqueID: efa29ac8-abe9-11e6-bfea-001a4a2312c2
  memberallowcmd: ipaUniqueID=27a9a646-abea-11e6-a98a-001a4a2312c2,cn=sudocmds,cn=sudo,dc=rhel73
  objectClass: ipasudorule
  objectClass: ipaassociation
  sudoNotAfter: 20100101000000Z
# service sssd stop; rm /var/lib/sss/db/*; service sssd start

... and tested again:

$ sudo -l
[sudo] password for admin: 
Sorry, user admin may not run sudo on ipa.

... which did not allow admin to run sudo as expected.
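
The time check exercised above, as an added example that is not code from the bug report or from FreeIPA/SSSD: it parses the LDAP GeneralizedTime values used for sudoNotBefore/sudoNotAfter, decides whether a rule is active the way a time-aware sudo consumer (SSSD with sudo_timed = true) would, builds the --setattr value, and adds an audit helper for rules about to expire. Single-valued attributes are assumed.

```python
# Added example, not code from the bug report or from FreeIPA/SSSD: the check that a
# time-aware sudo consumer (SSSD with sudo_timed = true) applies to sudoNotBefore /
# sudoNotAfter, plus an audit helper. Single-valued attributes are assumed.
import re
from datetime import datetime, timedelta, timezone

# LDAP GeneralizedTime (RFC 4517): YYYYMMDDHHMMSS, optional fraction, 'Z' or +-HHMM.
_GT_RE = re.compile(r"^(\d{14})(?:[.,]\d+)?(Z|[+-]\d{4})$")

def parse_generalized_time(value: str) -> datetime:
    """'20170101000000Z' -> aware UTC datetime."""
    m = _GT_RE.match(value.strip())
    if not m:
        raise ValueError(f"not an LDAP GeneralizedTime: {value!r}")
    naive = datetime.strptime(m.group(1), "%Y%m%d%H%M%S")
    tz = m.group(2)
    if tz == "Z":
        return naive.replace(tzinfo=timezone.utc)
    sign = 1 if tz[0] == "+" else -1
    offset = sign * timedelta(hours=int(tz[1:3]), minutes=int(tz[3:5]))
    return (naive - offset).replace(tzinfo=timezone.utc)  # +HHMM is ahead of UTC

def format_generalized_time(dt: datetime) -> str:
    """Value for `ipa sudorule-mod RULE --setattr sudonotafter=<value>`."""
    return dt.astimezone(timezone.utc).strftime("%Y%m%d%H%M%SZ")

def _attrs(rule: dict) -> dict:
    return {k.lower(): v for k, v in rule.items()}  # LDAP names are case-insensitive

def rule_is_active(rule: dict, now: datetime) -> bool:
    """Enabled, and `now` within [sudoNotBefore, sudoNotAfter] where those are set."""
    a = _attrs(rule)
    if a.get("ipaenabledflag", "TRUE").upper() != "TRUE":
        return False
    if a.get("sudonotbefore") and now < parse_generalized_time(a["sudonotbefore"]):
        return False
    if a.get("sudonotafter") and now > parse_generalized_time(a["sudonotafter"]):
        return False
    return True

def rules_expiring_within(rules: dict, now: datetime, days: int) -> list:
    """Audit helper: active rules whose sudoNotAfter falls within `days`; the hook a
    notification e-mail (as the reporter asks for) would be driven from."""
    horizon = now + timedelta(days=days)
    return sorted(name for name, r in rules.items()
                  if _attrs(r).get("sudonotafter") and rule_is_active(r, now)
                  and parse_generalized_time(_attrs(r)["sudonotafter"]) <= horizon)

# Constructed sample mirroring the "testrule" from the comment above.
TESTRULE = {"cn": "testrule", "ipaenabledflag": "TRUE", "sudoNotAfter": "20170101000000Z"}
```

Note that, as the comment above shows, the rule is only enforced by a client that evaluates the attributes; with sudo_timed left at its default SSSD ignores them.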

Comment 6 Martin Kosek 2016-11-16 11:21:05 UTC
I would recommend verifying with the customer that this workaround works.

If yes, we can talk more about follow up changes on IdM/SSSD side. I would suggest:
- adding the CLI/UI for these 2 attributes
- enabling "sudo_timed" option in sssd.conf by IdM installer or changing the default in SSSD as otherwise it would be ignored by SSSD.

Comment 7 Martin Kosek 2016-11-16 11:21:47 UTC
For the record, Pavel Brezina shared following known issue with these options in SSSD:
https://fedorahosted.org/sssd/ticket/2316 (sudoNotBefore time is not always respected)

Comment 8 Petr Vobornik 2016-11-16 19:54:36 UTC
Upstream ticket:
https://fedorahosted.org/freeipa/ticket/1314

Comment 14 Amy Farley 2019-08-16 15:57:12 UTC
moving to RHEL 8

Comment 16 Pavel Březina 2020-02-11 14:35:25 UTC
Yes, that is something that should be fixed especially if IPA gets to support it.

Comment 17 Petr Čech 2020-07-14 11:15:17 UTC
Thank you for taking your time and submitting this request for Red Hat Enterprise Linux. The request was cloned to the upstream tracker a long time ago (see link to the upstream ticket above), but it was unfortunately not given priority either in the upstream project or in Red Hat Enterprise Linux.

Given that this request is not planned for a close release, it is highly unlikely it will be fixed in this major version of Red Hat Enterprise Linux. We are therefore closing the request as WONTFIX.

To request that Red Hat reconsiders the decision, please reopen the Bugzilla with the help of Red Hat Customer Service and provide additional business and/or technical details about its importance to you. Please note that you can still track this request or even offer help in the referred upstream Pagure ticket to expedite the solution.

Comment 29 Theodoros Apazoglou 2021-10-19 12:25:35 UTC
The related SSSD pagure https://github.com/SSSD/sssd/issues/3358 that is a prerequisite to be fixed first has its associated BZ https://bugzilla.redhat.com/show_bug.cgi?id=1088564 closed as won't fix, so this bugzilla doesn't seem to go anywhere. If SSSD upstream is fixed and we get a new BZ for the same IPA issue/request then we can work on it.

Closing as won't fix.

Comment 30 Red Hat Bugzilla 2023-09-15 00:00:31 UTC
The needinfo request[s] on this closed bug have been removed as they have been unresolved for 500 days

