Red Hat Bugzilla – Bug 599057
Incomplete comparison of a service name in IPA access provider
Last modified: 2015-01-04 18:42:42 EST
Description of problem:
In the IPA access provider the service name is only compared up to the length of the service name retrieved from LDAP, so if the value from LDAP is 'su' it will match 'su', 'su-l', 'sudo', ... This is not intended and should be fixed.
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. Create an allow rule for 'su' and take care that there is none for 'su-l' or any other rule that can match 'su-l', e.g. one with servicecategory=all
2. run 'su -l'
Actual results:
Access is granted
Expected results:
Access is denied, because there is no rule matching service 'su-l'
Fix is available upstream already.
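The defect in the description is a length-bounded comparison: if the allowed-service name from LDAP is only compared for as many bytes as it has, it behaves as a prefix match, so 'su' covers 'su-l' and 'sudo'. The following C program is an added illustration written for this page, not SSSD's source; the function names, the service list and the requested service names are constructed. It puts the prefix-only matcher next to an exact matcher and runs a 'su'-only rule against several PAM service names.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Buggy matcher (illustration of the defect, not SSSD's real code):
 * the bound is the length of the LDAP value, so the LDAP value acts
 * as a prefix of the requested service. An empty LDAP value would
 * match every service. */
static bool service_matches_prefix_only(const char *ldap_service,
                                        const char *requested_service)
{
    return strncmp(ldap_service, requested_service,
                   strlen(ldap_service)) == 0;
}

/* Corrected matcher: both lengths must agree before the bytes are
 * compared, which makes it an exact, full-string comparison. */
static bool service_matches_exact(const char *ldap_service,
                                  const char *requested_service)
{
    size_t ldap_len = strlen(ldap_service);
    if (ldap_len != strlen(requested_service)) {
        return false;
    }
    return strncmp(ldap_service, requested_service, ldap_len) == 0;
}

/* Walk a constructed list of allowed services (as an HBAC allow rule
 * might hold them) and report whether the requested service is allowed,
 * using either the prefix-only or the exact matcher. */
static bool service_allowed(const char *const *allowed, size_t n,
                            const char *requested, bool exact)
{
    for (size_t i = 0; i < n; i++) {
        bool hit = exact ? service_matches_exact(allowed[i], requested)
                         : service_matches_prefix_only(allowed[i], requested);
        if (hit) {
            return true;
        }
    }
    return false;
}

int main(void)
{
    /* Constructed sample: a rule that allows only 'su'. */
    const char *const allowed[] = { "su" };
    const char *requests[] = { "su", "su-l", "sudo", "s" };

    for (size_t i = 0; i < sizeof requests / sizeof requests[0]; i++) {
        printf("%-5s prefix-only: %-8s exact: %s\n", requests[i],
               service_allowed(allowed, 1, requests[i], false) ? "granted" : "denied",
               service_allowed(allowed, 1, requests[i], true) ? "granted" : "denied");
    }
    return 0;
}
```

With the prefix-only matcher 'su-l' and 'sudo' are granted by the 'su' rule; with the exact matcher only 'su' is, which is the behaviour the expected results above call for.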
This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux major release. Product Management has requested further
review of this request by Red Hat Engineering, for potential inclusion in a Red
Hat Enterprise Linux Major release. This request is not yet committed for
verified RHEL 6:
hbac su rule:
[root@dhcp-100-3-186 ~]# ipa hbac-show
Rule name: test1
Rule name: test1
Rule type: allow
User category: all
Source host category: all
(Tue Aug 10 16:29:57 2010) [sssd[be[bos.redhat.com]]] [check_service] (9): OriginalDN for service [su-l]: [cn=su-l,cn=hbacservices,cn=accounts,dc=bos,dc=redhat,dc=com].
(Tue Aug 10 16:29:57 2010) [sssd[be[bos.redhat.com]]] [check_service] (9): Service [su-l] was not found in the list of allowed services and service groups.
(Tue Aug 10 16:29:57 2010) [sssd[be[bos.redhat.com]]] [evaluate_ipa_hbac_rules] (9): Current rule does not apply.
(Tue Aug 10 16:29:57 2010) [sssd[be[bos.redhat.com]]] [hbac_get_user_info_done] (3): Access denied.
Red Hat Enterprise Linux 6.0 is now available and should resolve
the problem described in this bug report. This report is therefore being closed
with a resolution of CURRENTRELEASE. You may reopen this bug report if the
solution does not work for you.