Bug 711693 - [RFE] Normal users should not be given privileges to view all sudorules and their details.
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: ipa
Version: 7.0
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: unspecified
Target Milestone: rc
Target Release: ---
Assignee: Martin Kosek
QA Contact: IDM QE LIST
URL:
Whiteboard:
Depends On:
Blocks: 756082
Reported: 2011-06-08 08:10 UTC by Gowrishankar Rajaiyan
Modified: 2015-03-05 10:08 UTC

Fixed In Version: ipa-4.0.3-1.el7
Doc Type: Enhancement
Doc Text:
Clone Of:
Environment:
Last Closed: 2015-03-05 10:08:14 UTC
Target Upstream Version:
Embargoed:




Links
Red Hat Product Errata RHSA-2015:0442 (priority normal, status SHIPPED_LIVE): "Moderate: ipa security, bug fix, and enhancement update", last updated 2015-03-05 14:50:39 UTC

Description Gowrishankar Rajaiyan 2011-06-08 08:10:40 UTC
Description of problem:


Version-Release number of selected component (if applicable):
ipa-server-2.0.0-25.el6.x86_64
ipa-admintools-2.0.0-25.el6.x86_64

How reproducible:
Always

Steps to Reproduce:
1. Login as normal user
-sh-4.1$ klist 
Ticket cache: FILE:/tmp/krb5cc_1866400008_n5Cpx8
Default principal: shanks.PNQ.REDHAT.COM

Valid starting     Expires            Service principal
06/08/11 02:53:31  06/09/11 02:53:31  krbtgt/LAB.ENG.PNQ.REDHAT.COM.PNQ.REDHAT.COM
06/08/11 02:53:47  06/09/11 02:53:31  HTTP/bumblebee.lab.eng.pnq.redhat.com.PNQ.REDHAT.COM

2. ipa sudorule-find sudorule3 --all --raw
3.
  
Actual results:
-sh-4.1$ # ipa sudorule-find sudorule3 --all --raw
  dn: ipauniqueid=2feb0fb0-912f-11e0-a18c-525400deab7b,cn=sudorules,cn=sudo,dc=lab,dc=eng,dc=pnq,dc=redhat,dc=com
  cn: sudorule3
  ipaenabledflag: TRUE
  ipasudorunasextuser: test1
  ipasudorunasextuser: test3
  ipasudorunasextuser: test2
  ipasudorunasextuser: test4
  ipauniqueid: 2feb0fb0-912f-11e0-a18c-525400deab7b
  memberallowcmd: cn=basic cmd,cn=sudocmdgroups,cn=sudo,dc=lab,dc=eng,dc=pnq,dc=redhat,dc=com
  memberallowcmd: sudocmd=/bin/ls,cn=sudocmds,cn=sudo,dc=lab,dc=eng,dc=pnq,dc=redhat,dc=com
  memberallowcmd: sudocmd=/bin/df,cn=sudocmds,cn=sudo,dc=lab,dc=eng,dc=pnq,dc=redhat,dc=com
  memberallowcmd: sudocmd=/bin/ln,cn=sudocmds,cn=sudo,dc=lab,dc=eng,dc=pnq,dc=redhat,dc=com
  memberallowcmd: sudocmd=/bin/pwd,cn=sudocmds,cn=sudo,dc=lab,dc=eng,dc=pnq,dc=redhat,dc=com
  memberallowcmd: sudocmd=/bin/hostname,cn=sudocmds,cn=sudo,dc=lab,dc=eng,dc=pnq,dc=redhat,dc=com
  objectclass: ipaassociation
  objectclass: ipasudorule


Giving privileges for a normal user to view all the sudorules is not necessary from a user's point of view.

Expected results:
This privilege should be only given to admin users and host principals. 

Additional info:

Comment 2 Dmitri Pal 2011-06-08 21:00:28 UTC
https://fedorahosted.org/freeipa/ticket/1313

Comment 4 Martin Kosek 2014-06-05 07:02:38 UTC
Access to sudo objects can be now controlled via managed permissions. The default is to allow read access to all authenticated users, but it can be also restricted only to a group of users. See

https://fedorahosted.org/freeipa/ticket/3566

for details. To allow them only for all hosts, a hostgroup with all hosts would need to be created first.

Comment 6 Namita Soman 2015-01-23 13:48:07 UTC
Using ipa-server-4.1.0-15.el7.x86_64

User two can see sudorules which are set up for user one

# ipa user-add one
First name: one
Last name: one
----------------
Added user "one"
----------------
  User login: one
  First name: one
  Last name: one
  Full name: one one
  Display name: one one
  Initials: oo
  Home directory: /home/one
  GECOS: one one
  Login shell: /bin/sh
  Kerberos principal: one
  Email address: one
  UID: 1453400006
  GID: 1453400006
  Password: False
  Member of groups: ipausers
  Kerberos keys available: False


# ipa sudorule-add rule1
-----------------------
Added Sudo Rule "rule1"
-----------------------
  Rule name: rule1
  Enabled: TRUE


# ipa sudorule-add-user --users=one rule1
  Rule name: rule1
  Enabled: TRUE
  Users: one
-------------------------
Number of members added 1
-------------------------



# ipa sudocmd-add /bin/mkdir
-------------------------------
Added Sudo Command "/bin/mkdir"
-------------------------------
  Sudo Command: /bin/mkdir


# ipa sudorule-add-allow-command --sudocmds=/bin/mkdir rule1
  Rule name: rule1
  Enabled: TRUE
  Users: one
  Sudo Allow Commands: /bin/mkdir
-------------------------
Number of members added 1
-------------------------



# ipa user-add two
First name: two
Last name: two
----------------
Added user "two"
----------------
  User login: two
  First name: two
  Last name: two
  Full name: two two
  Display name: two two
  Initials: tt
  Home directory: /home/two
  GECOS: two two
  Login shell: /bin/sh
  Kerberos principal: two
  Email address: two
  UID: 1453400007
  GID: 1453400007
  Password: False
  Member of groups: ipausers
  Kerberos keys available: False

# kdestroy -A

# kinit two
Password for two: 
[root@qeblade6 ~]# klist
Ticket cache: KEYRING:persistent:0:krb_ccache_54IpXJy
Default principal: two

Valid starting       Expires              Service principal
01/23/2015 08:41:22  01/24/2015 08:41:19  krbtgt/TESTRELM.TEST


# ipa sudorule-find --all --raw
-------------------
1 Sudo Rule matched
-------------------
  dn: ipaUniqueID=ed237556-a303-11e4-9b27-00215e860834,cn=sudorules,cn=sudo,dc=testrelm,dc=test
  cn: rule1
  ipaenabledflag: TRUE
  memberuser: uid=one,cn=users,cn=accounts,dc=testrelm,dc=test
  ipaUniqueID: ed237556-a303-11e4-9b27-00215e860834
  memberallowcmd: ipaUniqueID=3c48404e-a304-11e4-9b27-00215e860834,cn=sudocmds,cn=sudo,dc=testrelm,dc=test
  objectClass: ipasudorule
  objectClass: ipaassociation
----------------------------
Number of entries returned 1
----------------------------


Same behaviour as reported in the bz, right? Or am I missing something here?

Comment 7 Martin Kosek 2015-01-26 11:32:05 UTC
It was decided that all authenticated users should be able to read the SUDO rules *by default*.

In FreeIPA 4.0+ you can, however, choose to change this configuration and only enable people with the assigned permission to read them. These are the new ACIs/permissions related to read access to SUDO:

# ipa permission-find "read sudo"
---------------------
4 permissions matched
---------------------
  Permission name: System: Read Sudo Command Groups
  Granted rights: read, compare, search
  Effective attributes: businesscategory, cn, createtimestamp, description, entryusn, ipauniqueid,
                        member, memberhost, memberuser, modifytimestamp, o, objectclass, ou, owner,
                        seealso
  Default attributes: cn, businesscategory, objectclass, description, memberuser, o, member,
                      ipauniqueid, owner, ou, memberhost, seealso
  Bind rule type: all
  Subtree: cn=sudocmdgroups,cn=sudo,dc=mkosek-f21,dc=test
  Type: sudocmdgroup

  Permission name: System: Read Sudo Commands
  Granted rights: read, compare, search
  Effective attributes: createtimestamp, description, entryusn, ipauniqueid, memberof, modifytimestamp,
                        objectclass, sudocmd
  Default attributes: objectclass, memberof, ipauniqueid, sudocmd, description
  Bind rule type: all
  Subtree: cn=sudocmds,cn=sudo,dc=mkosek-f21,dc=test
  Type: sudocmd

  Permission name: System: Read Sudo Rules
  Granted rights: read, compare, search
  Effective attributes: cmdcategory, cn, createtimestamp, description, entryusn, externalhost,
                        externaluser, hostcategory, hostmask, ipaenabledflag, ipasudoopt, ipasudorunas,
                        ipasudorunasextgroup, ipasudorunasextuser, ipasudorunasextusergroup,
                        ipasudorunasgroup, ipasudorunasgroupcategory, ipasudorunasusercategory,
                        ipauniqueid, member, memberallowcmd, memberdenycmd, memberhost, memberuser,
                        modifytimestamp, objectclass, sudonotafter, sudonotbefore, sudoorder,
                        usercategory
  Default attributes: sudonotafter, cn, hostmask, memberdenycmd, memberallowcmd, sudonotbefore,
                      ipasudorunas, cmdcategory, ipasudoopt, memberhost, externaluser, usercategory,
                      ipasudorunasextuser, member, ipasudorunasextusergroup, description,
                      ipasudorunasusercategory, hostcategory, ipauniqueid, ipaenabledflag,
                      ipasudorunasgroup, sudoorder, ipasudorunasgroupcategory, ipasudorunasextgroup,
                      memberuser, objectclass, externalhost
  Bind rule type: all
  Subtree: cn=sudorules,cn=sudo,dc=mkosek-f21,dc=test
  Type: sudorule

  Permission name: System: Read Sudoers compat tree
  Granted rights: read, compare, search
  Effective attributes: cn, createtimestamp, description, entryusn, modifytimestamp, objectclass, ou,
                        sudocommand, sudohost, sudonotafter, sudonotbefore, sudooption, sudoorder,
                        sudorunas, sudorunasgroup, sudorunasuser, sudouser
  Default attributes: sudonotafter, description, sudouser, cn, objectclass, sudooption, sudocommand,
                      sudonotbefore, sudorunas, sudorunasuser, sudohost, ou, sudoorder, sudorunasgroup
  Bind rule type: anonymous
  Subtree: dc=mkosek-f21,dc=test
  Target DN: ou=sudoers,dc=mkosek-f21,dc=test
----------------------------
Number of entries returned 4
----------------------------

Comment 8 Martin Kosek 2015-01-27 07:42:54 UTC
Given this is by design, moving back ON_QA.

Comment 9 Namita Soman 2015-01-28 15:10:11 UTC
Verified using ipa-server-4.1.0-16.el7.x86_64

Steps taken to change the default configuration, and enable only people with assigned permission to read sudo rules:
# ipa user-add one --first=one --last=one --password
# ipa user-add four --first=four --last=four --password
# ipa permission-mod "System: Read Sudo Rules" --bindtype=permission
# ipa privilege-add-permission --permissions="System: Read Sudo Rules" read_sudo_rules
# ipa role-add sudo_rule_reader
# ipa role-add-privilege --privilege=read_sudo_rules sudo_rule_reader
# ipa role-add-member --users=four sudo_rule_reader
# kinit four
# ipa sudorule-find
--------------------
2 Sudo Rules matched
--------------------
  Rule name: rule1
  Enabled: TRUE
  Host category: all
  Users: two
  Sudo Allow Commands: /bin/mkdir
  RunAs External Group: nkgrpone

  Rule name: rule_for_external_group
  Enabled: TRUE
  Users: two
  User Groups: externalgroup1
----------------------------
Number of entries returned 2
----------------------------

# kdestroy -A
# kinit one
# ipa sudorule-find
--------------------
0 Sudo Rules matched
--------------------
----------------------------
Number of entries returned 0
----------------------------

Comment 10 Martin Kosek 2015-01-28 15:50:29 UTC
Looks good. Just note that while this change is possible with the new permission system, I do not recommend users doing this change.

When
https://fedorahosted.org/sssd/ticket/1108
is fixed, SSSD will read IPA native SUDO rules and commands. If the host/ipa.client.example.test is not able to read them because they are restricted to only selected users, SUDO will not work on the clients.

The solution is then to either add the host/* principals to the new role or keep it on "authenticated" access.

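The restriction from comment 9 combined with the host-access caveat from comment 10, as an added example script that is not part of this bug or of FreeIPA itself. It assumes a 4.0+ server with the `ipa` CLI and an admin ticket; the privilege, role and hostgroup names are assumptions, and `DRY_RUN=1` only prints the commands.

```shell
#!/bin/sh
# Added example: bind "System: Read Sudo Rules" to an explicit role (comment 9)
# and grant that role to a hostgroup of enrolled hosts so SSSD on the clients
# can still fetch native sudo rules (comment 10). Names are assumptions.
PERM="System: Read Sudo Rules"
PRIV="${PRIV:-read_sudo_rules}"
ROLE="${ROLE:-sudo_rule_reader}"
HOSTGROUP="${HOSTGROUP:-sudo_rule_reader_hosts}"
DRY_RUN="${DRY_RUN:-0}"

# Print the command in dry-run mode, otherwise execute it.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Switch the permission from "all authenticated users" to privilege holders
# and wire permission -> privilege -> role.
restrict_sudo_rule_read() {
    run ipa permission-mod "$PERM" --bindtype=permission
    run ipa privilege-add "$PRIV" --desc="Read IPA sudo rules"
    run ipa privilege-add-permission --permissions="$PERM" "$PRIV"
    run ipa role-add "$ROLE" --desc="Principals allowed to read sudo rules"
    run ipa role-add-privilege --privilege="$PRIV" "$ROLE"
}

# Grant the role to a hostgroup built from the given comma-separated hosts
# (the client principals), then to each named user.
grant_sudo_rule_readers() {
    hosts=$1; shift
    run ipa hostgroup-add "$HOSTGROUP" --desc="Hosts allowed to read sudo rules"
    run ipa hostgroup-add-member "$HOSTGROUP" --hosts="$hosts"
    run ipa role-add-member "$ROLE" --hostgroups="$HOSTGROUP"
    for u in "$@"; do run ipa role-add-member "$ROLE" --users="$u"; done
}

# Revert to the default: every authenticated principal may read the rules.
restore_default_sudo_rule_read() {
    run ipa permission-mod "$PERM" --bindtype=all
}

# Check as the current ticket holder (kinit first): number of rules visible.
count_visible_sudo_rules() {
    ipa sudorule-find --all --raw 2>/dev/null | grep -c '^  cn: '
}
```

After `restrict_sudo_rule_read` and `grant_sudo_rule_readers`, `kinit` as a user outside the role and confirm `count_visible_sudo_rules` prints 0, then as an enrolled host or role member and confirm it prints the full count.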
Comment 12 errata-xmlrpc 2015-03-05 10:08:14 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2015-0442.html

