746056 – [ipa webui] Unable to add external user for RunAs User for Sudo rules

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 746056 - [ipa webui] Unable to add external user for RunAs User for Sudo rules

Summary: [ipa webui] Unable to add external user for RunAs User for Sudo rules

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 6
Classification:	Red Hat
Component:	ipa
Sub Component:
Version:	6.1
Hardware:	Unspecified
OS:	Unspecified
Priority:	high
Severity:	medium
Target Milestone:	rc
Target Release:	---
Assignee:	Rob Crittenden
QA Contact:	IDM QE LIST
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:	748554
TreeView+	depends on / blocked

Reported:	2011-10-13 18:41 UTC by Namita Soman
Modified:	2011-12-06 18:42 UTC (History)
CC List:	3 users (show)
Fixed In Version:	ipa-2.1.3-1.el6
Doc Type:	Bug Fix
Doc Text:	Cause: IPA Web UI does not allow adding an external user (i.e. user that is not managed by IPA) as sudo command RunAs user Consequence: external RunAs user can be added to the sudo command via CLI only Fix: As Whom section dialog box specifying used for adding RunAs users has been fixed and a text field for adding an external user has been added Result: sudo command RunAs user can now be added via both Web UI and CLI
Clone Of:
Environment:
Last Closed:	2011-12-06 18:42:57 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)
As Whom in sudo Rule (17.90 KB, image/png) 2011-10-26 16:33 UTC, Jenny Severance	no flags	Details
View All

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2011:1533	0	normal	SHIPPED_LIVE	Moderate: ipa security and bug fix update	2011-12-06 01:23:31 UTC

Description Namita Soman 2011-10-13 18:41:54 UTC

Description of problem:
There is no way to add root or any external user as a RunAs User for a Sudo Rule.

Use case- Add a Sudo Command - to see httpd error logs. Then add a rule to run this command. Want to assign only root to be able to run the command and check the logs. But unable to add root as external RunAs user for this rule

Version-Release number of selected component (if applicable):
ipa-server-2.1.2-2.el6.x86_64

How reproducible:
always

Steps to Reproduce:
1. Add a sudo command - cat /var/log/httpd/error_log
2. Add a sudo rule, allow the command added above
3. Add root in As whom section - for RunAs.
  
Actual results:
There is no way to add an external user

Expected results:
It should be possible to set up root or an external user to run this command

Additional info:

Comment 2 Rob Crittenden 2011-10-14 04:34:05 UTC

I don't understand why you are looking at the error_log. Is the command failing? If so can you attach the log?

Comment 3 Namita Soman 2011-10-14 12:23:01 UTC

No...that is just an example sudo command...could be any other command.

Comment 4 Namita Soman 2011-10-14 13:39:53 UTC

# ipa sudocmd-add "/bin/mkdir"
-------------------------------
Added Sudo Command "/bin/mkdir"
-------------------------------
  Sudo Command: /bin/mkdir


# ipa sudorule-add mkdir_root 
----------------------------
Added Sudo Rule "mkdir_root"
----------------------------
  Rule name: mkdir_root
  Enabled: TRUE



# ipa sudorule-add-allow-command mkdir_root
[member sudo command]: /bin/mkdir
[member sudo command group]: 
  Rule name: mkdir_root
  Enabled: TRUE
  Sudo Allow Commands: /bin/mkdir
-------------------------
Number of members added 1


Note: User 'one' is an IPA user
# ipa sudorule-add-runasuser mkdir_root --users=one
  Rule name: mkdir_root
  Enabled: TRUE
  Sudo Allow Commands: /bin/mkdir
  RunAs Users: one
-------------------------
Number of members added 1
-------------------------







Note: User 'root' is an external user
# ipa sudorule-add-runasuser mkdir_root --users=root
  Rule name: mkdir_root
  Enabled: TRUE
  Sudo Allow Commands: /bin/mkdir
  RunAs Users: one
  RunAs External User: root
-------------------------
Number of members added 1
-------------------------




I can do all the above commands in UI, except the last. And after adding root as a RunAs External user, I cannot view this in UI. I see User one listed, but not User root in UI

Comment 5 Rob Crittenden 2011-10-14 17:26:07 UTC

Upstream ticket:
https://fedorahosted.org/freeipa/ticket/1987

Comment 6 Rob Crittenden 2011-10-17 17:20:43 UTC

Fixed upstream

master: 1e5391422143c17a94008a0703099c5f877e46fd

ipa-2-1: f3a5d4883666c7e04e23cb454e28ccc83c54f04a

Comment 8 Jenny Severance 2011-10-26 16:33:48 UTC

Created attachment 530331 [details]
As Whom in sudo Rule

Comment 9 Jenny Severance 2011-10-26 16:34:55 UTC

Verified:
Can add external user in the As Whom section of a sudo rule now from the web UI.  See attached screen shot.

version:
ipa-server-2.1.3-3.el6.x86_64

Comment 10 Martin Kosek 2011-10-31 18:57:19 UTC

    Technical note added. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    New Contents:
Cause: IPA Web UI does not allow adding an external user (i.e. user that is not managed by IPA) as sudo command RunAs user
Consequence: external RunAs user can be added to the sudo command via CLI only
Fix: As Whom section dialog box specifying used for adding RunAs users has been fixed and a text field for adding an external user has been added
Result: sudo command RunAs user can now be added via both Web UI and CLI

Comment 11 errata-xmlrpc 2011-12-06 18:42:57 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHSA-2011-1533.html

Note You need to log in before you can comment on or make changes to this bug.