Description of problem:
There is no way to add root or any external user as a RunAs User for a Sudo Rule.

Use case - Add a Sudo Command - to see httpd error logs. Then add a rule to run this command. Want to assign only root to be able to run the command and check the logs. But unable to add root as external RunAs user for this rule.

Version-Release number of selected component (if applicable):
ipa-server-2.1.2-2.el6.x86_64

How reproducible:
always

Steps to Reproduce:
1. Add a sudo command - cat /var/log/httpd/error_log
2. Add a sudo rule, allow the command added above
3. Add root in As whom section - for RunAs.

Actual results:
There is no way to add an external user

Expected results:
It should be possible to set up root or an external user to run this command

Additional info:
I don't understand why you are looking at the error_log. Is the command failing? If so can you attach the log?
No...that is just an example sudo command...could be any other command.
# ipa sudocmd-add "/bin/mkdir"
-------------------------------
Added Sudo Command "/bin/mkdir"
-------------------------------
Sudo Command: /bin/mkdir

# ipa sudorule-add mkdir_root
----------------------------
Added Sudo Rule "mkdir_root"
----------------------------
Rule name: mkdir_root
Enabled: TRUE

# ipa sudorule-add-allow-command mkdir_root
[member sudo command]: /bin/mkdir
[member sudo command group]:
Rule name: mkdir_root
Enabled: TRUE
Sudo Allow Commands: /bin/mkdir
-------------------------
Number of members added 1

Note: User 'one' is an IPA user

# ipa sudorule-add-runasuser mkdir_root --users=one
Rule name: mkdir_root
Enabled: TRUE
Sudo Allow Commands: /bin/mkdir
RunAs Users: one
-------------------------
Number of members added 1
-------------------------

Note: User 'root' is an external user

# ipa sudorule-add-runasuser mkdir_root --users=root
Rule name: mkdir_root
Enabled: TRUE
Sudo Allow Commands: /bin/mkdir
RunAs Users: one
RunAs External User: root
-------------------------
Number of members added 1
-------------------------

I can do all the above commands in UI, except the last. And after adding root as a RunAs External user, I cannot view this in UI. I see User one listed, but not User root in UI.
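Because the affected Web UI does not list RunAs external users, a review of sudo rules has to work from CLI output. The following is an added example, not part of the original report or of the IPA project's code: it parses saved text in the shape of the CLI output shown in the comment above and reports rules that carry a "RunAs External User" entry. The sample input is constructed, and comma-separated multi-values and the rule names other than mkdir_root are assumptions.

```python
# Added example: audit saved IPA sudo rule output for RunAs external users.
# Field labels are taken from the CLI session in the report; SAMPLE is constructed.
SAMPLE = """\
Rule name: mkdir_root
Enabled: TRUE
Sudo Allow Commands: /bin/mkdir
RunAs Users: one
RunAs External User: root
-------------------------
Number of members added 1
-------------------------
Rule name: logs_view
Enabled: TRUE
Sudo Allow Commands: /bin/cat
RunAs Users: one

Rule name: old_rule
Enabled: FALSE
RunAs External User: root, backup
"""

def parse_rules(text):
    """Return one dict per rule; a 'Rule name' field starts a new record."""
    rules = []
    for raw in text.splitlines():
        key, sep, value = raw.strip().partition(": ")
        if not sep:
            continue  # dashed banners, counters and blank lines carry no field
        if key == "Rule name":
            rules.append({})
        if rules:  # ignore fields that appear before the first rule
            # Assumption: multi-valued fields are printed comma-separated.
            rules[-1][key] = [v.strip() for v in value.split(",")]
    return rules

def external_runas(rules, include_disabled=False):
    """List (rule name, external RunAs users, enabled) for rules that have any."""
    findings = []
    for rule in rules:
        enabled = rule.get("Enabled", ["TRUE"])[0].upper() == "TRUE"
        users = rule.get("RunAs External User", [])
        if users and (enabled or include_disabled):
            findings.append((rule["Rule name"][0], users, enabled))
    return findings

if __name__ == "__main__":
    for name, users, enabled in external_runas(parse_rules(SAMPLE), True):
        state = "enabled" if enabled else "disabled"
        print(f"{name} ({state}): external RunAs {', '.join(users)}")
```
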
Upstream ticket: https://fedorahosted.org/freeipa/ticket/1987
Fixed upstream
master: 1e5391422143c17a94008a0703099c5f877e46fd
ipa-2-1: f3a5d4883666c7e04e23cb454e28ccc83c54f04a
Created attachment 530331 [details] As Whom in sudo Rule
Verified: Can add external user in the As Whom section of a sudo rule now from the web UI. See attached screen shot. version: ipa-server-2.1.3-3.el6.x86_64
Technical note added. If any revisions are required, please edit the "Technical Notes" field accordingly. All revisions will be proofread by the Engineering Content Services team.

New Contents:
Cause: IPA Web UI does not allow adding an external user (i.e. user that is not managed by IPA) as sudo command RunAs user
Consequence: external RunAs user can be added to the sudo command via CLI only
Fix: As Whom section dialog box specifying used for adding RunAs users has been fixed and a text field for adding an external user has been added
Result: sudo command RunAs user can now be added via both Web UI and CLI
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHSA-2011-1533.html