Bug 769491 - Unable to add certain sudo commands to groups
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: ipa
Version: 6.2
Hardware: x86_64
OS: Linux
Priority: medium
Severity: medium
Target Milestone: rc
Assignee: Rob Crittenden
QA Contact: IDM QE LIST
Reported: 2011-12-21 01:49 UTC by Erinn Looney-Triggs
Modified: 2018-11-28 21:22 UTC

Fixed In Version: ipa-2.2.0-5.el6
Doc Type: Bug Fix
Doc Text:
No documentation needed.
Last Closed: 2012-06-20 13:28:32 UTC
Links
System | ID | Private | Priority | Status | Summary | Last Updated
Red Hat Product Errata | RHBA-2012:0819 | 0 | normal | SHIPPED_LIVE | ipa bug fix and enhancement update | 2012-06-19 20:34:17 UTC

Description Erinn Looney-Triggs 2011-12-21 01:49:46 UTC
Description of problem:
I am able to create the following sudo command via the web UI:
/bin/chown -R apache\:developers /var/www/*/shared/log

However, when attempting to add it to a command group it fails. My guess would be the colon is the cause (no dirty jokes intended :). This is a legal sudo command; the colon just has to be escaped when specifying the command to the sudoers file.

Web UI error:

Some operations failed.
Hide details

    /bin/chown -R apache:developers /var/www/*/shared/log: no such entry

Version-Release number of selected component (if applicable):
ipa-server-2.1.3-9.el6.x86_64

How reproducible:
Create a command with a colon
Attempt to add it to a group

Comment 2 Dmitri Pal 2012-01-05 21:01:15 UTC
Upstream ticket:
https://fedorahosted.org/freeipa/ticket/2227

Comment 3 Rob Crittenden 2012-03-21 17:17:01 UTC
Fixed upstream.

master: dddebe23507749486fb09d219f0da4f483ba4e79

ipa-2-2: 3738a611a678e6c23be38dacbad8955299cbe5bb

to test:

$ ipa sudocmd-add '/bin/chown -R apache\:developers /var/www/*/shared/log'
$ ipa sudocmdgroup-add test --desc=test
$ ipa sudocmdgroup-add-member --sudocmds='/bin/chown -R apache\:developers /var/www/*/shared/log' test

The command should be added to the group and the escape character should remain unchanged.
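
Added example (not part of the comment above or of the IPA test suite): the three test steps wrapped in a regression check that reads the group back and confirms the `\:` escape is still present. `IPA_CLI`, `RUN_LIVE`, `member_has_cmd` and `run_check` are names made up for this example; the `sudocmdgroup-show` call and the `Member Sudo commands:` label are taken from the verification log further down this page.

```shell
#!/bin/sh
# Added regression check; not from the bug report or the IPA test suite.
# IPA_CLI and RUN_LIVE are assumptions of this example; the default client is `ipa`.
IPA_CLI=${IPA_CLI:-ipa}
CMD='/bin/chown -R apache\:developers /var/www/*/shared/log'

# member_has_cmd OUTPUT CMD
# Succeeds only if a "Member Sudo commands:" line of OUTPUT contains CMD.
# -F compares fixed strings: as a regex, `\:` can match a bare `:` and `*`
# is a repetition operator, so a regex check could pass with the escape lost.
# -i is used because the verification log on this page shows -R reported as -r.
member_has_cmd() {
    printf '%s\n' "$1" |
        grep -i 'Member Sudo commands:' |
        grep -iqF -- "$2"
}

# run_check GROUP
# Runs the three steps from the comment, then reads the group back.
# Returns 0 if the escaped command is a member, 1 if not, 2 if a step failed.
run_check() {
    group=$1
    "$IPA_CLI" sudocmd-add "$CMD" >/dev/null || return 2
    "$IPA_CLI" sudocmdgroup-add "$group" --desc="$group" >/dev/null || return 2
    "$IPA_CLI" sudocmdgroup-add-member --sudocmds="$CMD" "$group" >/dev/null || return 2
    out=$("$IPA_CLI" sudocmdgroup-show "$group") || return 2
    member_has_cmd "$out" "$CMD"
}

# Only touch a live server when explicitly asked: RUN_LIVE=1 sh check.sh
if [ "${RUN_LIVE:-}" = 1 ]; then
    run_check test
fi
```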

Comment 7 Martin Kosek 2012-04-19 19:35:39 UTC
    Technical note added. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    New Contents:
No documentation needed.

Comment 8 Jenny Severance 2012-05-07 18:32:25 UTC
verified ::

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: bug769491: Unable to add certain sudo commands to groups.
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: [   LOG    ] :: https://bugzilla.redhat.com/show_bug.cgi?id=769491
:: [   LOG    ] :: kinit as admin with password Secret123 was successful.
:: [   PASS   ] :: Kinit as admin user
:: [   PASS   ] :: Running 'ipa sudocmd-add "/bin/chown -R apache:developers /var/www/*/shared/log" > /tmp/tmp.81fRG7P9bN/bug769491.txt 2>&1'
:: [   PASS   ] :: File '/tmp/tmp.81fRG7P9bN/bug769491.txt' should contain 'Added Sudo Command'
:: [   PASS   ] :: Running 'cat /tmp/tmp.81fRG7P9bN/bug769491.txt'
:: [   PASS   ] :: Running 'ipa sudocmdgroup-add sudogrp1 --desc=sudogrp1'
:: [   PASS   ] :: Running 'ipa sudocmdgroup-add-member sudogrp1 --sudocmds="/bin/chown -R apache:developers /var/www/*/shared/log" > /tmp/tmp.81fRG7P9bN/bug769491.txt 2>&1'
:: [   PASS   ] :: File '/tmp/tmp.81fRG7P9bN/bug769491.txt' should contain 'Member Sudo commands: /bin/chown -r apache:developers /var/www/\*/shared/log'
:: [   PASS   ] :: File '/tmp/tmp.81fRG7P9bN/bug769491.txt' should contain 'Number of members added 1'
:: [   PASS   ] :: Running 'cat /tmp/tmp.81fRG7P9bN/bug769491.txt'
:: [   PASS   ] :: Running 'ipa sudocmdgroup-show sudogrp1 > /tmp/tmp.81fRG7P9bN/bug769491.txt 2>&1'
:: [   PASS   ] :: File '/tmp/tmp.81fRG7P9bN/bug769491.txt' should contain 'Sudo Command Group: sudogrp1'
:: [   PASS   ] :: File '/tmp/tmp.81fRG7P9bN/bug769491.txt' should contain 'Member Sudo commands: /bin/chown -r apache:developers /var/www/\*/shared/log'
:: [   PASS   ] :: Running 'cat /tmp/tmp.81fRG7P9bN/bug769491.txt'
:: [   PASS   ] :: Running 'ipa sudocmdgroup-remove-member sudogrp1 --sudocmds="/bin/chown -R apache:developers /var/www/*/shared/log" > /tmp/tmp.81fRG7P9bN/bug769491.txt 2>&1'
:: [   PASS   ] :: File '/tmp/tmp.81fRG7P9bN/bug769491.txt' should contain 'Sudo Command Group: sudogrp1'
:: [   PASS   ] :: File '/tmp/tmp.81fRG7P9bN/bug769491.txt' should not contain 'Member Sudo commands: /bin/chown -r apache:developers /var/www/\*/shared/log'
:: [   PASS   ] :: File '/tmp/tmp.81fRG7P9bN/bug769491.txt' should contain 'Number of members removed 1'
:: [   PASS   ] :: Running 'cat /tmp/tmp.81fRG7P9bN/bug769491.txt'
:: [   PASS   ] :: Running 'ipa sudocmd-del "/bin/chown -R apache:developers /var/www/*/shared/log"'
:: [   PASS   ] :: Running 'ipa sudocmdgroup-del sudogrp1'
:: [   LOG    ] :: Duration: 40s
:: [   LOG    ] :: Assertions: 20 good, 0 bad
:: [   PASS   ] :: RESULT: bug769491: Unable to add certain sudo commands to groups.


version ::
ipa-server.i686 0:2.2.0-12.el6

Comment 10 errata-xmlrpc 2012-06-20 13:28:32 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2012-0819.html
