Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.
RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 783286

Summary: Setting HBAC/SUDO category to Anyone doesn't remove users/groups
Product: Red Hat Enterprise Linux 6 Reporter: Dmitri Pal <dpal>
Component: ipaAssignee: Rob Crittenden <rcritten>
Status: CLOSED ERRATA QA Contact: IDM QE LIST <seceng-idm-qe-list>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 6.3CC: edewata, grajaiya, jgalipea, mkosek
Target Milestone: rc   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: ipa-2.2.0-1.el6 Doc Type: Bug Fix
Doc Text:
No documentation needed.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2012-06-20 13:30:52 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Dmitri Pal 2012-01-19 20:48:02 UTC 
This bug is created as a clone of upstream ticket:
https://fedorahosted.org/freeipa/ticket/1440

When the Who category in HBAC/SUDO rules is set to Anyone, the list of users and groups should become empty. Currently that's not the case.

Steps to reproduce:
 1. Go to Policy -> HBAC -> HBAC Rules.
 2. Open an existing HBAC rule.
 3. Make sure there are users/groups under the Who category.
 4. Set the category to Anyone.
 5. Click Update, the category will revert back to 'Specified Users and Groups' and the users/groups are not deleted.

Similar problem happens in Sudo rules, in step #5 the category is changed to Anyone but the users/groups are not deleted.
Comment 1 Jenny Severance 2012-01-19 21:37:07 UTC 
appears to be duplicate bugzilla of ...

https://bugzilla.redhat.com/show_bug.cgi?id=741277
Comment 2 Rob Crittenden 2012-01-19 21:50:09 UTC 
The upstream patch fixes it in sudo:

master: 2c1f21a14bf9d47ab484d13f5947a059ccc1d041
ipa-2-2: 4c4888190b78b0a4e58471235550d1709ef7e329

It appears that the commits related to ticket 1873 (for bug 741277) are unrelated, so perhaps that explains the duplication.
Comment 4 Gowrishankar Rajaiyan 2012-04-09 10:09:08 UTC 
HBAC tests:

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: ipa bug 783286 - Setting HBAC/SUDO category to Anyone doesn't remove users/groups
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: [   PASS   ] :: Running 'echo Secret123 | ipa user-add user1 --first=user1 --last=r --password'
:: [   PASS   ] :: Running 'ipa group-add group1 --desc=group1'
:: [   PASS   ] :: Running 'ipa hbacrule-add bug783286 --usercat=all > /tmp/tmp.KOndBQrJue/bug783286.txt 2>&1'
:: [   PASS   ] :: File '/tmp/tmp.KOndBQrJue/bug783286.txt' should contain 'User category: all'
:: [   PASS   ] :: Running 'cat /tmp/tmp.KOndBQrJue/bug783286.txt'
:: [   PASS   ] :: Running 'ipa hbacrule-add-host bug783286 --hosts=primenova.lab.eng.pnq.redhat.com'
:: [   PASS   ] :: Running 'ipa hbacrule-add-user bug783286 --users=user1 > /tmp/tmp.KOndBQrJue/bug783286.txt 2>&1'
:: [   PASS   ] :: File '/tmp/tmp.KOndBQrJue/bug783286.txt' should contain 'ipa: ERROR: users cannot be added when user category='all''
:: [   PASS   ] :: Running 'cat /tmp/tmp.KOndBQrJue/bug783286.txt'
:: [   PASS   ] :: Running 'ipa hbacrule-add-user bug783286 --groups=group1 > /tmp/tmp.KOndBQrJue/bug783286.txt 2>&1'
:: [   PASS   ] :: File '/tmp/tmp.KOndBQrJue/bug783286.txt' should contain 'ipa: ERROR: users cannot be added when user category='all''
:: [   PASS   ] :: Running 'cat /tmp/tmp.KOndBQrJue/bug783286.txt'
:: [   PASS   ] :: Running 'ipa hbacrule-del bug783286'
:: [   PASS   ] :: Running 'ipa hbacrule-add bug783286'
:: [   PASS   ] :: Running 'ipa hbacrule-add-user bug783286 --users=user1'
:: [   PASS   ] :: Running 'ipa hbacrule-mod bug783286 --usercat=all > /tmp/tmp.KOndBQrJue/bug783286.txt 2>&1'
:: [   PASS   ] :: File '/tmp/tmp.KOndBQrJue/bug783286.txt' should contain 'ipa: ERROR: user category cannot be set to 'all' while there are allowed users'
:: [   PASS   ] :: Running 'cat /tmp/tmp.KOndBQrJue/bug783286.txt'
:: [   PASS   ] :: Running 'ipa hbacrule-del bug783286'
:: [   PASS   ] :: Running 'ipa hbacrule-add bug783286'
:: [   PASS   ] :: Running 'ipa hbacrule-add-user bug783286 --groups=group1'
:: [   PASS   ] :: Running 'ipa hbacrule-mod bug783286 --usercat=all > /tmp/tmp.KOndBQrJue/bug783286.txt 2>&1'
:: [   PASS   ] :: File '/tmp/tmp.KOndBQrJue/bug783286.txt' should contain 'ipa: ERROR: user category cannot be set to 'all' while there are allowed users'
:: [   PASS   ] :: Running 'cat /tmp/tmp.KOndBQrJue/bug783286.txt'
:: [   PASS   ] :: Running 'ipa group-del group1'
:: [   PASS   ] :: Running 'ipa hbacrule-del bug783286'
:: [   PASS   ] :: Running 'ipa user-del user1'
:: [   LOG    ] :: Duration: 1m 24s
:: [   LOG    ] :: Assertions: 27 good, 0 bad
:: [   PASS   ] :: RESULT: ipa bug 783286 - Setting HBAC/SUDO category to Anyone doesn't remove users/groups
report saved as: /tmp/rhts.report.17417.txt
================ final pass/fail report =================


Sudo tests:
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: ipa bug 783286 - Setting HBAC/SUDO category to Anyone doesn't remove users/groups
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: [   LOG    ] :: verifies https://bugzilla.redhat.com/show_bug.cgi?id=783286
:: [   PASS   ] :: Running 'echo Secret123 | ipa user-add shanks --first=shanks --last=r --password'
:: [   PASS   ] :: Running 'ipa group-add group1 --desc=group1'
:: [   PASS   ] :: Running 'ipa sudocmd-add /bin/ls'
:: [   PASS   ] :: Running 'ipa sudorule-add bug783286 --usercat=all > /tmp/tmp.ZUxTcGGJ0m/bug783286.txt 2>&1'
:: [   PASS   ] :: File '/tmp/tmp.ZUxTcGGJ0m/bug783286.txt' should contain 'User category: all'
:: [   PASS   ] :: Running 'cat /tmp/tmp.ZUxTcGGJ0m/bug783286.txt'
:: [   PASS   ] :: Running 'ipa sudorule-add-host bug783286 --hosts=primenova.lab.eng.pnq.redhat.com'
:: [   PASS   ] :: Running 'ipa sudorule-add-user bug783286 --users=shanks > /tmp/tmp.ZUxTcGGJ0m/bug783286.txt 2>&1'
:: [   PASS   ] :: File '/tmp/tmp.ZUxTcGGJ0m/bug783286.txt' should contain 'ipa: ERROR: users cannot be added when user category='all''
:: [   PASS   ] :: Running 'cat /tmp/tmp.ZUxTcGGJ0m/bug783286.txt'
:: [   PASS   ] :: Running 'ipa sudorule-add-user bug783286 --groups=group1 > /tmp/tmp.ZUxTcGGJ0m/bug783286.txt 2>&1'
:: [   PASS   ] :: File '/tmp/tmp.ZUxTcGGJ0m/bug783286.txt' should contain 'ipa: ERROR: users cannot be added when user category='all''
:: [   PASS   ] :: Running 'cat /tmp/tmp.ZUxTcGGJ0m/bug783286.txt'
:: [   PASS   ] :: Running 'ipa sudorule-del bug783286'
:: [   PASS   ] :: Running 'ipa sudorule-add bug783286'
:: [   PASS   ] :: Running 'ipa sudorule-add-user bug783286 --users=shanks'
:: [   PASS   ] :: Running 'ipa sudorule-mod bug783286 --usercat=all > /tmp/tmp.ZUxTcGGJ0m/bug783286.txt 2>&1'
:: [   PASS   ] :: File '/tmp/tmp.ZUxTcGGJ0m/bug783286.txt' should contain 'ipa: ERROR: user category cannot be set to 'all' while there are users'
:: [   PASS   ] :: Running 'ipa sudorule-del bug783286'
:: [   PASS   ] :: Running 'ipa sudorule-add bug783286'
:: [   PASS   ] :: Running 'ipa sudorule-add-user bug783286 --groups=group1'
:: [   PASS   ] :: Running 'ipa sudorule-mod bug783286 --usercat=all > /tmp/tmp.ZUxTcGGJ0m/bug783286.txt 2>&1'
:: [   PASS   ] :: File '/tmp/tmp.ZUxTcGGJ0m/bug783286.txt' should contain 'ipa: ERROR: user category cannot be set to 'all' while there are users'
:: [   PASS   ] :: Running 'ipa group-del group1'
:: [   PASS   ] :: Running 'ipa user-del shanks'
:: [   PASS   ] :: Running 'ipa sudocmd-del /bin/ls'
:: [   PASS   ] :: Running 'ipa sudorule-del bug783286'
:: [   LOG    ] :: Duration: 1m 43s
:: [   LOG    ] :: Assertions: 27 good, 0 bad
:: [   PASS   ] :: RESULT: ipa bug 783286 - Setting HBAC/SUDO category to Anyone doesn't remove users/groups
report saved as: /tmp/rhts.report.3804.txt
================ final pass/fail report =================


Verified: ipa-server-2.2.0-8.el6.x86_64
Comment 6 Martin Kosek 2012-04-20 11:54:55 UTC 
    Technical note added. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    New Contents:
No documentation needed.
Comment 8 errata-xmlrpc 2012-06-20 13:30:52 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2012-0819.html