871208 – ipa sudorule-add-user should accept external users

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 871208 - ipa sudorule-add-user should accept external users

Summary: ipa sudorule-add-user should accept external users

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 8
Classification:	Red Hat
Component:	ipa
Sub Component:
Version:	8.0
Hardware:	Unspecified
OS:	Unspecified
Priority:	medium
Severity:	unspecified
Target Milestone:	rc
Target Release:	---
Assignee:	IPA Maintainers
QA Contact:	IDM QE LIST
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2012-10-29 22:33 UTC by Scott Poore
Modified:	2021-10-25 18:33 UTC (History)
CC List:	19 users (show)
Fixed In Version:	ipa-4.9.1-1
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2021-05-18 15:47:45 UTC
Type:	Bug
Target Upstream Version:
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Links
System	ID	Priority	Status	Summary	Last Updated
Fedora Pagure	freeipa issue 3226	None	None	None	2021-01-19 10:47:13 UTC
Red Hat Issue Tracker	FREEIPA-7169	None	None	None	2021-10-25 18:33:54 UTC
Red Hat Issue Tracker	RHELPLAN-18303	None	None	None	2021-10-25 18:33:53 UTC

Description Scott Poore 2012-10-29 22:33:01 UTC

Description of problem:

ipa sudorule-add-user restricts users names to a limited variety of characters.  At the very least @ and \ should be included to cover username conventions used for AD trusted users.  When I try now, I see this:

[root@rhel6-1 failure1]#  ipa sudorule-add-user testrule --users=adtestuser1
ipa: ERROR: invalid 'user': may only include letters, numbers, _, -, . and $

In addition Simo mentioned in an email:

We should allow any character in this case.
These are external user/group names, we do not have any control on them.

If I want to add the user ätest@foo^^bar in /etc/passwd then I should be
allowed to use it in a sudo rule

Version-Release number of selected component (if applicable):
ipa-server-3.0.0-106.20121026T1837zgitf14dd98.el6.x86_64

How reproducible:
Always

Steps to Reproduce:
1.  Setup IPA Master
2.  ipa sudorule-add testrule
3.  ipa sudorule-add-user --users=test
  
Actual results:
error listed above

Expected results:
success

Additional info:

Comment 2 Dmitri Pal 2012-10-29 23:27:36 UTC

Upstream ticket:
https://fedorahosted.org/freeipa/ticket/3226

Comment 3 Scott Poore 2012-10-30 14:53:10 UTC

After Sumit brought up a good point, I'm modifying this request.

Instead of modifying --users option functionality, I'd like to request a new --external (or similar) option.  This will allow a distinction between adding IPA users and External ones coming from other sources like AD.

I'd think we'd keep the option similar to the group-add one used when adding AD groups/users to a group in IPA.

Comment 7 Petr Vobornik 2017-02-23 15:12:45 UTC

The bugzilla doesn't have high enough priority in comparison to other bugs/RFEs for 7.4. Moving to next release. Without sufficient justification it can be moved again later.

Comment 20 Rob Crittenden 2021-01-26 18:07:14 UTC

Fixed upstream
master:
https://pagure.io/freeipa/c/afcb06006c46073838ca196ac6d235854c91b854
https://pagure.io/freeipa/c/172e4b977048af7cdb244b52aec08a024749962e
https://pagure.io/freeipa/c/5fae809d921c58b6450d4d10f46b9013e1e31da1
https://pagure.io/freeipa/c/0ffdfc70f26e6f863c69c2ff03219e96dd5fd618
https://pagure.io/freeipa/c/a37db297f036390c6b75eca77fa88422df4f51a0
https://pagure.io/freeipa/c/349322e3fb6da88a964d53e6f157743b29e40d30
https://pagure.io/freeipa/c/09e06e05641be5e71d5a1a6a273cb0c3c0c4531b
https://pagure.io/freeipa/c/642b81e99f6f267c2c24a47816a2f9ae7464a858
https://pagure.io/freeipa/c/c91a1a078aea9996d30854ede1ce266f74a6176f
https://pagure.io/freeipa/c/08d720982876926ba555b94fdde6c84469b20868

Comment 21 Rob Crittenden 2021-01-26 21:32:34 UTC

Fixed upstream
ipa-4-9:
https://pagure.io/freeipa/c/16b30cbe5e4f1fd8965ed27ba2ca9b4b7b295e9c
https://pagure.io/freeipa/c/132d7fb0ed21e2e7cc69366e2141ae69e7864afb
https://pagure.io/freeipa/c/ffc2edf61efccbcbd4294fbc8a8613decea299a3
https://pagure.io/freeipa/c/a3563d1c35fbe9e6e96199ead211ec3b4ff1d2d2
https://pagure.io/freeipa/c/054a068f4705cd715789ceda75fa709404d5f884
https://pagure.io/freeipa/c/78043bfb5e2a3b1fc0fae6d55ba605ba469ce5ae
https://pagure.io/freeipa/c/f4d3c91e7f80659268e006dffa5f064b29b45c98
https://pagure.io/freeipa/c/a7c56fde7727bfad3f885cf50e21182cdc46024e
https://pagure.io/freeipa/c/64b70be65698b12927795a7a8b79ef7aada010b8
https://pagure.io/freeipa/c/51ca38772f41d3a26a4253a732338d09a69f9647

Comment 22 Alexander Bokovoy 2021-01-27 09:44:22 UTC

Upstream design document: https://freeipa.readthedocs.io/en/latest/designs/adtrust/sudorules-with-ad-objects.html

Comment 28 Michal Polovka 2021-02-02 11:25:10 UTC

Verified using ipa-server-4.9.1-1.module+el8.4.0+9665+c9815399.x86_64 and ipa-server-trust-ad-4.9.1-1.module+el8.4.0+9665+c9815399.x86_64 in RHEL8.4 nightly build.

Passed 	test_integration/test_trust.py::TestTrust::()::test_sudorules_ad_users
Passed 	test_integration/test_trust.py::TestTrust::()::test_sudorules_ad_groups	
Passed 	test_integration/test_trust.py::TestTrust::()::test_sudorules_ad_runasuser
Passed 	test_integration/test_trust.py::TestTrust::()::test_sudorules_ad_runasuser_group
Passed 	test_integration/test_trust.py::TestTrust::()::test_sudorules_ad_runasgroup

Full test log is available as an attachment of this BZ.

Comment 31 errata-xmlrpc 2021-05-18 15:47:45 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: idm:DL1 and idm:client security, bug fix, and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2021:1846

Note You need to log in before you can comment on or make changes to this bug.