Red Hat Bugzilla – Bug 883408
Make it clear that ldap_sudo_include_regexp can only handle wildcards
Last modified: 2013-02-21 04:41:57 EST
Description of problem:
The "ldap_sudo_include_regexp" option is named incorrectly, because sudo doesn't actually support regular expressions (as in, e.g. perl-compatible regular expressions) for configuration, but instead shell-like wildcards. In particular, sudoers(5) states about wildcards: "Note that these are not regular expressions."

This results in confusion. The option would better be named "ldap_sudo_include_wildcards" or "ldap_sudo_include_glob" and documentation should be updated accordingly. Namely:
1. sssd-sudo(5) - change "regular expression" to "wildcards" or "glob characters".
2. sssd-ldap(5) - the description of the option in question.

Version-Release number of selected component (if applicable):
sssd-1.9.2-30.el6.x86_64
libsss_sudo-1.9.2-30.el6.x86_64
sudo-1.8.6p3-6.el6.x86_64
sssd-client-1.9.2-30.el6.x86_64
libsss_idmap-1.9.2-30.el6.x86_64
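The difference the description points at, as an added example (not part of the bug report or of SSSD's code): the same pattern string matched once as a shell-style wildcard and once as a regular expression against a host list. Python's fnmatch.fnmatchcase stands in for sudo's wildcard matching, and the host names and patterns are constructed for illustration.

```python
import fnmatch
import re

# Constructed host inventory (not from the bug report).
HOSTS = [
    "web1.example.com",
    "web12.example.com",
    "web1+.example.com",
    "db.example.com",
    "db1.example.com",
]


def glob_matches(pattern, hosts):
    """Hosts matched when the pattern is read as a shell-style wildcard."""
    return [h for h in hosts if fnmatch.fnmatchcase(h, pattern)]


def regex_matches(pattern, hosts):
    """Hosts matched when the same string is read as a regular expression."""
    try:
        compiled = re.compile(pattern)
    except re.error:
        return []  # not a valid regex; only the wildcard reading exists
    return [h for h in hosts if compiled.fullmatch(h)]


def divergence(pattern, hosts):
    """Report hosts on which the two readings of one pattern disagree."""
    as_glob = set(glob_matches(pattern, hosts))
    as_regex = set(regex_matches(pattern, hosts))
    return {
        "glob_only": sorted(as_glob - as_regex),
        "regex_only": sorted(as_regex - as_glob),
    }


if __name__ == "__main__":
    # Constructed patterns an administrator might write expecting regex rules.
    for pattern in ("web[0-9]+.example.com", "db?.example.com", "web*"):
        print(pattern, divergence(pattern, HOSTS))
```

Every host listed under "regex_only" is one a rule author thinking in regular expressions expects the rule to cover but wildcard matching skips; "glob_only" lists hosts the rule covers without the author intending it.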
Upstream ticket: https://fedorahosted.org/sssd/ticket/1690
Verified *unfixed* with the following packages:
sssd-client-1.9.2-41.el6.x86_64
libsss_idmap-1.9.2-41.el6.x86_64
libsss_sudo-1.9.2-41.el6.x86_64
sudo-1.8.6p3-6.el6.x86_64
sssd-1.9.2-41.el6.x86_64

The option is *not* renamed and sssd-ldap(5) still shows the old name.
That was not the point of the patch. Sorry, I should have been more clear. We can't rename the option just like that. There may be people using the option already. For 6.4, the only thing we could do was be clear in the man page that the option only supports wildcards, not regexes. For a later release, we will provide a new option ldap_sudo_include_wildcard that would be the preferred one and anybody who will use ldap_sudo_include_regexp will get a warning. For 6.4, the verification only amounts to checking that the manpage says wildcard, not regexp.
I can confirm that documentation was updated to use "wildcards" instead of "regular expressions". Otherwise this bug cannot be closed as fixed yet.
We won't be doing anything else except the docs fix in 6.4. Tracking that is the purpose of this bugzilla. The rest of the work is being tracked in the upstream ticket https://fedorahosted.org/sssd/ticket/1707 and will be cloned as appropriate.
OK. What will be tracking renaming of the option, then? Shall we make another bug for renaming, or maybe another bug for documentation fix?
Yes this should be closed as verified. The real fix will be done some time later when we address the ticket above. Please flip it back to ON_QE.
Verified fixed with the following packages:
sssd-client-1.9.2-41.el6.x86_64
libsss_idmap-1.9.2-41.el6.x86_64
libsss_sudo-1.9.2-41.el6.x86_64
sudo-1.8.6p3-6.el6.x86_64
sssd-1.9.2-41.el6.x86_64
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHSA-2013-0508.html