Bug 883408 - Make it clear that ldap_sudo_include_regexp can only handle wildcards
Summary: Make it clear that ldap_sudo_include_regexp can only handle wildcards
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: sssd
Version: 6.4
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: rc
: ---
Assignee: Jakub Hrozek
QA Contact: Kaushik Banerjee
URL:
Whiteboard:
Depends On:
Blocks: 888457
 
Reported: 2012-12-04 14:12 UTC by Nikolai Kondrashov
Modified: 2020-05-02 17:08 UTC (History)

Fixed In Version: sssd-1.9.2-41.el6
Doc Type: Bug Fix
Doc Text:
No documentation needed.
Clone Of:
Environment:
Last Closed: 2013-02-21 09:41:57 UTC
Target Upstream Version:
Embargoed:


Links
System ID Private Priority Status Summary Last Updated
Github SSSD sssd issues 2732 0 None None None 2020-05-02 17:08:52 UTC
Red Hat Product Errata RHSA-2013:0508 0 normal SHIPPED_LIVE Low: sssd security, bug fix and enhancement update 2013-02-20 21:30:10 UTC

Description Nikolai Kondrashov 2012-12-04 14:12:21 UTC
Description of problem:
The "ldap_sudo_include_regexp" option is named incorrectly, because sudo doesn't actually support regular expressions (as in, e.g. perl-compatible regular expressions) for configuration, but instead shell-like wildcards. In particular, sudoers(5) states about wildcards: "Note that these are not regular expressions."

This results in confusion.

The option would better be named "ldap_sudo_include_wildcards" or "ldap_sudo_include_glob" and documentation should be updated accordingly. Namely:

1. sssd-sudo(5) - change "regular expression" to "wildcards" or "glob characters".
2. sssd-ldap(5) - the description of the option in question.

Version-Release number of selected component (if applicable):
sssd-1.9.2-30.el6.x86_64
libsss_sudo-1.9.2-30.el6.x86_64
sudo-1.8.6p3-6.el6.x86_64
sssd-client-1.9.2-30.el6.x86_64
libsss_idmap-1.9.2-30.el6.x86_64
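
The distinction drawn in the description above, as an added example that is not part of the original report and is not SSSD or sudo code: the same host pattern read as a shell-style wildcard (the reading sudoers(5) documents) and as a regular expression covers different hosts, so a rule author thinking in regexes misjudges a rule's scope. The patterns and hostnames are constructed, and Python's fnmatch stands in here for sudo's own wildcard matching.

```python
import fnmatch
import re

# Constructed host patterns and hostnames (assumptions, not from the bug report).
PATTERNS = ["web*.example.com", "db?.example.com", "*.example.com"]
HOSTS = ["web01.example.com", "db1.example.com", "we-example-com", "d1example.com"]


def glob_match(pattern, host):
    """Shell-style wildcard reading: '*' is any run of characters, '?' is one."""
    return fnmatch.fnmatchcase(host, pattern)


def regex_match(pattern, host):
    """Misreading: the same string treated as an anchored regular expression."""
    try:
        return re.fullmatch(pattern, host) is not None
    except re.error:
        # A leading '*' has nothing to repeat, so the pattern is not a valid regex.
        return False


def divergences(patterns, hosts):
    """Return (pattern, host, glob_result, regex_result) where the readings disagree."""
    out = []
    for pattern in patterns:
        for host in hosts:
            g = glob_match(pattern, host)
            r = regex_match(pattern, host)
            if g != r:
                out.append((pattern, host, g, r))
    return out


if __name__ == "__main__":
    print(f"{'pattern':<20} {'host':<20} {'glob':<6} regex")
    for pattern, host, g, r in divergences(PATTERNS, HOSTS):
        print(f"{pattern:<20} {host:<20} {str(g):<6} {r}")
```

Every row printed is a host that one reading includes and the other excludes; a review of wildcard host rules should evaluate them with glob semantics only.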

Comment 2 Pavel Březina 2012-12-04 14:36:57 UTC
Upstream ticket:
https://fedorahosted.org/sssd/ticket/1690

Comment 4 Nikolai Kondrashov 2012-12-14 13:25:50 UTC
Verified *unfixed* with the following packages:

sssd-client-1.9.2-41.el6.x86_64
libsss_idmap-1.9.2-41.el6.x86_64
libsss_sudo-1.9.2-41.el6.x86_64
sudo-1.8.6p3-6.el6.x86_64
sssd-1.9.2-41.el6.x86_64

The option is *not* renamed and sssd-ldap(5) still shows the old name.

Comment 5 Jakub Hrozek 2012-12-14 14:24:02 UTC
That was not the point of the patch. Sorry, I should have been more clear. 

We can't rename the option just like that. There may be people using the option already. For 6.4, the only thing we could do was be clear in the man page that the option only supports wildcards, not regexes. For a later release, we will provide a new option ldap_sudo_include_wildcard that would be the preferred one and anybody who will use ldap_sudo_include_regexp will get a warning.

For 6.4, the verification only amounts to checking that the manpage says wildcard, not regexp.

Comment 6 Nikolai Kondrashov 2012-12-14 14:38:05 UTC
I can confirm that documentation was updated to use "wildcards" instead of "regular expressions".

Otherwise this bug cannot be closed as fixed yet.

Comment 7 Jakub Hrozek 2012-12-14 14:58:49 UTC
We won't be doing anything else except the docs fix in 6.4. Tracking that is the purpose of this bugzilla.

The rest of the work is being tracked in the upstream ticket https://fedorahosted.org/sssd/ticket/1707 and will be cloned as appropriate.

Comment 8 Nikolai Kondrashov 2012-12-14 15:01:27 UTC
OK. What will be tracking renaming of the option, then? Shall we make another bug for renaming, or maybe another bug for documentation fix?

Comment 9 Dmitri Pal 2012-12-14 15:02:37 UTC
Yes this should be closed as verified. The real fix will be done some time later when we address the ticket above.
Please flip it back to ON_QE.

Comment 10 Nikolai Kondrashov 2012-12-14 15:05:00 UTC
Verified fixed with the following packages:

sssd-client-1.9.2-41.el6.x86_64
libsss_idmap-1.9.2-41.el6.x86_64
libsss_sudo-1.9.2-41.el6.x86_64
sudo-1.8.6p3-6.el6.x86_64
sssd-1.9.2-41.el6.x86_64

Comment 11 errata-xmlrpc 2013-02-21 09:41:57 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHSA-2013-0508.html

