Alexander Bokovoy wrote:
Hi,
FreeIPA SUDO rules use --usercat/--groupcat to specify that rule
applies to all users or groups. Thus, sudorule-add-runasuser and
sudorule-add-runasgroup accept specific groups and users and do not
accept ALL reserved word.
The patch validates user and group passed to these commands and
reports appropriate errors when these are ALL or all arguments
are empty.
Ticket #1496
https://fedorahosted.org/freeipa/ticket/1496
One thing I'm not sure about is blocking all variants of the reserved
word 'ALL'. The patch blocks them all due to the fact that most likely
any of 'all', 'All', 'ALL', 'aLL', and so on are mistyping but there
are might be valid cases when group or user is called 'all'.
Then runasuser check reports runas-group as the attribute name, I think
it should still be runas-user even though it is a group of users.
Other member commands don't consider it an error to provide any actual
members, it treats it as a no-op. We should probably be consistent.
It would probably be better to return the value as passed in by the user
rather than user[0].value.
rob
_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
