JR Aquino wrote:
On Oct 4, 2010, at 2:02 PM, Rob Crittenden wrote:
> Dmitri Pal wrote:
>> Dmitri Pal wrote:
>>> How do we adjust FreeIPA such that it ensures Deny-IPASudoRules precede any
>>> Allow-IPASudoRules ?
>>
>> So it looks like current schema would not fly well with SUDO due to SUDO
>> bug/feature. SUDO will match just any first rule that satisfies the
>> user-host-command combination but we can't guaran
> btw. I cannot reproduce your issue where a command is denied where only
> user and host is matching, can you give an example where this is
> happening? Thanks
I retract my previous statement and stand corrected:
I have run a test and verified on Redhat Enterprise 5.5 that Sudo is behaving
as w
On Sep 30, 2010, at 9:37 AM, Sumit Bose wrote:
> I agree, I only made the suggestion about the IPA server, because I
> think that this "feature" is a bug in the current sudo code base, an
> annoying bug at best and a serious security issue at worst.
It is both a bug and a security concern... one
On Sep 30, 2010, at 6:17 AM, freeipa-devel-requ...@redhat.com wrote:
I think this behaviour is a contradiction to 'paranoid behavior'. I
think that instead of
'If there are conflicting command rules on an entry, the negative takes
precedence.'
Todd was able to confirm this for me...
On Sep 29, 2010, at 9:06 PM, Dmitri Pal wrote:
I was aware of this writeup however I did not read it as there is a
problem when there are multiple rules with negation. It actually nowhere
says how SUDO handles multiple rules if they are mutually exclusive.
E
On Thu, Sep 30, 2010 at 12:06:01AM -0400, Dmitri Pal wrote:
> JR Aquino wrote:
>> I have encountered and troubleshot several instances recently where a user
>> was present in more than 1 sudo rule. One that permitted the user, the host,
>> and commands, and another that permitted the user, and host, but no commands.
>>
>> It was discovered that:
>> * Sudo is a stop on first match...
>> * When
JR Aquino wrote:
I believe we have made an oversight in the way that sudo processes 'deny' or
negations via ldap...

Currently our IPA sudo Schema has ipasudorule objects set to contain an
attribute: accessRuleType

Unfortunately, sudo does not have a means to do a 'deny' in this way...
For a command, user, or h
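The thread above turns on two properties of sudo's LDAP lookup: it stops at the first sudoRole entry that matches user and host and says something about the command, and within one entry a negated command takes precedence over a positive one. Because LDAP returns entries in no guaranteed order, a FreeIPA "deny" rule stored as a separate entry may or may not be consulted before the "allow" entry that grants the command. The model below is an added example written for this page, not sudo's or FreeIPA's code; it is a simplification of the behaviour the thread describes, and the entries, user, host and commands are constructed test data.

```python
"""Toy model of sudo evaluating LDAP sudoRole entries (added example, not
sudo's or FreeIPA's code).  Simplified rules taken from the discussion:
  * first entry matching user + host that says anything about the command
    decides; later entries are never consulted;
  * within one entry a negated command ("!cmd") beats a positive match.
Entry order from LDAP is not guaranteed, so the same rule set is evaluated
in every order to see whether the verdict depends on it."""

from dataclasses import dataclass, field
from itertools import permutations


@dataclass
class SudoRole:
    """One sudoRole-like entry; attribute names follow the sudoers LDAP schema."""
    cn: str
    sudoUser: list
    sudoHost: list
    sudoCommand: list = field(default_factory=list)  # "!" prefix negates


def _matches(values, candidate):
    # "ALL" is the sudoers wildcard for users, hosts and commands.
    return "ALL" in values or candidate in values


def command_verdict(role, command):
    """Return 'allow', 'deny', or None when the entry says nothing about
    this command.  Negated commands take precedence inside the entry."""
    positives = [c for c in role.sudoCommand if not c.startswith("!")]
    negatives = [c[1:] for c in role.sudoCommand if c.startswith("!")]
    if _matches(negatives, command):
        return "deny"
    if _matches(positives, command):
        return "allow"
    return None


def evaluate(roles, user, host, command):
    """Walk entries in the order given; stop at the first decisive match.
    Returns (verdict, cn of the deciding entry or None)."""
    for role in roles:
        if not (_matches(role.sudoUser, user) and _matches(role.sudoHost, host)):
            continue
        verdict = command_verdict(role, command)
        if verdict is not None:
            return verdict, role.cn
    return "deny", None  # nothing matched: sudo refuses


def order_dependent(roles, user, host, command):
    """True when different LDAP return orders give different verdicts."""
    verdicts = {evaluate(list(p), user, host, command)[0] for p in permutations(roles)}
    return len(verdicts) > 1


# Constructed data: an "allow everything" entry and a separate "deny the
# shell" entry, the shape a FreeIPA allow rule plus a deny rule would take.
ALLOW_ALL = SudoRole("allow-all", ["jr"], ["web1"], ["ALL"])
DENY_SHELL = SudoRole("deny-shell", ["jr"], ["web1"], ["!/bin/bash"])
# The same intent expressed inside a single entry.
COMBINED = SudoRole("combined", ["jr"], ["web1"], ["ALL", "!/bin/bash"])

if __name__ == "__main__":
    print(evaluate([ALLOW_ALL, DENY_SHELL], "jr", "web1", "/bin/bash"))
    print(evaluate([DENY_SHELL, ALLOW_ALL], "jr", "web1", "/bin/bash"))
    print("two entries order dependent:",
          order_dependent([ALLOW_ALL, DENY_SHELL], "jr", "web1", "/bin/bash"))
    print(evaluate([COMBINED], "jr", "web1", "/bin/bash"))
    print(evaluate([COMBINED], "jr", "web1", "/usr/bin/id"))
```

With the two-entry layout the verdict for /bin/bash flips with the order in which the directory server happens to return the entries, which is the guarantee Dmitri says the schema cannot give. Folding the negation into the same entry as the grant makes the deny win regardless of order, because the precedence rule applies within an entry.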