JR Aquino wrote:
On Oct 4, 2010, at 2:02 PM, Rob Crittenden wrote:
Dmitri Pal wrote:
Dmitri Pal wrote:
Dmitri Pal wrote:
How do we adjust FreeIPA such that it ensures Deny-IPASudoRules precede any
Allow-IPASudoRules ?
So it looks like current schema would not fly well with SUDO due to
On Sep 30, 2010, at 6:17 AM, freeipa-devel-requ...@redhat.com wrote:
I think this behaviour is a contradiction to 'paranoid behavior'. I
think that instead of
'If there are
On Sep 30, 2010, at 9:37 AM, Sumit Bose wrote:
I agree, I only made the suggestion about the IPA server, because I
think that this feature is a bug in the current sudo code base, an
annoying bug at best and a serious security issue at worst.
It is both a bug and a security concern... one that
btw. I cannot reproduce your issue where a command is denied where only
user and host is matching, can you give an example where this is
happening? Thanks
I retract my previous statement and stand corrected:
I have run a test and verified on Redhat Enterprise 5.5 that Sudo is behaving
as we
How do we adjust FreeIPA such that it ensures Deny-IPASudoRules precede any
Allow-IPASudoRules ?
So it looks like current schema would not fly well with SUDO due to SUDO
bug/feature. SUDO will match just any first rule that satisfies the
user-host-command combination but we can't