Re: [Freeipa-devel] Sudo Schema Bug/Feature

2010-10-05 Thread Rob Crittenden
JR Aquino wrote: On Oct 4, 2010, at 2:02 PM, Rob Crittenden wrote: Dmitri Pal wrote: Dmitri Pal wrote: Dmitri Pal wrote: How do we adjust FreeIPA such that it ensures Deny-IPASudoRules precede any Allow-IPASudoRules ? So it looks like current schema would not fly well with SUDO due to

Re: [Freeipa-devel] Sudo Schema Bug/Feature

2010-10-04 Thread JR Aquino
On Oct 4, 2010, at 2:02 PM, Rob Crittenden wrote: Dmitri Pal wrote: Dmitri Pal wrote: Dmitri Pal wrote: How do we adjust FreeIPA such that it ensures Deny-IPASudoRules precede any Allow-IPASudoRules ? So it looks like current schema would not fly well with SUDO due to SUDO

Re: [Freeipa-devel] Sudo Schema Bug/Feature

2010-10-03 Thread Dmitri Pal
Dmitri Pal wrote: How do we adjust FreeIPA such that it ensures Deny-IPASudoRules precede any Allow-IPASudoRules ? So it looks like current schema would not fly well with SUDO due to SUDO bug/feature. SUDO will match just any first rule that satisfies the user-host-command

Re: [Freeipa-devel] Sudo Schema Bug/Feature

2010-09-30 Thread JR Aquino
On Sep 30, 2010, at 6:17 AM, freeipa-devel-requ...@redhat.com wrote: I think this behaviour is a contradiction to 'paranoid behavior'. I think that instead of 'If there are

Re: [Freeipa-devel] Sudo Schema Bug/Feature

2010-09-30 Thread Sumit Bose
On Sep 30, 2010, at 6:17 AM, freeipa-devel-requ...@redhat.com wrote: I think this behaviour is a contradiction to 'paranoid behavior'. I think that instead of 'If there are

Re: [Freeipa-devel] Sudo Schema Bug/Feature

2010-09-30 Thread JR Aquino
On Sep 30, 2010, at 9:37 AM, Sumit Bose wrote: I agree, I only made the suggestion about the IPA server, because I think that this feature is a bug in the current sudo code base, an annoying bug at best and a serious security issue at worst. It is both a bug and a security concern... one that

Re: [Freeipa-devel] Sudo Schema Bug/Feature

2010-09-30 Thread JR Aquino
btw. I cannot reproduce your issue where a command is denied where only user and host is matching, can you give an example where this is happening? Thanks I retract my previous statement and stand corrected: I have run a test and verified on Redhat Enterprise 5.5 that Sudo is behaving as we

Re: [Freeipa-devel] Sudo Schema Bug/Feature

2010-09-30 Thread Dmitri Pal
How do we adjust FreeIPA such that it ensures Deny-IPASudoRules precede any Allow-IPASudoRules ? So it looks like current schema would not fly well with SUDO due to SUDO bug/feature. SUDO will match just any first rule that satisfies the user-host-command combination but we can't
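The ordering problem the thread is circling (a "first matching rule wins" evaluation over rules whose order the directory does not guarantee, so a deny rule returned after an allow rule never fires) is easier to see with a small simulation. The code below is an added example written for this page; it is not FreeIPA or sudo code, and it models only the first-match behaviour as described in the messages above, contrasted with the last-match evaluation a sudoers file uses. The rule names, users, hosts and commands are constructed sample data, and `SudoRule`, `evaluate_first_match`, `evaluate_last_match` and `deny_first` are names assumed for the example.

```python
"""Simulate first-match vs last-match sudo rule evaluation (added example,
not FreeIPA or sudo code). Shows why deny rules must precede allow rules
under first-match semantics when the rule order is not guaranteed."""
from dataclasses import dataclass
from fnmatch import fnmatch


def _member(value, allowed):
    # "ALL" stands for the sudoers ALL alias; otherwise require an exact name.
    return "ALL" in allowed or value in allowed


@dataclass(frozen=True)
class SudoRule:
    name: str
    users: frozenset      # user names, or {"ALL"}
    hosts: frozenset      # host names, or {"ALL"}
    commands: tuple       # glob patterns for commands, or ("ALL",)
    deny: bool = False    # True models a Deny-IPASudoRule

    def matches(self, user, host, command):
        return (_member(user, self.users)
                and _member(host, self.hosts)
                and any(c == "ALL" or fnmatch(command, c) for c in self.commands))


def evaluate_first_match(rules, user, host, command):
    """First matching rule decides (the LDAP behaviour described in the thread).
    Returns ("allow"|"deny", rule_name); no match at all is a deny with None."""
    for rule in rules:
        if rule.matches(user, host, command):
            return ("deny" if rule.deny else "allow", rule.name)
    return ("deny", None)


def evaluate_last_match(rules, user, host, command):
    """Last matching rule decides (sudoers-file behaviour, for contrast)."""
    decision = ("deny", None)
    for rule in rules:
        if rule.matches(user, host, command):
            decision = ("deny" if rule.deny else "allow", rule.name)
    return decision


def deny_first(rules):
    """Stable reorder so every deny rule is evaluated before any allow rule,
    which is the ordering the thread asks FreeIPA to guarantee."""
    return sorted(rules, key=lambda r: 0 if r.deny else 1)


# Constructed sample rules, in the (arbitrary) order a directory might return them:
# the broad allow rule happens to come back before the targeted deny rule.
RULES_AS_RETURNED = [
    SudoRule("admins-all", frozenset({"alice"}), frozenset({"ALL"}), ("ALL",)),
    SudoRule("no-su-on-prod", frozenset({"ALL"}), frozenset({"prod01", "prod02"}),
             ("/bin/su",), deny=True),
]


def demo():
    """Return the decisions for alice running /bin/su on prod01 under each scheme."""
    args = ("alice", "prod01", "/bin/su")
    return {
        "first_match_as_returned": evaluate_first_match(RULES_AS_RETURNED, *args),
        "first_match_deny_first": evaluate_first_match(deny_first(RULES_AS_RETURNED), *args),
        "last_match_as_returned": evaluate_last_match(RULES_AS_RETURNED, *args),
    }


if __name__ == "__main__":
    for scheme, decision in demo().items():
        print(f"{scheme}: {decision}")
```

With the rules in the order the directory happened to return them, first-match evaluation grants `/bin/su` on `prod01` because the allow rule is seen first; once deny rules are moved ahead of allow rules the same query is denied, and the allow rule still applies to commands the deny rule does not name. Last-match evaluation over the same list denies it only because the deny rule happens to be last, which is the mirror image of the problem and no more reliable when the order is unspecified.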