#3226 [RFE] ipa sudorule-add-user should accept more types of characters
Closed: fixed 3 years ago by rcritten. Opened 11 years ago by dpal.

https://bugzilla.redhat.com/show_bug.cgi?id=871208 (Red Hat Enterprise Linux 6)

Description of problem:

ipa sudorule-add-user restricts user names to a limited variety of characters.
At the very least @ and \ should be included to cover username conventions used
for AD trusted users.  When I try now, I see this:

[root@rhel6-1 failure1]# ipa sudorule-add-user testrule --users=adtestuser1@adtestdom.com
ipa: ERROR: invalid 'user': may only include letters, numbers, _, -, . and $

In addition Simo mentioned in an email:

We should allow any character in this case.
These are external user/group names, we do not have any control on them.

If I want to add the user ?test@foo^^bar in /etc/passwd then I should be
allowed to use it in a sudo rule

Version-Release number of selected component (if applicable):
ipa-server-3.0.0-106.20121026T1837zgitf14dd98.el6.x86_64

How reproducible:
Always

Steps to Reproduce:
1.  Setup IPA Master
2.  ipa sudorule-add testrule
3.  ipa sudorule-add-user --users=test@domain.com

Actual results:
error listed above

Expected results:
success

Additional info:

After Sumit brought up a good point, I'm modifying this request.

Instead of modifying --users option functionality, I'd like to request a new --external (or similar) option. This will allow a distinction between adding IPA users and External ones coming from other sources like AD.

I'd think we'd keep the option similar to the group-add one used when adding AD groups/users to a group in IPA.

Changing 3.2 priority

Releasing tickets from distant milestones.

IPA already distinguishes between home IPA users and external users; no new option was added. The validation is still strict, though:

# ipa sudorule-add-user test --users "external@ad.domain.test"
ipa: ERROR: invalid 'user': may only include letters, numbers, _, -, . and $

# ipa sudorule-add-user test --users "external"
  Rule name: test
  Enabled: TRUE
  Host category: all
  External User: foouser, external
  Sudo Allow Commands: /usr/bin/yum, /bin/mv
-------------------------
Number of members added 1
-------------------------

This looks like a basic use case for SUDO; let's move it to an earlier release.

FreeIPA 4.2.1 was released, moving to 4.2.x.

Metadata Update from @dpal:
- Issue assigned to someone
- Issue set to the milestone: FreeIPA 4.5 backlog

7 years ago

Raven grooming:

  • there is already ability to add an external user (in terms of not existing in IPA LDAP) but it is prevented by a validation rule for 'uid' param as described in https://www.redhat.com/archives/freeipa-devel/2015-May/msg00499.html
  • the scope for this bug is to allow not checking the validation when 'uid' param is used within sudo commands.

Metadata Update from @abbra:
- Issue close_status updated to: None
- Issue set to the milestone: None (was: FreeIPA 4.5 backlog)

3 years ago

Metadata Update from @abbra:
- Issue assigned to abbra (was: someone)
- Issue set to the milestone: FreeIPA 4.9
- Issue tagged with: trust

3 years ago

master:

  • afcb060 Add design document for using AD users/groups in SUDO rules
  • 172e4b9 baseldap: refactor validator support in add_external_pre_callback
  • 5fae809 baseldap: when adding external objects, differentiate between them and failures
  • 0ffdfc7 idviews: add extended validator for users from trusted domains
  • a37db29 sudorule-add-user: allow to reference users and groups from trusted domains directly
  • 349322e sudorule runAs: allow to add users and groups from trusted domains directly
  • 09e06e0 ipatests: fix test_sudorule_plugin's wrong argument use
  • 642b81e test_trust: add tests for using AD users and groups in SUDO rules
  • c91a1a0 ipatests: when talking to AD DCs, use FQDN credentials
  • 08d7209 baseldap: allow rejecting unknown objects instead of adding to an external attr

ipa-4-9:

  • 16b30cb Add design document for using AD users/groups in SUDO rules
  • 132d7fb baseldap: refactor validator support in add_external_pre_callback
  • ffc2edf baseldap: when adding external objects, differentiate between them and failures
  • a3563d1 idviews: add extended validator for users from trusted domains
  • 054a068 sudorule-add-user: allow to reference users and groups from trusted domains directly
  • 78043bf sudorule runAs: allow to add users and groups from trusted domains directly
  • f4d3c91 ipatests: fix test_sudorule_plugin's wrong argument use
  • a7c56fd test_trust: add tests for using AD users and groups in SUDO rules
  • 64b70be ipatests: when talking to AD DCs, use FQDN credentials
  • 51ca387 baseldap: allow rejecting unknown objects instead of adding to an external attr

Metadata Update from @rcritten:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)

3 years ago
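The validation problem described in the grooming note and the direction taken by the commits above (accept users from trusted domains directly, reject unknown objects instead of adding them to the external attribute), as an added Python illustration. This is not FreeIPA's own code: the regular expressions, the constructed trust table and the function names are assumptions; the local uid character set is taken from the error message quoted in the ticket.

```python
"""Hypothetical sudo-rule user validator, written for this ticket as an
illustration. It is not FreeIPA's own code: the regular expressions, the
trust table and the function names below are assumptions."""
import re

# Local IPA uid: character set taken from the error message quoted in the
# ticket ("letters, numbers, _, -, . and $"); restricting '$' to the end is
# an assumption.
LOCAL_UID_RE = re.compile(r"^[A-Za-z0-9_.-]+\$?$")

# Trusted-domain forms the ticket asks for: UPN style user@dns.domain and
# down-level NETBIOS\user. The user part is kept to a conservative set so
# that LDAP filter metacharacters ('*', '(', ')', '\', NUL) and whitespace
# never reach the directory (assumption, not FreeIPA's rule).
UPN_RE = re.compile(
    r"^(?P<user>[A-Za-z0-9_.$-]+)@"
    r"(?P<domain>(?:[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?\.)+[A-Za-z]{2,})$"
)
DOWNLEVEL_RE = re.compile(r"^(?P<netbios>[A-Za-z0-9_-]{1,15})\\(?P<user>[A-Za-z0-9_.$-]+)$")

# Constructed sample trust table: DNS domain -> NetBIOS name. A real server
# would take this from the trust objects it has actually established.
TRUSTED_DOMAINS = {"adtestdom.com": "ADTESTDOM", "ad.domain.test": "ADDOM"}


def classify_sudo_user(name, trusted=TRUSTED_DOMAINS):
    """Return ('local', uid) for an IPA uid or ('external', 'user@dns.domain')
    for a user in a trusted domain. Raise ValueError otherwise: an unknown
    domain or an arbitrary string is reported as a failure instead of being
    stored as an opaque external user."""
    if LOCAL_UID_RE.fullmatch(name):
        return ("local", name)

    m = UPN_RE.fullmatch(name)
    if m:
        domain = m.group("domain").lower()
        if domain not in trusted:
            raise ValueError(f"invalid 'user': {domain!r} is not a trusted domain")
        # AD names are case-insensitive; lower case is the assumed canonical form.
        return ("external", f"{m.group('user').lower()}@{domain}")

    m = DOWNLEVEL_RE.fullmatch(name)
    if m:
        by_netbios = {nb.upper(): dns for dns, nb in trusted.items()}
        netbios = m.group("netbios").upper()
        if netbios not in by_netbios:
            raise ValueError(f"invalid 'user': {netbios!r} is not a trusted domain")
        return ("external", f"{m.group('user').lower()}@{by_netbios[netbios]}")

    raise ValueError(
        f"invalid 'user': {name!r} is neither an IPA uid "
        "(letters, numbers, _, -, . and $) nor user@trusted.domain / DOMAIN\\user"
    )


def validate_many(names, trusted=TRUSTED_DOMAINS):
    """Classify every name, collecting rejections as ('rejected', reason) so
    the caller can report all problems in one pass."""
    result = {}
    for n in names:
        try:
            result[n] = classify_sudo_user(n, trusted)
        except ValueError as exc:
            result[n] = ("rejected", str(exc))
    return result


if __name__ == "__main__":
    # The inputs from the ticket plus one unknown domain and one junk string.
    for name, outcome in validate_many([
        "external",
        "adtestuser1@adtestdom.com",
        "ADTESTDOM\\adtestuser1",
        "someone@untrusted.example",
        "?test@foo^^bar",
    ]).items():
        print(f"{name!r:32} -> {outcome}")
```

The point of the split is that a name which is not a local uid is not simply waved through: it has to parse as one of the two trusted-domain forms and name a domain the server actually trusts, so a typo or an untrusted realm is an error the administrator sees rather than a dangling entry in the rule.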
