Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 6): Bug 1066572
Please note that this Bug is private and may not be accessible as it contains confidential Red Hat customer information.
Description of problem: In IdM, we cannot set up a Sudo Rule which can be run as an External Group. We can set external users, but can't set external groups.
I did a few tests and this indeed does not work even though SSSD/sudo supports it:
I also tested this feature and this is a gap on the FreeIPA side. When I manually edited ou=sudoers and added a local group (vmusers), SSSD and sudo were able to process it:

    $ id
    uid=932000000(admin) gid=932000000(admins) groups=932000000(admins) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
    $ sudo -l
    User admin may run the following commands on this host:
        (tuser, %foo, %vmusers : wheel) /usr/bin/less

foo is a FreeIPA group with "fbar" as a group member, vmusers is a local group with "mkosek" as a group member. I was able to run the SUDO command as all tuser, fbar and mkosek users:

    $ sudo -u mkosek /usr/bin/less /etc/passwd
    ... reads the file
We will need to:
ipaSudoRunAsExtUser
sudoRunAsUser
ou=sudoers,SUFFIX
Ticket has been cloned to Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1080844
Another ticket with missing sudo functionality: #4274
Starting review
Patch is already on review - Tomas forgot to switch the flag.
pushed to master as part of sudorule enhancements:
Metadata Update from @mkosek: - Issue assigned to tbabej - Issue set to the milestone: FreeIPA 4.0 - 2014/06