#4274 IPA server does not allow sudo host network filters
Closed: Fixed. Opened 10 years ago by mkosek.

Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 6): Bug 1080209

Description of problem:
Attempting to set a subnet in an external host filter for a sudo rule fails
with "IPA Error 3009".


Version-Release number of selected component (if applicable):
ipa-server-3.0.0-26.el6_4.2.x86_64


Steps to Reproduce:
1. Create a sudo rule
2. Add "10.0.0.0/8" as an external host.
3.

Actual results:
IPA Error 3009
invalid 'host': only letters, numbers, _, and - are allowed. DNS label may not
start or end with -


Expected results:
success


Additional info:
The sudoers man page defines a host filter as:
Host ::= '!'* host name |
         '!'* ip_addr |
         '!'* network(/netmask)? |
         '!'* +netgroup |
         '!'* Host_Alias

The sudoers.ldap man page even says the 'sudoHost' LDAP attribute supports "IP
network".

Thus "10.0.0.0/8" should be accepted as a valid host filter.

Another ticket with missing sudo functionality: #4263

Original design that mentions hostmask but which was not implemented: http://www.freeipa.org/page/FreeIPAv2:SUDO_Schema_Design
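As an added example (not FreeIPA's own code), the following Python classifier applies the sudoers Host grammar quoted above and sits next to a label-only hostname check of the kind that produced error 3009; the function names and the handling of netgroup names are constructed for illustration.

```python
"""Classify sudoHost values against the sudoers Host grammar (illustrative)."""
import ipaddress
import re

# A DNS label as described by the IPA error text: letters, digits, '_' and '-',
# and it may not start or end with '-'.
_LABEL = re.compile(r"^[A-Za-z0-9_](?:[A-Za-z0-9_-]*[A-Za-z0-9_])?$")


def is_hostname(value: str) -> bool:
    """Label-only check; this is what rejects '10.0.0.0/8' (the '/' is not a label char)."""
    if not value:
        return False
    return all(_LABEL.match(label) for label in value.rstrip(".").split("."))


def classify_sudo_host(value: str) -> str:
    """Return the sudoers Host production a value matches, or 'invalid'.

    Host ::= '!'* host name | '!'* ip_addr | '!'* network(/netmask)? | '!'* +netgroup
    Host_Alias is a sudoers-file construct and has no LDAP counterpart here.
    """
    body = value.lstrip("!")          # any number of leading negations
    if not body:
        return "invalid"
    if body.startswith("+"):          # +netgroup; name syntax assumed to be label-like
        return "netgroup" if is_hostname(body[1:]) else "invalid"
    if "/" in body:                   # network/prefix or network/netmask
        try:
            # strict=True rejects '10.0.0.1/8' (host bits set) as ambiguous;
            # '10.0.0.0/8' and '10.0.0.0/255.0.0.0' are both accepted.
            ipaddress.ip_network(body, strict=True)
            return "network"
        except ValueError:
            return "invalid"
    try:
        ipaddress.ip_address(body)    # bare IPv4 or IPv6 address
        return "ip_addr"
    except ValueError:
        pass
    return "hostname" if is_hostname(body) else "invalid"
```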

Pushed to master as part of sudorule enhancements:

  • 5a1207c sudorule: PEP8 fixes in sudorule.py
  • fix: a228d7a sudorule: Allow using hostmasks for setting allowed hosts
  • 9304b64 sudorule: Allow using external groups as groups of runAsUsers
  • 3a56b15 sudorule: Make sure sudoRunAsGroup is dereferencing the correct attribute
  • c7da22c sudorule: Include externalhost and ipasudorunasextgroup in the list of default attributes
  • af2eb4d sudorule: Allow adding deny commands when command category set to ALL
  • 9bb88a1 sudorule: Make sure all the relevant attributes are checked when setting category to ALL
  • a1d6c9a sudorule: Fix the order of the parameters to have less chaotic output
  • b1275c5 sudorule: Enforce category ALL checks on dirsrv level
  • d537da8 ipatests: test_sudo: Add tests for allowing hosts via hostmasks
  • c50d190 ipatests: test_sudo: Add coverage for external entries
  • ec2050b ipatests: test_sudo: Add coverage for category ALL validation
  • e0fd269 ipatests: test_sudo: Fix assertions not assuming runasgroupcat set to ALL
  • 701f1fc ipatests: test_sudo: Do not expect enumeration of runasuser groups
  • e7969f5 ipatests: test_sudo: Expect root listed out if no RunAsUser available
  • af4518b sudorule: Refactor add and remove external_post_callback

Metadata Update from @mkosek:
- Issue assigned to tbabej
- Issue set to the milestone: FreeIPA 4.0 Backlog

7 years ago
