#742 sudo compat: Command Category ALL should allow for explicit deny commands
Closed: Fixed. Opened 13 years ago by jraquino.

The sudo compat plugin should allow for the presence of:
Command Category: ALL
AND
sudoCommand: !/usr/bin/less

Currently the plugin is set to overwrite any other sudoCommand attribute in favor of just 'ALL'.

The plugin should continue to supersede 'permit' commands, but it should not override 'deny' commands.


Nalin has suggested the following:

If I'm reading you right, I expect these lines:

add:schema-compat-entry-attribute: 'sudoCommand=%ifeq("cmdCategory","all","ALL","!%deref(\"memberDenyCmd\",\"sudoCmd\")")'
add:schema-compat-entry-attribute: 'sudoCommand=%ifeq("cmdCategory","all","ALL","!%deref_r(\"memberDenyCmd\",\"member\",\"sudoCmd\")")'

... will no longer be omitting 'memberDenyCmd' values when 'cmdCategory'
matches 'all', so they'll be replaced with:

add:schema-compat-entry-attribute: 'sudoCommand=!%deref("memberDenyCmd","sudoCmd")'
add:schema-compat-entry-attribute: 'sudoCommand=!%deref_r("memberDenyCmd","member","sudoCmd")'

... meanwhile, the two lines that precede them, conditionally expanding
the 'memberAllowCmd' attribute, would stay the same.

Cheers,

Nalin
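To make the effect of the template change concrete, the following is an added illustration, not code from the ticket, from slapi-nis or from FreeIPA. It models the %ifeq, %deref and %deref_r template functions with simplified, assumed semantics (case-insensitive comparison, DN lookups in a small constructed dictionary) and assumes the two unchanged memberAllowCmd lines have the same %ifeq shape as the deny lines shown above. It then expands a constructed sudo rule with cmdCategory=all and explicit deny commands under both the original and the proposed templates.

```python
"""Model of the schema-compat sudoCommand templates discussed in the ticket.

Added example, not slapi-nis code: it simulates %ifeq / %deref / %deref_r
over a constructed directory so the old and fixed templates can be compared.
"""

# Constructed mini directory keyed by DN (not real IPA data).
DIRECTORY = {
    "cn=less,cn=sudocmds": {"sudoCmd": ["/usr/bin/less"]},
    "cn=vim,cn=sudocmds": {"sudoCmd": ["/usr/bin/vim"]},
    "cn=vi,cn=sudocmds": {"sudoCmd": ["/usr/bin/vi"]},
    # A sudo command group: it has members but no sudoCmd of its own.
    "cn=editors,cn=sudocmdgroups": {"member": ["cn=vim,cn=sudocmds", "cn=vi,cn=sudocmds"]},
}


def deref(entry, attr, target):
    """Model of %deref(attr, target): follow each DN in attr, collect target."""
    values = []
    for dn in entry.get(attr, []):
        values.extend(DIRECTORY.get(dn, {}).get(target, []))
    return values


def deref_r(entry, attr, link, target):
    """Model of %deref_r(attr, link, target): like deref, but also recurse
    through the link attribute of every entry reached (command groups)."""
    values, seen, stack = [], set(), list(entry.get(attr, []))
    while stack:
        dn = stack.pop()
        if dn in seen:
            continue
        seen.add(dn)
        node = DIRECTORY.get(dn, {})
        values.extend(node.get(target, []))
        stack.extend(node.get(link, []))
    return values


def ifeq(entry, attr, wanted, then_value, else_values):
    """Model of %ifeq(attr, value, then, else): if any value of attr equals
    'wanted' (case-insensitive comparison is an assumption), emit only
    then_value; otherwise emit the else expansion."""
    if any(v.lower() == wanted.lower() for v in entry.get(attr, [])):
        return [then_value]
    return else_values


def negate(values):
    """Prefix each command with '!' as the deny template lines do."""
    return ["!" + v for v in values]


def sudo_command_old(rule):
    """sudoCommand values from the original four template lines: with
    cmdCategory=all every line collapses to 'ALL', so denies are lost."""
    out = []
    out += ifeq(rule, "cmdCategory", "all", "ALL", deref(rule, "memberAllowCmd", "sudoCmd"))
    out += ifeq(rule, "cmdCategory", "all", "ALL", deref_r(rule, "memberAllowCmd", "member", "sudoCmd"))
    out += ifeq(rule, "cmdCategory", "all", "ALL", negate(deref(rule, "memberDenyCmd", "sudoCmd")))
    out += ifeq(rule, "cmdCategory", "all", "ALL", negate(deref_r(rule, "memberDenyCmd", "member", "sudoCmd")))
    return sorted(set(out))


def sudo_command_fixed(rule):
    """sudoCommand values after the change: the allow lines are unchanged,
    the deny lines expand memberDenyCmd unconditionally."""
    out = []
    out += ifeq(rule, "cmdCategory", "all", "ALL", deref(rule, "memberAllowCmd", "sudoCmd"))
    out += ifeq(rule, "cmdCategory", "all", "ALL", deref_r(rule, "memberAllowCmd", "member", "sudoCmd"))
    out += negate(deref(rule, "memberDenyCmd", "sudoCmd"))
    out += negate(deref_r(rule, "memberDenyCmd", "member", "sudoCmd"))
    return sorted(set(out))


# Constructed rule: category ALL, but less and the editors group denied.
RULE_ALL_WITH_DENY = {
    "cmdCategory": ["all"],
    "memberDenyCmd": ["cn=less,cn=sudocmds", "cn=editors,cn=sudocmdgroups"],
}

# Constructed rule without the category: both templates agree here.
RULE_EXPLICIT = {
    "memberAllowCmd": ["cn=editors,cn=sudocmdgroups"],
    "memberDenyCmd": ["cn=less,cn=sudocmds"],
}

if __name__ == "__main__":
    for name, rule in (("ALL + deny", RULE_ALL_WITH_DENY), ("explicit", RULE_EXPLICIT)):
        print(name, "old:  ", sudo_command_old(rule))
        print(name, "fixed:", sudo_command_fixed(rule))
```

With the old templates the first rule yields only ALL, silently dropping the deny entries; with the fixed templates it yields ALL plus !/usr/bin/less, !/usr/bin/vi and !/usr/bin/vim, and the rule without cmdCategory expands identically under both, which is what the proposal intends.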

Added patch and emailed freeipa-devel

There was an oversight in the previous patch. It incorrectly included a line from patch 13. This has been corrected in the new attached patch

Patch has been acked and pushed into master.

commit 5a0c937
Author: Jr Aquino <jr.aquino@citrix.com>
Date: Tue Jan 11 07:32:55 2011 -0800

Metadata Update from @jraquino:
- Issue assigned to jraquino
- Issue set to the milestone: FreeIPA 2.0 - 2011/01 (cleanup)

7 years ago
