diff options
| author | Tomas Babej <tbabej@redhat.com> | 2014-05-14 14:48:07 +0200 |
|---|---|---|
| committer | Petr Viktorin <pviktori@redhat.com> | 2014-06-25 20:14:51 +0200 |
| commit | b1275c5b1c2038c9769377e9cf0afe04139d1d8d (patch) | |
| tree | 9de08018a9573e859ff931655406f5fae9537186 | |
| parent | a1d6c9ab6b710076902c1dd8ffcdec96b2538c21 (diff) | |
| download | freeipa-b1275c5b1c2038c9769377e9cf0afe04139d1d8d.tar.gz freeipa-b1275c5b1c2038c9769377e9cf0afe04139d1d8d.tar.xz freeipa-b1275c5b1c2038c9769377e9cf0afe04139d1d8d.zip | |
sudorule: Enforce category ALL checks on dirsrv level
https://fedorahosted.org/freeipa/ticket/4341
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
| -rw-r--r-- | install/share/schema_compat.uldif | 11 | ||||
| -rw-r--r-- | install/updates/10-schema_compat.update | 10 |
2 files changed, 16 insertions, 5 deletions
diff --git a/install/share/schema_compat.uldif b/install/share/schema_compat.uldif index b5f61bb10..6de812fb0 100644 --- a/install/share/schema_compat.uldif +++ b/install/share/schema_compat.uldif @@ -89,14 +89,15 @@ add:schema-compat-entry-attribute: 'sudoHost=%ifeq("hostCategory","all","ALL","+ add:schema-compat-entry-attribute: 'sudoHost=%ifeq("hostCategory","all","ALL","%{hostMask}")' add:schema-compat-entry-attribute: 'sudoCommand=%ifeq("cmdCategory","all","ALL","%deref(\"memberAllowCmd\",\"sudoCmd\")")' add:schema-compat-entry-attribute: 'sudoCommand=%ifeq("cmdCategory","all","ALL","%deref_r(\"memberAllowCmd\",\"member\",\"sudoCmd\")")' +# memberDenyCmds are to be allowed even if cmdCategory is set to ALL add:schema-compat-entry-attribute: 'sudoCommand=!%deref("memberDenyCmd","sudoCmd")' add:schema-compat-entry-attribute: 'sudoCommand=!%deref_r("memberDenyCmd","member","sudoCmd")' -add:schema-compat-entry-attribute: 'sudoRunAsUser=%{ipaSudoRunAsExtUser}' -add:schema-compat-entry-attribute: 'sudoRunAsUser=%%%{ipaSudoRunAsExtUserGroup}' -add:schema-compat-entry-attribute: 'sudoRunAsUser=%deref("ipaSudoRunAs","uid")' +add:schema-compat-entry-attribute: 'sudoRunAsUser=%ifeq("ipaSudoRunAsUserCategory","all","ALL","%{ipaSudoRunAsExtUser}")' +add:schema-compat-entry-attribute: 'sudoRunAsUser=%ifeq("ipaSudoRunAsUserCategory","all","ALL","%%%{ipaSudoRunAsExtUserGroup}")' +add:schema-compat-entry-attribute: 'sudoRunAsUser=%ifeq("ipaSudoRunAsUserCategory","all","ALL","%deref_f(\"ipaSudoRunAs\",\"(objectclass=posixAccount)\",\"uid\")")' add:schema-compat-entry-attribute: 'sudoRunAsUser=%ifeq("ipaSudoRunAsUserCategory","all","ALL","%%%deref_f(\"ipaSudoRunAs\",\"(objectclass=posixGroup)\",\"cn\")")' -add:schema-compat-entry-attribute: 'sudoRunAsGroup=%{ipaSudoRunAsExtGroup}' -add:schema-compat-entry-attribute: 'sudoRunAsGroup=%deref_f("ipaSudoRunAsGroup","(objectclass=posixGroup)","cn")' +add:schema-compat-entry-attribute: 'sudoRunAsGroup=%ifeq("ipaSudoRunAsGroupCategory","all","ALL","%{ipaSudoRunAsExtGroup}")' +add:schema-compat-entry-attribute: 'sudoRunAsGroup=%ifeq("ipaSudoRunAsGroupCategory","all","ALL","%deref_f(\"ipaSudoRunAsGroup\",\"(objectclass=posixGroup)\",\"cn\")")' add:schema-compat-entry-attribute: 'sudoOption=%{ipaSudoOpt}' dn: cn=computers, cn=Schema Compatibility, cn=plugins, cn=config diff --git a/install/updates/10-schema_compat.update b/install/updates/10-schema_compat.update index 7c362105d..aeddadbe3 100644 --- a/install/updates/10-schema_compat.update +++ b/install/updates/10-schema_compat.update @@ -4,10 +4,20 @@ add:schema-compat-entry-attribute: 'sudoHost=%ifeq("hostCategory","all","ALL","% add:schema-compat-entry-attribute: 'sudoRunAsUser=%%%{ipaSudoRunAsExtUserGroup}' # Fix for #4324 (regression of #1309) remove:schema-compat-entry-attribute:'sudoRunAsGroup=%deref("ipaSudoRunAs","cn")' +remove:schema-compat-entry-attribute:'sudoRunAsUser=%{ipaSudoRunAsExtUser}' +remove:schema-compat-entry-attribute:'sudoRunAsUser=%%%{ipaSudoRunAsExtUserGroup}' +remove:schema-compat-entry-attribute:'sudoRunAsUser=%deref("ipaSudoRunAs","uid")' +remove:schema-compat-entry-attribute:'sudoRunAsGroup=%{ipaSudoRunAsExtGroup}' +remove:schema-compat-entry-attribute:'sudoRunAsGroup=%deref_f("ipaSudoRunAsGroup","(objectclass=posixGroup)","cn")' # We need to add the value in a separate transaction dn: cn=sudoers,cn=Schema Compatibility,cn=plugins,cn=config add: schema-compat-entry-attribute: 'sudoRunAsGroup=%deref_f("ipaSudoRunAsGroup","(objectclass=posixGroup)","cn")' +add: schema-compat-entry-attribute: 'sudoRunAsUser=%ifeq("ipaSudoRunAsUserCategory","all","ALL","%{ipaSudoRunAsExtUser}")' +add: schema-compat-entry-attribute: 'sudoRunAsUser=%ifeq("ipaSudoRunAsUserCategory","all","ALL","%%%{ipaSudoRunAsExtUserGroup}")' +add: schema-compat-entry-attribute: 'sudoRunAsUser=%ifeq("ipaSudoRunAsUserCategory","all","ALL","%deref_f(\"ipaSudoRunAs\",\"(objectclass=posixAccount)\",\"uid\")")' +add: schema-compat-entry-attribute: 'sudoRunAsGroup=%ifeq("ipaSudoRunAsGroupCategory","all","ALL","%{ipaSudoRunAsExtGroup}")' +add: schema-compat-entry-attribute: 'sudoRunAsGroup=%ifeq("ipaSudoRunAsGroupCategory","all","ALL","%deref_f(\"ipaSudoRunAsGroup\",\"(objectclass=posixGroup)\",\"cn\")")' # Change padding for host and userCategory so the pad returns the same value # as the original, '' or -. |