cleanup 024

Christian Stankowic edited this page May 18, 2017 · 2 revisions

In ipa-sudo-basic-rules.py version 0.2.4, several commands for displaying files were moved to new sections. The reason is that these utilities are not conventional shells, even though they can be used as one. Moving them to dedicated groups lets the administrator grant permissions at a finer granularity. It is advisable to enable these commands for sudo only with the noexec parameter.

When upgrading from an older version, make sure to clean up the (re)moved commands:

$ ipa sudocmdgroup-remove-member shells --sudocmds=/bin/more --sudocmds=/bin/vi --sudocmds=/bin/vim --sudocmds=/bin/view --sudocmds=/bin/find --sudocmds=/usr/bin/bzless --sudocmds=/usr/bin/bzmore --sudocmds=/usr/bin/lzless --sudocmds=/usr/bin/lzmore --sudocmds=/usr/bin/xzless --sudocmds=/usr/bin/xzmore --sudocmds=/usr/bin/zless --sudocmds=/usr/bin/zmore --sudocmds=/usr/sbin/vipw --sudocmds=/usr/sbin/vipw --sudocmds=/usr/sbin/visudo --sudocmds=/bin/more --sudocmds=/usr/bin/less
$ ipa sudocmdgroup-remove-member editors --sudocmds=/bin/rvi --sudocmds=/bin/rvim --sudocmds=/bin/rview
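
The following sketch is an added example, not part of ipa-sudo-basic-rules.py: it builds a cleanup call with duplicate paths dropped, then creates a sudo rule that allows a command group only with the noexec option. The rule name `pagers-noexec` and group name `pagers` are hypothetical placeholders; commands are only printed unless `APPLY=1` is set.

```shell
#!/bin/sh
# Added example. Dry run by default: commands are printed, not executed.
# Set APPLY=1 to run them against the IPA server (requires a Kerberos ticket).

# Print or execute a command, depending on APPLY.
run() {
    if [ "${APPLY:-0}" = "1" ]; then "$@"; else echo "$*"; fi
}

# Remove the given command paths from sudo command group $1.
# Duplicate paths are dropped so each member is requested once.
remove_members() {
    group=$1; shift
    seen=" "; args=""
    for p in "$@"; do
        case "$seen" in
            *" $p "*) continue ;;
        esac
        seen="$seen$p "
        args="$args --sudocmds=$p"
    done
    # $args is left unquoted on purpose so it splits into separate options.
    run ipa sudocmdgroup-remove-member "$group" $args
}

# Create sudo rule $1 that allows command group $2 only with noexec.
# Assigning users and hosts to the rule is left out here.
noexec_rule() {
    rule=$1; group=$2
    run ipa sudorule-add "$rule"
    run ipa sudorule-add-allow-command "$rule" --sudocmdgroups="$group"
    run ipa sudorule-add-option "$rule" --sudooption=noexec
}

# Constructed sample input with repeated paths.
remove_members shells /bin/more /bin/vi /usr/sbin/vipw /usr/sbin/vipw /bin/more
# Hypothetical rule and group names.
noexec_rule pagers-noexec pagers
```

sudo implements noexec by preloading wrappers for the exec family of functions, so it does not constrain statically linked binaries.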