╤Є ├#xPc@sкddklZlZddklZlZlZddkTddklZddkl Z l Z e dГZde dГfZd ДZ d ДZdДZdДZd efdДГYZeieГdefdДГYZeieГdefdДГYZeieГdefdДГYZeieГdefdДГYZeieГdefdДГYZeieГdefdДГYZeieГdefdДГYZ eie Гde!fdДГYZ"eie"Гde#fd ДГYZ$eie$Гd!e!fd"ДГYZ%eie%Гd#e#fd$ДГYZ&eie&Гd%e!fd&ДГYZ'eie'Гd'e#fd(ДГYZ(eie(Гd)e!fd*ДГYZ)eie)Гd+e#fd,ДГYZ*eie*Гd-e!fd.ДГYZ+eie+Гd/e#fd0ДГYZ,eie,Гd1e!fd2ДГYZ-eie-Гd3e#fd4ДГYZ.eie.Гd5efd6ДГYZ/eie/Гd7efd8ДГYZ0eie0Гd9S(:i (tapiterrors(tStrtStrEnumtBool(t*(tis_all(t_tngettextsv Sudo Rules Sudo (su "do") allows a system administrator to delegate authority to give certain users (or groups of users) the ability to run some (or all) commands as root or another user while providing an audit trail of the commands and their arguments. FreeIPA provides a means to configure the various aspects of Sudo: Users: The user(s)/group(s) allowed to invoke Sudo. Hosts: The host(s)/hostgroup(s) which the user is allowed to to invoke Sudo. Allow Command: The specific command(s) permitted to be run via Sudo. Deny Command: The specific command(s) prohibited to be run via Sudo. RunAsUser: The user(s) or group(s) of users whose rights Sudo will be invoked with. RunAsGroup: The group(s) whose gid rights Sudo will be invoked with. Options: The various Sudoers Options that can modify Sudo's behavior. An order can be added to a sudorule to control the order in which they are evaluated (if the client supports it). This order is an integer and must be unique. FreeIPA provides a designated binddn to use with Sudo located at: uid=sudo,cn=sysaccounts,cn=etc,dc=example,dc=com To enable the binddn run the following command to set the password: LDAPTLS_CACERT=/etc/ipa/ca.crt /usr/bin/ldappasswd -S -W -h ipa.example.com -ZZ -D "cn=Directory Manager" uid=sudo,cn=sysaccounts,cn=etc,dc=example,dc=com For more information, see the FreeIPA Documentation to Sudo. tsudos+Commands for controlling sudo configurationcCs"tid|dtdГГВdS(Ntnameterrors this option has been deprecated.(RtValidationErrorR(t attribute((s;/usr/lib/python2.6/site-packages/ipalib/plugins/sudorule.pyt deprecated<scCstdГdS(Ntexternaluser(R(tugettexttvalue((s;/usr/lib/python2.6/site-packages/ipalib/plugins/sudorule.pytvalidate_externaluser?scCstdГdS(Ntrunasexternaluser(R(RR((s;/usr/lib/python2.6/site-packages/ipalib/plugins/sudorule.pytvalidate_runasextuserBscCstdГdS(Ntrunasexternalgroup(R(RR((s;/usr/lib/python2.6/site-packages/ipalib/plugins/sudorule.pytvalidate_runasextgroupEstsudorulec!Bs╩eZdZeiiZedГZedГZ ddgZ ddddd d ddd ddddddddgZdZdZ hddgd6ddgd 6ddgd6ddgd6ddgd6dgd6ZedГZedГZeddd d!ed"Гd#eГed$dd%d!ed&ГГed'd!ed(Гd)d*gГed+dd,d!ed-Гd.ed/Гd0dtГed2dd3d!ed4Гd.ed5Гd0duГed6dd7d!ed8Гd.ed9Гd0dvГed:dd;d!ed<Гd.ed=Гd0dwГed>dd?d!ed@Гd.edAГd0dxГedBddCd!edDГd.edEГdFdGdHdGГedId!edJГd)dKdLdMgГedNd!edOГd)dKdLdMgГedPd!edQГd)dKdLdMgГedRd!edSГd)dKdLdMgГedTd!edUГd)dKdLdMgГedVd!edWГd)dKdLdMgГedXd!edYГd)dKdLdMgГedZd!ed[Гd)dKdLdMgГed\d!ed]Гd.ed^Гd)dKdLdMgГed_d!ed`Гd.edaГd)dKdLdMgГedbeddd!edcГd.eddГГedeeddfd!edgГd.edhГГedieddjd!edkГd.edlГГedmd!ednГd)dKdLdMgГedod!edpГd.edqГd)dKdLdMgГefZedrГZdsДZRS(ys Sudo Rule object. s sudo rules sudo rulestipaassociationtipasudoruletcntipaenabledflagRtdescriptiontusercategorythostcategorytcmdcategoryt memberusert memberhosttmemberallowcmdt memberdenycmdt ipasudoopttipasudorunastipasudorunasgrouptipasudorunasusercategorytipasudorunasgroupcategoryt sudoordertipauniqueidtusertgroupthostt hostgrouptsudocmdtsudocmdgroups Sudo Ruless Sudo Ruletcli_namet sudorule_nametlabels Rule nametprimary_keysdescription?tdesctDescriptionsipaenabledflag?tEnabledtflagst no_options usercategory?tusercats User categorytdocs!User category the rule applies totvaluesualls hostcategory?thostcats Host categorys!Host category the rule applies toscmdcategory?tcmdcatsCommand categorys$Command category the rule applies tosipasudorunasusercategory?trunasusercatsRunAs User categorys'RunAs User category the rule applies tosipasudorunasgroupcategory?t runasgroupcatsRunAs Group categorys(RunAs Group category the rule applies tos sudoorder?torders Sudo ordersinteger to order the Sudo rulestdefaultitminvaluesmemberuser_user?tUserst no_createt no_updatet no_searchsmemberuser_group?sUser Groupssmemberhost_host?tHostssmemberhost_hostgroup?sHost Groupssmemberallowcmd_sudocmd?sSudo Allow Commandssmemberdenycmd_sudocmd?sSudo Deny Commandssmemberallowcmd_sudocmdgroup?sSudo Allow Command Groupssmemberdenycmd_sudocmdgroup?sSudo Deny Command Groupssipasudorunas_user?sRunAs Userss Run as a usersipasudorunas_group?sGroups of RunAs Userss(Run as any user within a specified groups externaluser?s External Users6External User the rule applies to (sudorule-find only)sipasudorunasextuser?RsRunAs External Users:External User the commands can run as (sudorule-find only)sipasudorunasextgroup?RsRunAs External Groups;External Group the commands can run as (sudorule-find only)sipasudoopt?sSudo Optionsipasudorunasgroup_group?sRunAs Groupss+Run with the gid of a specified POSIX groupsAorder must be a unique value (%(order)d already used by %(rule)s)cOsМd|jo{|iid|dГd}t|ГdjoG|ddd}tiddd|ih|dd6|d6ГВqИndS( NR)tresultiRR RARtrule(tmethodstfindtlenRRtorder_not_unique_msg(tselftkeystoptionstentriest rule_name((s;/usr/lib/python2.6/site-packages/ipalib/plugins/sudorule.pytcheck_order_uniquenessуs (uall(uall(uall(uall(uall(t__name__t __module__t__doc__Rtenvtcontainer_sudoruletcontainer_dnRtobject_nametobject_name_pluraltobject_classtdefault_attributestuuid_attributet rdn_attributetattribute_membersR3tlabel_singularRtTrueRRtIntRRRtexternal_host_paramttakes_paramsRNRT(((s;/usr/lib/python2.6/site-packages/ipalib/plugins/sudorule.pyRHsю tsudorule_addcBs)eZedГZdДZedГZRS(sCreate new Sudo Rule.cOs!|ii||Оd|d<|S(NtTRUER(tobjRT(ROtldaptdntentry_attrst attrs_listRPRQ((s;/usr/lib/python2.6/site-packages/ipalib/plugins/sudorule.pytpre_callback°s sAdded Sudo Rule "%(value)s"(RURVRRWRntmsg_summary(((s;/usr/lib/python2.6/site-packages/ipalib/plugins/sudorule.pyRgїs tsudorule_delcBs eZedГZedГZRS(sDelete Sudo Rule.sDeleted Sudo Rule "%(value)s"(RURVRRWRo(((s;/usr/lib/python2.6/site-packages/ipalib/plugins/sudorule.pyRpstsudorule_modcBs)eZedГZedГZdДZRS(sModify Sudo Rule.sModified Sudo Rule "%(value)s"cOsd|joМ|idГ}|iii|dГd}d|jo<t|ddГ} | |jo|ii||ОqХqЩ|ii||Оny"|i||iiГ\} }Wn&t i j o|ii|МnXt|dГo)d|jot i dtdГГВnt|d Гo)d |jot i dtdГГВnt|dГo0d pd|jot i dtdГГВnt|dГo)d|jot i dtdГГВnt|dГo)d|jot i dtdГГВn|S(NR)i RIiRR treasonsBuser category cannot be set to 'all' while there are allowed usersRR!sBhost category cannot be set to 'all' while there are allowed hostsRR"tmemberdenywcmdsNcommand category cannot be set to 'all' while there are allow or deny commandsR'R%s@user runAs category cannot be set to 'all' while there are usersR(R&sBgroup runAs category cannot be set to 'all' while there are groups(tgetRtCommandt sudorule_showtintRiRTt get_entryR^RtNotFoundthandle_not_foundRtMutuallyExclusiveErrorR(RORjRkRlRmRPRQt new_ordert old_entryt old_ordert_dnt_entry_attrs((s;/usr/lib/python2.6/site-packages/ipalib/plugins/sudorule.pyRns0 " (RURVRRWRoRn(((s;/usr/lib/python2.6/site-packages/ipalib/plugins/sudorule.pyRqst sudorule_findcBs&eZedГZedddГZRS(sSearch for Sudo Rule.s%(count)d Sudo Rule matcheds%(count)d Sudo Rules matchedi(RURVRRWRRo(((s;/usr/lib/python2.6/site-packages/ipalib/plugins/sudorule.pyRБ1sRvcBseZedГZRS(sDisplay Sudo Rule.(RURVRRW(((s;/usr/lib/python2.6/site-packages/ipalib/plugins/sudorule.pyRv;stsudorule_enablecBs&eZedГZdДZdДZRS(sEnable a Sudo Rule.cCsК|ii}|ii|Г}hdd6}y|i||ГWn;tij on'tij o|ii|ГnXtdt ГS(NRhRRI( Ritbackendtget_dntupdate_entryRtEmptyModlistRyRztdictRc(RORRjRkRl((s;/usr/lib/python2.6/site-packages/ipalib/plugins/sudorule.pytexecuteDs cCs|itdГ|ГdS(NsEnabled Sudo Rule "%s"(tprint_dashedR(ROttextuiRIR((s;/usr/lib/python2.6/site-packages/ipalib/plugins/sudorule.pytoutput_for_cliSs(RURVRRWRИRЛ(((s;/usr/lib/python2.6/site-packages/ipalib/plugins/sudorule.pyRВAs tsudorule_disablecBs&eZedГZdДZdДZRS(sDisable a Sudo Rule.cCsК|ii}|ii|Г}hdd6}y|i||ГWn;tij on'tij o|ii|ГnXtdt ГS(NtFALSERRI( RiRГRДRЕRRЖRyRzRЗRc(RORRjRkRl((s;/usr/lib/python2.6/site-packages/ipalib/plugins/sudorule.pyRИ\s cCs|itdГ|ГdS(NsDisabled Sudo Rule "%s"(RЙR(RORКRIR((s;/usr/lib/python2.6/site-packages/ipalib/plugins/sudorule.pyRЛks(RURVRRWRИRЛ(((s;/usr/lib/python2.6/site-packages/ipalib/plugins/sudorule.pyRМYs tsudorule_add_allow_commandcBs,eZedГZdgZdZdДZRS(s;Add commands and sudo command groups affected by Sudo Rule.R"s%i object added.s%i objects added.c Os{y"|i||iiГ\}}Wn&tij o|ii|МnXt|dГotidtdГГВn|S(NRRrs4commands cannot be added when command category='all'( RxRiR^RRyRzRR{R( RORjRktfoundt not_foundRPRQRRА((s;/usr/lib/python2.6/site-packages/ipalib/plugins/sudorule.pyRnws"(s%i object added.s%i objects added.(RURVRRWtmember_attributestmember_count_outRn(((s;/usr/lib/python2.6/site-packages/ipalib/plugins/sudorule.pyRОqs tsudorule_remove_allow_commandcBs#eZedГZdgZdZRS(s>Remove commands and sudo command groups affected by Sudo Rule.R"s%i object removed.s%i objects removed.(s%i object removed.s%i objects removed.(RURVRRWRСRТ(((s;/usr/lib/python2.6/site-packages/ipalib/plugins/sudorule.pyRУЕs tsudorule_add_deny_commandcBs,eZedГZdgZdZdДZRS(s;Add commands and sudo command groups affected by Sudo Rule.R#s%i object added.s%i objects added.c Os{y"|i||iiГ\}}Wn&tij o|ii|МnXt|dГotidtdГГВn|S(NRRrs4commands cannot be added when command category='all'( RxRiR^RRyRzRR{R( RORjRkRПRРRPRQRRА((s;/usr/lib/python2.6/site-packages/ipalib/plugins/sudorule.pyRnФs"(s%i object added.s%i objects added.(RURVRRWRСRТRn(((s;/usr/lib/python2.6/site-packages/ipalib/plugins/sudorule.pyRФОs tsudorule_remove_deny_commandcBs#eZedГZdgZdZRS(s>Remove commands and sudo command groups affected by Sudo Rule.R#s%i object removed.s%i objects removed.(s%i object removed.s%i objects removed.(RURVRRWRСRТ(((s;/usr/lib/python2.6/site-packages/ipalib/plugins/sudorule.pyRХбs tsudorule_add_usercBs5eZedГZdgZdZdДZdДZRS(s+Add users and groups affected by Sudo Rule.R s%i object added.s%i objects added.c OsНy"|i||iiГ\}}Wn&tij o|ii|МnXt|dГotidtdГГВnt d||||ГS(NRRrs.users cannot be added when user category='all'R+( RxRiR^RRyRzRR{Rtadd_external_pre_callback( RORjRkRПRРRPRQRRА((s;/usr/lib/python2.6/site-packages/ipalib/plugins/sudorule.pyRn░s"cOs%tddd|||||||Г S(NR R+R(tadd_external_post_callback(RORjt completedtfailedRkRlRPRQ((s;/usr/lib/python2.6/site-packages/ipalib/plugins/sudorule.pyt post_callback║s(s%i object added.s%i objects added.(RURVRRWRСRТRnRЫ(((s;/usr/lib/python2.6/site-packages/ipalib/plugins/sudorule.pyRЦкs tsudorule_remove_usercBs,eZedГZdgZdZdДZRS(s.Remove users and groups affected by Sudo Rule.R s%i object removed.s%i objects removed.cOs%tddd|||||||Г S(NR R+R(tremove_external_post_callback(RORjRЩRЪRkRlRPRQ((s;/usr/lib/python2.6/site-packages/ipalib/plugins/sudorule.pyRЫ╟s(s%i object removed.s%i objects removed.(RURVRRWRСRТRЫ(((s;/usr/lib/python2.6/site-packages/ipalib/plugins/sudorule.pyRЬ┴s tsudorule_add_hostcBs5eZedГZdgZdZdДZdДZRS(s/Add hosts and hostgroups affected by Sudo Rule.R!s%i object added.s%i objects added.c OsНy"|i||iiГ\}}Wn&tij o|ii|МnXt|dГotidtdГГВnt d||||ГS(NRRrs.hosts cannot be added when host category='all'R-( RxRiR^RRyRzRR{RRЧ( RORjRkRПRРRPRQRRА((s;/usr/lib/python2.6/site-packages/ipalib/plugins/sudorule.pyRn╘s"cOs%tddd|||||||Г S(NR!R-texternalhost(RШ(RORjRЩRЪRkRlRPRQ((s;/usr/lib/python2.6/site-packages/ipalib/plugins/sudorule.pyRЫ▐s(s%i object added.s%i objects added.(RURVRRWRСRТRnRЫ(((s;/usr/lib/python2.6/site-packages/ipalib/plugins/sudorule.pyRЮ╬s tsudorule_remove_hostcBs,eZedГZdgZdZdДZRS(s2Remove hosts and hostgroups affected by Sudo Rule.R!s%i object removed.s%i objects removed.cOs%tddd|||||||Г S(NR!R-RЯ(RЭ(RORjRЩRЪRkRlRPRQ((s;/usr/lib/python2.6/site-packages/ipalib/plugins/sudorule.pyRЫыs(s%i object removed.s%i objects removed.(RURVRRWRСRТRЫ(((s;/usr/lib/python2.6/site-packages/ipalib/plugins/sudorule.pyRахs tsudorule_add_runasusercBs5eZedГZdgZdZdДZdДZRS(s,Add users and groups for Sudo to execute as.R%s%i object added.s%i objects added.cOsvdД}y"|i||iiГ\}} Wn&tij o|ii|МnXt| dГpt| dГotidtdГГВnd|jo[xX|dD]H} || Гp5ti ddd t td ГГtd| ГГВqиqиWnd|jo[xX|dD]H} || Гp5ti ddd t tdГГtd| ГГВqqWntd||||ГS( NcSs(t|Г}|iГdjotStS(NuALL(tunicodetuppertFalseRc(trunastv((s;/usr/lib/python2.6/site-packages/ipalib/plugins/sudorule.pytcheck_validity∙sR'R(RrsCusers cannot be added when runAs user or runAs group category='all'R+R s runas-userRs3RunAsUser does not accept '%(name)s' as a user nameR,s4RunAsUser does not accept '%(name)s' as a group name( RxRiR^RRyRzRR{RRRвRЗRЧ(RORjRkRlRmRPRQRзRRАR ((s;/usr/lib/python2.6/site-packages/ipalib/plugins/sudorule.pyRnўs. " cOs%tddd|||||||Г S(NR%R+tipasudorunasextuser(RШ(RORjRЩRЪRkRlRPRQ((s;/usr/lib/python2.6/site-packages/ipalib/plugins/sudorule.pyRЫs(s%i object added.s%i objects added.(RURVRRWRСRТRnRЫ(((s;/usr/lib/python2.6/site-packages/ipalib/plugins/sudorule.pyRбёs tsudorule_remove_runasusercBs,eZedГZdgZdZdДZRS(s/Remove users and groups for Sudo to execute as.R%s%i object removed.s%i objects removed.cOs%tddd|||||||Г S(NR%R+Rи(RЭ(RORjRЩRЪRkRlRPRQ((s;/usr/lib/python2.6/site-packages/ipalib/plugins/sudorule.pyRЫ#s(s%i object removed.s%i objects removed.(RURVRRWRСRТRЫ(((s;/usr/lib/python2.6/site-packages/ipalib/plugins/sudorule.pyRйs tsudorule_add_runasgroupcBs5eZedГZdgZdZdДZdДZRS(s!Add group for Sudo to execute as.R&s%i object added.s%i objects added.cOsdД}y"|i||iiГ\}} Wn&tij o|ii|МnXt| dГpt| dГotidtdГГВnd|jo[xX|dD]H} || Гp5ti ddd t td ГГtd| ГГВqиqиWntd||||ГS(NcSs(t|Г}|iГdjotStS(NuALL(RвRгRдRc(RеRж((s;/usr/lib/python2.6/site-packages/ipalib/plugins/sudorule.pyRз2sR'R(RrsCusers cannot be added when runAs user or runAs group category='all'R,R srunas-groupRs5RunAsGroup does not accept '%(name)s' as a group name( RxRiR^RRyRzRR{RRRвRЗRЧ(RORjRkRlRmRPRQRзRRАR ((s;/usr/lib/python2.6/site-packages/ipalib/plugins/sudorule.pyRn0s " cOs%tddd|||||||Г S(NR&R,tipasudorunasextgroup(RШ(RORjRЩRЪRkRlRPRQ((s;/usr/lib/python2.6/site-packages/ipalib/plugins/sudorule.pyRЫIs(s%i object added.s%i objects added.(RURVRRWRСRТRnRЫ(((s;/usr/lib/python2.6/site-packages/ipalib/plugins/sudorule.pyRк*s tsudorule_remove_runasgroupcBs,eZedГZdgZdZdДZRS(s$Remove group for Sudo to execute as.R&s%i object removed.s%i objects removed.cOs%tddd|||||||Г S(NR&R,Rл(RЭ(RORjRЩRЪRkRlRPRQ((s;/usr/lib/python2.6/site-packages/ipalib/plugins/sudorule.pyRЫVs(s%i object removed.s%i objects removed.(RURVRRWRСRТRЫ(((s;/usr/lib/python2.6/site-packages/ipalib/plugins/sudorule.pyRмPs tsudorule_add_optioncBsGeZedГZeddddedГГfZdДZdДZRS(sAdd an option to the Sudo Rule.R$R1t sudooptionR3sSudo OptioncKs_|ii}|ii|Г}|diГptiГВn|i|dgГ\}}yC|d|djo!|idgГi|dГn ti ВWn0t j o$|idgГi|dГnXy|i||ГWn;tij on'tij o|ii |ГnX|ii}|i||d|iiГ\}}td|ГS(NR$t normalizeRI(RiRГRДtstripRRЖRxt setdefaulttappendtDuplicateEntrytKeyErrorRЕRyRzR^tnormalize_dnRЗ(RORRQRjRkRlRm((s;/usr/lib/python2.6/site-packages/ipalib/plugins/sudorule.pyRИgs. cKsM|itdГtd|dd|ГГtt|Гi||||ГdS(Ns1Added option "%(option)s" to Sudo Rule "%(rule)s"toptionR$RJ(RЙRRЗtsuperRнRЛ(RORКRIRRQ((s;/usr/lib/python2.6/site-packages/ipalib/plugins/sudorule.pyRЛЗs(RURVRRWRt takes_optionsRИRЛ(((s;/usr/lib/python2.6/site-packages/ipalib/plugins/sudorule.pyRн]s tsudorule_remove_optioncBsGeZedГZeddddedГГfZdДZdДZRS(s Remove an option from Sudo Rule.R$R1RоR3sSudo Optionc Ksh|ii}|ii|Г}|diГptiГВn|i|dgГ\}}yf|d|djo1|idgГi|dГ|i ||Гnti ddd|dГВWnhtj o }nUtj o#ti ddd|dГВn'ti j o|ii|ГnX|ii}|i||d|iiГ\}}td|ГS(NR$tattrRRпRI(RiRГRДR░RRЖRxR▒tremoveRЕtAttrValueNotFoundt ValueErrorR┤RyRzR^R╡RЗ(RORRQRjRkRlteRm((s;/usr/lib/python2.6/site-packages/ipalib/plugins/sudorule.pyRИЫs2 cKsM|itdГtd|dd|ГГtt|Гi||||ГdS(Ns5Removed option "%(option)s" from Sudo Rule "%(rule)s"R╢R$RJ(RЙRRЗR╖R╣RЛ(RORКRIRRQ((s;/usr/lib/python2.6/site-packages/ipalib/plugins/sudorule.pyRЛ╛s(RURVRRWRR╕RИRЛ(((s;/usr/lib/python2.6/site-packages/ipalib/plugins/sudorule.pyR╣Сs #N(1tipalibRRRRRtipalib.plugins.baseldaptipalib.plugins.hbacruleRRRRWttopicRRRRt LDAPObjectRtregistert LDAPCreateRgt LDAPDeleteRpt LDAPUpdateRqt LDAPSearchRБtLDAPRetrieveRvt LDAPQueryRВRМt LDAPAddMemberRОtLDAPRemoveMemberRУRФRХRЦRЬRЮRаRбRйRкRмRнR╣(((s;/usr/lib/python2.6/site-packages/ipalib/plugins/sudorule.pytsn к " ) # 1 2