On Mon, Jul 14, 2014 at 02:33:48PM +0200, Pavel Březina wrote:
> From ed3093d513e54c377fcaf3234bc54e5143027da0 Mon Sep 17 00:00:00 2001
> From: Pavel Březina <pbrezina(a)redhat.com>
> Date: Mon, 14 Jul 2014 14:23:50 +0200
> Subject: [PATCH] sudo: fetch sudoRunAs attribute
>
> This attribute was used in pre 1.7 versions of sudo and it is now
> deprecated by sudoRunAsUser and sudoRunAsGroup. However, some users
> still use this attribute so we need to support it to ensure backward
> compatibility.
>
> This patch makes sure that this attribute is downloaded if present and
> provided to sudo. Sudo then decides how to handle it.
Good idea. In my testing, once there is both RunAsUser and RunAs, only
RunAsUser is read by sudo (which is what I'd expect).
> The new mapping option is not present in a man page since this
> attribute has been deprecated in sudo for a very long time.
This too.
>
> Resolves:
ACK. I tested with this record:
objectClass: sudoRole
objectClass: top
sudoUser: tuser
sudoHost: ALL
sudoCommand: /usr/bin/touch
cn: touchrule
sudoRunAs: jhrozek
sudoRunAsUser: lcl
I was able to run:
sudo -u lcl /usr/bin/touch /tmp/somefile
but not:
sudo -u jhrozek /usr/bin/touch /tmp/somefile
Once I removed sudoRunAsUser, I was able to run sudo as jhrozek.
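The precedence seen in the test above (sudoRunAsUser is honoured when both attributes are present; the deprecated sudoRunAs only matters when sudoRunAsUser is absent) turned into a small audit that an administrator could run over an LDIF export of the sudoers subtree to find rules that still rely on the legacy attribute. This is an added example, not code from the SSSD patch or from anyone in the thread. It assumes the behaviour reported in the test, uses a minimal LDIF reader (no line folding or base64 values), and the sample input is constructed: the record from the test plus two made-up rules.

```python
"""Find sudoRole entries that still use the deprecated sudoRunAs attribute.

Added example, not part of the SSSD patch or the mailing-list thread.
Assumed precedence (from the test in the thread): sudoRunAsUser wins when
both attributes are present; sudoRunAs is only a fallback. The LDIF below
is constructed sample data.
"""
from collections import defaultdict

# Constructed sample: the reviewer's record, a legacy-only rule, and a rule
# with no RunAs attribute at all.
SAMPLE_LDIF = """\
dn: cn=touchrule,ou=sudoers,dc=example,dc=com
objectClass: sudoRole
objectClass: top
sudoUser: tuser
sudoHost: ALL
sudoCommand: /usr/bin/touch
cn: touchrule
sudoRunAs: jhrozek
sudoRunAsUser: lcl

dn: cn=legacyrule,ou=sudoers,dc=example,dc=com
objectClass: sudoRole
objectClass: top
sudoUser: tuser
sudoHost: ALL
sudoCommand: /usr/bin/id
cn: legacyrule
sudoRunAs: jhrozek

dn: cn=norunas,ou=sudoers,dc=example,dc=com
objectClass: sudoRole
cn: norunas
sudoUser: tuser
sudoHost: ALL
sudoCommand: /usr/bin/id
"""


def parse_ldif(text):
    """Minimal LDIF reader: entries separated by blank lines, one
    'attr: value' per line, no folding and no '::' base64 values."""
    entries = []
    attrs = defaultdict(list)
    for raw in text.splitlines() + [""]:   # trailing "" flushes the last entry
        line = raw.rstrip()
        if not line:
            if attrs:
                entries.append(dict(attrs))
                attrs = defaultdict(list)
            continue
        if line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        attrs[name.strip()].append(value.strip())
    return entries


def effective_runas_user(entry):
    """Return (user, source) using the observed precedence: sudoRunAsUser,
    then the deprecated sudoRunAs, else None (attribute not set)."""
    if entry.get("sudoRunAsUser"):
        return entry["sudoRunAsUser"][0], "sudoRunAsUser"
    if entry.get("sudoRunAs"):
        return entry["sudoRunAs"][0], "sudoRunAs"
    return None, "unset"


def audit(ldif_text):
    """One report row per sudoRole entry: which RunAs user takes effect,
    where it came from, and whether the deprecated attribute is present
    (and, if so, whether sudoRunAsUser already shadows it)."""
    rows = []
    for entry in parse_ldif(ldif_text):
        if "sudoRole" not in entry.get("objectClass", []):
            continue
        user, source = effective_runas_user(entry)
        has_legacy = "sudoRunAs" in entry
        rows.append({
            "cn": entry.get("cn", ["?"])[0],
            "runas": user,
            "source": source,
            "has_deprecated": has_legacy,
            # shadowed: the legacy value is ignored by sudo but still lingers
            "shadowed": has_legacy and "sudoRunAsUser" in entry,
        })
    return rows


if __name__ == "__main__":
    for row in audit(SAMPLE_LDIF):
        flag = "DEPRECATED" if row["has_deprecated"] else "ok"
        if row["shadowed"]:
            flag += " (shadowed by sudoRunAsUser)"
        print(f"{row['cn']:12} runas={row['runas']!s:10} via {row['source']:14} {flag}")
```

Rows flagged as shadowed match the touchrule case in the test: the sudoRunAs value is fetched and handed to sudo but has no effect, which is why `sudo -u jhrozek` failed until sudoRunAsUser was removed. Rows flagged as deprecated but not shadowed are the ones whose behaviour depends on this patch.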