[Freeipa-users] Re: Order of sudo rule precedence when all rules have undefined order values?

Hi -- We have a number of sudo rules configured that conflict with each other with no defined "Sudo Order" value. Notably, there is a rule that gives some users sudo on all IPA hosts, a rule that gives a smaller subset of users sudo on host group A, and a rule that gives a smaller subset of users sudo on host group B. We are seeing inconsistent sudo behavior between host groups A and B when a user is a member of the "sudo on all hosts" rule but not the smaller subset of users for either of the two host groups -- the user in the "sudo on all hosts" rule is able to sudo on hosts in hostgroup A despite not being in the more narrowly defined sudo rule, but they are not able to sudo on hosts in hostgroup B. What is the expected order of precedence here? Is this a race condition or is there some deterministic logic that is consistently applied to break the tie between rules with undefined sudo order values? We do plan on assigning order values to all rules to make this more explicit, but it would help to understand what the expected behavior is here until we are able to implement those changes. A pointer to the code where this is handled would be helpful as well, I wasn't able to find it easily. Thanks! _______________________________________________ FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho... Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure