security pre 022

Christian Stankowic edited this page May 18, 2017 · 3 revisions

Important security advice

In ipa-sudo-basic-rules.py version 0.2.2, several commands that can be used to fork a root shell were moved to the shells group. After installing the updated catalog, make sure to execute the following commands as an administrative IPA user:

$ ipa sudocmdgroup-remove-member filemgmt --sudocmds=/bin/more
$ ipa sudocmdgroup-remove-member filemgmt --sudocmds=/usr/bin/less
$ ipa sudocmdgroup-remove-member delegating --sudocmds=/usr/sbin/visudo
$ ipa sudocmdgroup-del delegating
$ ipa sudocmdgroup-remove-member usermgmt --sudocmds=/usr/sbin/vigr
$ ipa sudocmdgroup-remove-member usermgmt --sudocmds=/usr/sbin/vipw

These commands complete the move of the more, less, visudo, vigr and vipw commands to the shells group by removing them from their previous groups. This ensures that it is no longer possible to fork a root shell. All freeipa-stuff releases from version 0.1.0 to 0.2.1 are affected.
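
To confirm that the cleanup took effect, the following check can be run afterwards. It is an added example, not part of freeipa-stuff; the function names are hypothetical, and it assumes that `ipa sudocmdgroup-show` lists members as a comma-separated list on a line starting with "Member Sudo commands:".

```shell
#!/bin/sh
# Added example: check that the cleanup commands above took effect.
# Assumption: `ipa sudocmdgroup-show GROUP` prints members as a comma-separated
# list on a line starting with "Member Sudo commands:".

MOVED="/bin/more /usr/bin/less /usr/sbin/visudo /usr/sbin/vigr /usr/sbin/vipw"

# Reads `ipa sudocmdgroup-show` output on stdin and prints every moved command
# that is still listed as a member. Prints nothing if the group is clean.
leftover_members() {
    members=$(sed -n 's/^ *Member Sudo commands: *//p' |
        tr ',' '\n' | sed 's/^ *//; s/ *$//')
    for cmd in $MOVED; do
        if printf '%s\n' "$members" | grep -qxF -- "$cmd"; then
            printf '%s\n' "$cmd"
        fi
    done
}

# Queries the live server; needs a ticket for an administrative IPA user.
audit() {
    # Without a working session every lookup fails and would look "clean".
    ipa ping >/dev/null 2>&1 || { echo "ERROR: cannot reach IPA" >&2; return 2; }
    status=0
    for group in filemgmt usermgmt; do
        left=$(ipa sudocmdgroup-show "$group" 2>/dev/null | leftover_members)
        if [ -n "$left" ]; then
            echo "FAIL: $group still contains:" $left
            status=1
        fi
    done
    # The advisory deletes the delegating group, so it must no longer resolve.
    if ipa sudocmdgroup-show delegating >/dev/null 2>&1; then
        echo "FAIL: sudo command group delegating still exists"
        status=1
    fi
    return "$status"
}

if [ "${1:-}" = "--audit" ]; then
    audit && echo "OK: no shell-capable commands left in the old groups"
else
    # Constructed sample output (not from a real server) for an offline run.
    printf '%s\n' '  Sudo Command Group: filemgmt' \
        '  Member Sudo commands: /bin/cat, /bin/more, /usr/bin/less' |
        leftover_members
fi
```

Run it with `--audit` on a host with the `ipa` client; without arguments it only parses the constructed sample.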