Ok. It seems that /etc/sudoers has "Defaults " rule where I had no such rule in IPA. so after creating it seems secure_path is working now
вт, 3 сент. 2024 г. в 19:34, Alexander Bokovoy <[email protected]>: > > On Аўт, 03 вер 2024, alexey safonov via FreeIPA-users wrote: > >Hi, > > > >I've checked all related output in Google search and this mailing > >list, but still have no answer to a question, why secure_path option > >is ignored by IPA? > > > >here is what I have in IPA > > Sudo Option: !requiretty, !authenticate, > >secure_path=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin > > > >here is the output > > > >[aaa@bbbb ~]$ sudo printenv PATH > >/sbin:/bin:/usr/sbin:/usr/bin > > > >for some reason that path is only taken from /etc/sudoers file > > IPA LDAP is just a store for SUDO rules. The heavy lifting is done by > SSSD sudoers plugin. You can use > https://sssd.io/troubleshooting/sudo.html to generate SUDO and SSSD logs > and see whether a particular rule or options are present and sent to > SUDO for processing. > > > > -- > / Alexander Bokovoy > Sr. Principal Software Engineer > Security / Identity Management Engineering > Red Hat Limited, Finland > -- _______________________________________________ FreeIPA-users mailing list -- [email protected] To unsubscribe send an email to [email protected] Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/[email protected] Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
