Hi,

I could do,

auth required pam_wheel.so root_only use_uid

But I really want to do this with IPA, or I have to get on each server and add and remove admins by hand (hint: 300 servers)... that is the idea of something like IPA for me... do it once centrally.

I assume Simo's hint is,

sudo -i su - oracle

I will have to experiment.

regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272

________________________________________
From: [email protected] [[email protected]] on behalf of Erinn Looney-Triggs [[email protected]]
Sent: Tuesday, 17 July 2012 4:31 p.m.
To: [email protected]
Subject: Re: [Freeipa-users] stopping su -

On 07/16/2012 01:47 PM, Steven Jones wrote:
> Hi,
>
> OK, so to confirm this can't be done in a centralised way via IPA?
>
> In which case when setting a HBAC with sshd only why can't I su - oracle but I
> can su - root?
>
> regards
>
> Steven Jones
>
> Technical Specialist - Linux RHCE
>
> Victoria University, Wellington, NZ
>
> 0064 4 463 6272
>
> ________________________________________
> From: [email protected] [[email protected]] on
> behalf of Erinn Looney-Triggs [[email protected]]
> Sent: Tuesday, 17 July 2012 9:38 a.m.
> To: [email protected]
> Subject: Re: [Freeipa-users] stopping su -
>
> On 07/16/2012 01:32 PM, Steven Jones wrote:
>> I have created a sshd rule only for the HBAC, but I find a std user can
>> su - to root, is this correct behavior?
>>
>> How do I? or can I? stop this unless explicitly allowed?
>>
>> regards
>>
>> Steven Jones
>>
>> Technical Specialist - Linux RHCE
>>
>> Victoria University, Wellington, NZ
>>
>> 0064 4 463 6272
>>
>> _______________________________________________
>> Freeipa-users mailing list
>> [email protected]
>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>
>
> You need to control this via PAM. So for me I restrict su to only be
> allowed for members of the wheel group, from /etc/pam.d/su:
>
> auth required pam_wheel.so use_uid
>
> There are comments in the file that will get you where you want to go.
>
> -Erinn
>

I can't speak to whether it can or cannot be done centrally in any sort of authoritative way, might be possible there are HBAC settings for su, and I can't really answer your question about su'ing to oracle.

-Erinn
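An added example, not part of the thread and not FreeIPA project code: a POSIX shell checker for what a host's /etc/pam.d/su actually enforces, so the same test can be run over a fleet before trusting that su is locked down. It is run here against constructed sample files standing in for hosts with the stock file (pam_wheel lines commented out), Erinn's `auth required pam_wheel.so use_uid`, Steven's `root_only` variant, a `group=` variant, and the common slip of uncommenting the stock file's `sufficient ... trust` line instead of the `required` one. The function name `su_policy`, the sample file names and their contents are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Audit which pam_wheel rule, if any,
# an /etc/pam.d/su file enforces. Only an active (uncommented) line of the form
#   auth required|requisite pam_wheel.so ...
# restricts who may su. The stock file's other commented line,
#   auth sufficient pam_wheel.so trust use_uid
# does the opposite: it lets wheel members su without a password and restricts
# nobody, so it is deliberately NOT counted as a restriction below.

# su_policy FILE
#   prints one of:
#     unrestricted                 no enforcing pam_wheel line at all
#     restricted:GROUP             only members of GROUP may su to any account
#     restricted:GROUP:root_only   only GROUP may su to root; other targets
#                                  (e.g. su - oracle) are still allowed
#   returns 0 when su is restricted, 1 when it is not.
su_policy() {
    pamfile=$1
    rule=$(grep -E '^[[:space:]]*auth[[:space:]]+(required|requisite)[[:space:]]+pam_wheel\.so' "$pamfile" | head -n 1)
    if [ -z "$rule" ]; then
        echo "unrestricted"
        return 1
    fi
    group=wheel      # pam_wheel's default when no group= option is given
    suffix=""
    for opt in $rule; do
        case $opt in
            group=*)   group=${opt#group=} ;;
            root_only) suffix=":root_only" ;;
        esac
    done
    echo "restricted:$group$suffix"
    return 0
}

# Constructed sample files (assumed contents, modeled on the stock su file).
samples=$(mktemp -d)

# 1) stock file: both pam_wheel lines commented out, so anyone who knows the
#    target account's password can su (what the thread observed for su - root)
cat > "$samples/stock" <<'EOF'
#%PAM-1.0
auth		sufficient	pam_rootok.so
# Uncomment the following line to implicitly trust users in the "wheel" group.
#auth		sufficient	pam_wheel.so trust use_uid
# Uncomment the following line to require a user to be in the "wheel" group.
#auth		required	pam_wheel.so use_uid
auth		include		system-auth
EOF

# 2) Erinn's setting: only wheel members may su to any account
cat > "$samples/wheel_all" <<'EOF'
auth		sufficient	pam_rootok.so
auth		required	pam_wheel.so use_uid
auth		include		system-auth
EOF

# 3) Steven's variant: wheel required only for su to root
cat > "$samples/wheel_root_only" <<'EOF'
auth		sufficient	pam_rootok.so
auth		required	pam_wheel.so root_only use_uid
auth		include		system-auth
EOF

# 4) a site-specific group instead of wheel
cat > "$samples/dba_group" <<'EOF'
auth		sufficient	pam_rootok.so
auth		required	pam_wheel.so group=dbadmins use_uid
auth		include		system-auth
EOF

# 5) the trap: "trust" line uncommented, "required" line still commented
cat > "$samples/trust_only" <<'EOF'
auth		sufficient	pam_rootok.so
auth		sufficient	pam_wheel.so trust use_uid
#auth		required	pam_wheel.so use_uid
auth		include		system-auth
EOF

for f in stock wheel_all wheel_root_only dba_group trust_only; do
    printf '%-16s %s\n' "$f" "$(su_policy "$samples/$f")"
done
```

On a real host call `su_policy /etc/pam.d/su`; the return code makes it usable in a loop over hosts (`ssh "$h" ... || echo "$h unrestricted"`). Note that the two settings quoted in the thread differ in scope: Erinn's line blocks su to every account for non-wheel users, while the `root_only` variant blocks only su to root, which is consistent with a non-wheel user being refused `su - root` but still able to `su - oracle` with oracle's password.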
