|
Hi all, I created some hbac rule on freeipa-server 4.1.4 on Fedora 22 # ipa hbacrule-show testuser Rule name: testuser Enabled: TRUE Users: testuser Hosts: fedora23-server.blabla.bla Services: sshd Hence, " testuser" is only allowed using sshd on "fedora23-server". No surprise, this user is not allowed to use "su": # ipa hbactest --user testuser --host fedora23-server.blabla.bla --service su --------------------- Access granted: False (and yeah sshd is allowed) However, doing a "su" on the fedora23-server.blabla.bla, and giving the correct password, access is granted. This user is not a member of any other groups. HBAC Services like cron or console access are denied correctly since they are not in the HBAC service list. I noticed this behaviour also on IPA 4.1 (The Red Hat one) and several other ipa-clients (RHEL/CentoOS 6.x, 7.x) Shouldn't su or su -l be denied when not listed? Kind regards, Winny |
-- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
