Sean Hogan wrote:
> Hi Rob,
>
> Thanks for the suggestion. I think that is what I have though. The
> sudorule applied for this user does not have sudo as an avail command
> unless it picks up /usr/bin/sudo -u user -i which I was thinking would
> only allow sudoing to user.
> HBAC services I have for the user has sudo and no sudo -i.
> Services
> sshd
> login
> gdm
> gdm-password
> kdm
> su
> su-l
> vsftpd
> sudo
>
> Sudo Rule
> *Sudo Allow Commands*: /sbin/iptables, /sbin/service,
> /bin/view, /bin/bash, /bin/netstat, /usr/bin/sudo -u user -i, /bin/cat
> *Sudo Deny Commands*: /usr/bin/sudo -i, /usr/bin/sudo-i, /usr/bin/sudo
> -u root -i
>
> Unfortunately I am really stumped on this one.

You probably have the allow_all HBAC rule enabled. If sudo-i isn't
allowed in HBAC then the pam service shouldn't be allowed at all.

I'd suggest you bump up the sssd debug level to better see what is
happening.

rob

> From: Rob Crittenden <[email protected]>
> To: Sean Hogan/Durham/IBM@IBMUS, [email protected]
> Date: 12/02/2015 04:26 PM
> Subject: Re: [Freeipa-users] Sudo question
>
> ------------------------------------------------------------------------
>
> Sean Hogan wrote:
>> Hi All,
>>
>> I have a significant amount of time on this and hoping some of you might
>> have an idea. I want to limit user bob from getting to a root prompt on
>> this test box.
>> It seems to work until bob is able to run a command he is allowed via
>> sudo such as cat. Sudo -i is on the deny command list in IPA and root is
>> local (not in IPA) with
>> nsswitch pointing to files first then sss.
>>
>> So logged on as user bob, first thing attempted was sudo -i which
>> produces wrong pw message even though it is the correct pw but it is
>> denying so fine. Then I issue sudo cat /etc/sysconfig/iptables
>> and it allows it after I enter bob's pw which is fine. However right
>> after that I try sudo -i again and get root prompt which is not good. I
>> am thinking since root is local and files first then once I sudo up root
>> is avail.
>> Any suggestions are welcome
>
> I think you are better off using an HBAC rule to only grant sudo and not
> sudo -i.
>
> rob
>
>> *[me@mine ~]$ ssh bob@server*
>> bob@server's password:
>> Last login: Time: from IP
>> Internal systems must only be used for conducting company business or
>> for purposes authorized by company management
>> Use is subject to audit at any time by company management
>> *[bob@server ~]$ sudo -i*
>> [sudo] password for bob:
>> Sorry, try again.
>> *[bob@server ~]$ sudo -i*
>> [sudo] password for bob:
>> Sorry, try again.
>> [sudo] password for bob:
>> Sorry, try again.
>> [sudo] password for bob:
>> sudo: 2 incorrect password attempts
>> *[bob@server ~]$ sudo cat /etc/sysconfig/iptables*
>> [sudo] password for bob:
>> # Firewall configuration written by system-config-firewall
>> # Manual customization of this file is not recommended.
>> *filter
>> *[bob@server ~]$ sudo -i*
>> *server.example.local:/root# cat /etc/sysconfig/iptables*
>> # Firewall configuration written by system-config-firewall
>> # Manual customization of this file is not recommended.
>> *filter
>>
>> ipa sudorule-show bob
>> Rule name: bob
>> Description: test sudo rule for user bob
>> Enabled: TRUE
>> Host category: all
>> Users: bob
>> Sudo Allow Commands: /sbin/iptables, /sbin/service, /bin/view,
>> /bin/bash, /bin/netstat, /usr/bin/sudo -u user -i, /bin/cat
>> Sudo Deny Commands: /usr/bin/sudo -i, /usr/bin/sudo-i, /usr/bin/sudo -u
>> root -i
>>
>> Is it just me or is white space ignored as well with sudo commands much
>> like the sudo options?
>>
>> Sean Hogan
>> Security Engineer
>> Watson Security & Risk Assurance
>> Watson Cloud Technology and Support
>> email: [email protected] | Tel 919 486 1397

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
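Added example (not from the thread, and not FreeIPA's own tooling): a small audit script that parses the `ipa sudorule-show bob` listing quoted above and flags the two properties of that rule which sudoers(5) command matching treats differently from how the rule reads. The sample listing is constructed from the thread; `ROOT_LOGIN_SHELL` is an assumption about root's shell on the target host. The two checks rest on documented sudo behaviour: a rule entry is matched against the program sudo is asked to run, and for `sudo -i` or `sudo -s` with no command that program is the target user's login shell, so an entry naming `/usr/bin/sudo -i` matches only a nested invocation of the sudo binary, never `sudo -i` itself, while an allow entry naming an interactive shell grants that shell. Whether this is what produced the root prompt in the session above is for the sssd debug log to confirm, as Rob suggests; the script only reports what the rule text permits.

```python
"""Audit an `ipa sudorule-show` listing for entries that do not express the
policy their author intended.  Added example; not part of FreeIPA."""
import os
import shlex

# Constructed sample: the listing quoted in the thread, reflowed onto one
# line per field (the real output wraps long fields across lines).
SAMPLE_LISTING = """\
Rule name: bob
Description: test sudo rule for user bob
Enabled: TRUE
Host category: all
Users: bob
Sudo Allow Commands: /sbin/iptables, /sbin/service, /bin/view, /bin/bash, /bin/netstat, /usr/bin/sudo -u user -i, /bin/cat
Sudo Deny Commands: /usr/bin/sudo -i, /usr/bin/sudo-i, /usr/bin/sudo -u root -i
"""

# Interactive shells: an allow entry naming one of these grants a root shell.
SHELLS = {"/bin/bash", "/bin/sh", "/bin/zsh", "/bin/ksh", "/bin/csh",
          "/bin/tcsh", "/usr/bin/bash", "/usr/bin/sh", "/usr/bin/zsh"}

# Assumption: root's login shell on the host, i.e. what `sudo -i` is matched as.
ROOT_LOGIN_SHELL = "/bin/bash"

COMMAND_FIELDS = ("Sudo Allow Commands", "Sudo Deny Commands")


def parse_sudorule(text):
    """Parse key/value lines of `ipa sudorule-show` into a dict.  The two
    command fields become lists, split on commas with or without a following
    space (both spellings occur in the thread)."""
    rule = {}
    for raw in text.splitlines():
        key, sep, value = raw.strip().partition(":")
        if not sep:
            continue
        key, value = key.strip(), value.strip()
        if key in COMMAND_FIELDS:
            rule[key] = [c.strip() for c in value.split(",") if c.strip()]
        else:
            rule[key] = value
    return rule


def _names_sudo_binary(entry):
    """True when the entry's program is sudo itself (or a typo such as sudo-i)."""
    argv = shlex.split(entry)
    if not argv:
        return False
    base = os.path.basename(argv[0])
    return base == "sudo" or base.startswith("sudo-")


def audit(rule, root_shell=ROOT_LOGIN_SHELL):
    """Return (finding, entry) pairs for entries that do not do what they say."""
    findings = []
    allow = rule.get("Sudo Allow Commands", [])
    deny = rule.get("Sudo Deny Commands", [])

    for entry in deny:
        if _names_sudo_binary(entry):
            # sudoers matches the program sudo is asked to run; for `sudo -i`
            # that is the target user's shell, so this entry never matches it.
            findings.append(("deny-names-sudo-binary-not-shell", entry))

    allowed_programs = set()
    for entry in allow:
        argv = shlex.split(entry)
        if not argv:
            continue
        allowed_programs.add(argv[0])
        if argv[0] in SHELLS:
            findings.append(("allow-grants-interactive-shell", entry))
        if _names_sudo_binary(entry):
            # Permits running the sudo binary as root, which is rarely intended.
            findings.append(("allow-names-sudo-binary", entry))

    if root_shell in allowed_programs:
        # `sudo -i` is matched as root's shell, and that shell is allowed.
        findings.append(("sudo-i-effectively-allowed", root_shell))
    return findings


def audit_listing(text, root_shell=ROOT_LOGIN_SHELL):
    """Convenience wrapper: parse a listing and audit it in one call."""
    return audit(parse_sudorule(text), root_shell)


if __name__ == "__main__":
    for code, entry in audit_listing(SAMPLE_LISTING):
        print(f"{code}: {entry}")
```

Run against the quoted rule it reports all three deny entries as naming the sudo binary, `/bin/bash` as an allowed interactive shell, and, under the root-shell assumption, `sudo -i` as effectively allowed; passing a different `root_shell` shows how the last finding depends on the host's `/etc/passwd` entry for root.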
