Using FreeIPA on RHEL 9, I have sudo rules and an HBAC rule. The HBAC rules are there to disable all access to certain accounts on some machines. Testing with:

    ipa hbactest --service=sudo-i --user=user --host=host

I get the expected "Access granted: False" response, regardless of the choice of service or whether I use a short or fully-qualified hostname. Using ssh to connect to the host is blocked, as are attempts to log in with gnome, vnc etc., again matching my expectations.

However, when

    sudo -u user -i

is used on the host this just works regardless. There are sudo rules permitting the initial users (which aren't just root) to switch to the target user, but I would have expected the HBAC rule to apply and the login to be blocked.

ipa hbacsvc-find does list services like sudo and sudo-i, which would imply that sudo is supposed to support HBAC rules. At what stage is this supposed to be enforced? I would assume that pam_sss.so should be responsible for this. The pam configuration I have is unchanged from RHEL 9.4 defaults and does include pam_sss.so for all of auth, account, password and session. Do I need to change the configuration somewhere for HBAC rules to apply to the sudo-i service? Or am I misunderstanding something?

I'm aware that I could specify host restrictions in the sudo rule, but there are many of them and they apply to a mix of blocked and allowed accounts, so this is not trivial. And it would be duplicating what is already in the HBAC rule to block ssh, gdm, etc.

Thank you

Oliver Kiddle
--
_______________________________________________
FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org
To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-devel@lists.fedorahosted.org
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
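The message assumes that pam_sss.so in the PAM account stack is where an HBAC decision for sudo-i would be enforced. On RHEL 9 the sudo-i service file does not list modules directly; it reaches pam_sss.so only through a chain of include lines (sudo-i -> sudo -> system-auth), so the first thing to verify on an affected host is what the effective account stack for that service actually contains. The script below is an added example, not part of the original message or of FreeIPA; it resolves include/substack directives and reports the modules consulted in the account phase. The pam.d files it creates are constructed to mirror the RHEL 9 default layout (plus one deliberately broken stack for contrast); on a real host you would point it at /etc/pam.d instead.

```shell
#!/bin/sh
# Resolve the effective PAM "account" stack of a service, following
# include/substack directives the way pam(8) does, and report whether
# pam_sss.so is consulted at all. Added example, not FreeIPA's own code.

effective_account_stack() {
    # $1 = pam.d directory, $2 = service name, $3 = recursion depth guard.
    dir=$1; svc=$2; depth=${3:-0}
    [ "$depth" -lt 16 ] || { echo "include loop at $svc" >&2; return 1; }
    [ -f "$dir/$svc" ] || { echo "missing $dir/$svc" >&2; return 1; }
    # For each account line emit either "INCLUDE <file>" or "<service> <module>".
    # The module is the first field ending in .so, which copes with bracketed
    # controls such as "[default=bad success=ok user_unknown=ignore]".
    awk -v svc="$svc" '
        /^[[:space:]]*#/ || NF == 0 { next }
        $1 == "account" || $1 == "-account" {
            if ($2 == "include" || $2 == "substack") { print "INCLUDE", $3; next }
            for (i = 2; i <= NF; i++) if ($i ~ /\.so$/) { print svc, $i; break }
        }' "$dir/$svc" |
    while read -r kind name; do
        if [ "$kind" = INCLUDE ]; then
            effective_account_stack "$dir" "$name" $((depth + 1))
        else
            printf '%s %s\n' "$kind" "$name"
        fi
    done
}

# Exit 0 if pam_sss.so appears anywhere in the effective account stack, 1 otherwise.
has_pam_sss_account() {
    effective_account_stack "$1" "$2" | grep ' pam_sss\.so$' >/dev/null
}

# Number of module lines in the effective account stack (for reporting).
account_stack_depth() {
    effective_account_stack "$1" "$2" | awk 'END { print NR }'
}

# --- constructed sample pam.d directory, modelled on RHEL 9 defaults ---
demo_dir=$(mktemp -d)
cat > "$demo_dir/system-auth" <<'EOF'
account     required      pam_unix.so
account     sufficient    pam_localuser.so
account     sufficient    pam_usertype.so issystem
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
account     required      pam_permit.so
EOF
cat > "$demo_dir/sudo" <<'EOF'
auth       include      system-auth
account    include      system-auth
password   include      system-auth
session    include      system-auth
EOF
cat > "$demo_dir/sudo-i" <<'EOF'
auth       include      sudo
account    include      sudo
password   include      sudo
session    include      sudo
EOF
# Deliberately broken stack for contrast: pam_sss.so never runs in the account phase,
# so no HBAC decision could be made here no matter what the rules say.
cat > "$demo_dir/sudo-nosss" <<'EOF'
account    required     pam_unix.so
account    required     pam_permit.so
EOF

for svc in sudo-i sudo-nosss; do
    echo "== effective account stack for $svc =="
    effective_account_stack "$demo_dir" "$svc"
    if has_pam_sss_account "$demo_dir" "$svc"; then
        echo "$svc: pam_sss.so is consulted in the account phase"
    else
        echo "$svc: pam_sss.so is NOT in the account phase"
    fi
done
```

The script only tells you whether SSSD gets a say in the account phase of the service; it does not evaluate HBAC rules itself. Run it against /etc/pam.d on a host where sudo -i behaves unexpectedly, and compare the result with the output of the ipa hbactest call quoted above for the same service name.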