Thank you for the advice.

On 26 April 2018 at 19:01, Jakub Hrozek <[email protected]> wrote:

> > On 26 Apr 2018, at 18:29, Morgan Cox via FreeIPA-users <[email protected]> wrote:
> >
> > Hi.
> >
> > I have a test freeipa server setup.
> >
> > It is generally working fine, however I have found one major issue.
> >
> > Even though a user only has 1 service enabled 'sshd' that user can su / su - to root.
> >
> > I can confirm I have deleted the allow_all HBAC rule, and can confirm generally rules are working.
> >
> > i.e. if I remove sshd from allowed services the user cannot login.
> >
> > Using ipa hbactest - sshd is granted, su is not
> >
> > Also I have tested the user cannot su / su - [non-root-user]
> >
> > ------------------
> > [mcox@ipaclient2 ~]$ su - mcox2
> > Password:
> > su: Permission denied
> > ------------------
> >
> > but they can su - (to root).
> >
> > When I su I see in /var/log/secure
> >
> > ----------------
> > Apr 26 17:26:28 ipaclient2 su: pam_unix(su:session): session opened for user root by mcox2(uid=1374400008)
> > ----------------
> >
> > Looking at the logs in /var/log/sssd when I su only the sssd_nss.log seems to grow
> >
> > debug_log = 9 is enabled
> >
> > --------------------------
> > (Thu Apr 26 17:27:52 2018) [sssd[nss]] [get_client_cred] (0x4000): Client creds: euid[0] egid[1374400008] pid[1759].
> > (Thu Apr 26 17:27:52 2018) [sssd[nss]] [setup_client_idle_timer] (0x4000): Idle timer re-set for client [0x55937ee13a10][21]
> > (Thu Apr 26 17:27:52 2018) [sssd[nss]] [accept_fd_handler] (0x0400): Client connected!
> > (Thu Apr 26 17:27:52 2018) [sssd[nss]] [sss_cmd_get_version] (0x0200): Received client version [1].
> > (Thu Apr 26 17:27:52 2018) [sssd[nss]] [sss_cmd_get_version] (0x0200): Offered version [1].
> > (Thu Apr 26 17:27:52 2018) [sssd[nss]] [nss_getby_name] (0x0400): Input name: root
> > (Thu Apr 26 17:27:52 2018) [sssd[nss]] [cache_req_set_plugin] (0x2000): CR #52: Setting "Initgroups by name" plugin
> > (Thu Apr 26 17:27:52 2018) [sssd[nss]] [cache_req_send] (0x0400): CR #52: New request 'Initgroups by name'
> > (Thu Apr 26 17:27:52 2018) [sssd[nss]] [cache_req_process_input] (0x0400): CR #52: Parsing input name [root]
> > (Thu Apr 26 17:27:52 2018) [sssd[nss]] [sss_parse_name_for_domains] (0x0200): name 'root' matched without domain, user is root
> > (Thu Apr 26 17:27:52 2018) [sssd[nss]] [cache_req_set_name] (0x0400): CR #52: Setting name [root]
> > (Thu Apr 26 17:27:52 2018) [sssd[nss]] [cache_req_select_domains] (0x0400): CR #52: Performing a multi-domain search
> > (Thu Apr 26 17:27:52 2018) [sssd[nss]] [cache_req_search_domains] (0x0400): CR #52: Search will check the cache and check the data provider
> > (Thu Apr 26 17:27:52 2018) [sssd[nss]] [cache_req_validate_domain_type] (0x2000): Request type POSIX-only for domain cpgbpc.local type POSIX is valid
> > (Thu Apr 26 17:27:52 2018) [sssd[nss]] [cache_req_set_domain] (0x0400): CR #52: Using domain [cpgbpc.local]
> > (Thu Apr 26 17:27:52 2018) [sssd[nss]] [cache_req_prepare_domain_data] (0x0400): CR #52: Preparing input data for domain [cpgbpc.local] rules
> > (Thu Apr 26 17:27:52 2018) [sssd[nss]] [cache_req_search_send] (0x0400): CR #52: Looking up [email protected]
> > (Thu Apr 26 17:27:52 2018) [sssd[nss]] [cache_req_search_ncache] (0x0400): CR #52: Checking negative cache for [[email protected]]
> > (Thu Apr 26 17:27:52 2018) [sssd[nss]] [sss_ncache_check_str] (0x2000): Checking negative cache for [NCE/USER/cpgbpc.local/[email protected]]
> > (Thu Apr 26 17:27:52 2018) [sssd[nss]] [cache_req_search_ncache] (0x0400): CR #52: [[email protected]] does not exist (negative cache)
> > (Thu Apr 26 17:27:52 2018) [sssd[nss]] [cache_req_process_result] (0x0400): CR #52: Finished: Not found
> > (Thu Apr 26 17:27:52 2018) [sssd[nss]] [nss_protocol_done] (0x4000): Sending reply: not found
> > (Thu Apr 26 17:27:54 2018) [sssd[nss]] [client_idle_handler] (0x2000): Terminating idle client [0x55937ee0faf0][22]
> > (Thu Apr 26 17:27:54 2018) [sssd[nss]] [client_close_fn] (0x2000): Terminated client [0x55937ee0faf0][22]
> > (Thu Apr 26 17:27:54 2018) [sssd[nss]] [client_idle_handler] (0x2000): Terminating idle client [0x55937ee12d80][23]
> > (Thu Apr 26 17:27:54 2018) [sssd[nss]] [client_close_fn] (0x2000): Terminated client [0x55937ee12d80][23]
> > --------------------------
> >
> > Can anyone help me prevent a user being able to su / su - to root ?
>
> You can't do this with IPA HBAC because root is not a user managed by IPA.
> The HBAC policies only control who you log in as, not the user you're
> logging from.
>
> I think if you want to prevent certain users from becoming root, you can
> use pam_wheel.so with the only_root parameter.
>
> > If it helps my /etc/pam.d/system-auth config is here :
> > https://pastebin.com/J3THY44c
> >
> > Regards
> >
> > _______________________________________________
> > FreeIPA-users mailing list -- [email protected]
> > To unsubscribe send an email to [email protected]
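Jakub's pam_wheel suggestion, worked through as an added example that is not part of this thread: a small Python audit that checks an /etc/pam.d/su file for an active, enforcing pam_wheel.so auth line, run over a constructed stock config (pam_wheel commented out, so any IPA user who knows root's password can su) and a hardened one. The stock layout, the group name "wheel" and the file contents are assumptions; the option is spelled root_only in the pam_wheel(8) man page, and it confines the wheel check to su targeting uid 0 so su to other accounts stays under HBAC.

```python
import re

# Constructed sample: a RHEL/CentOS-style /etc/pam.d/su (assumed layout) where
# both pam_wheel lines are commented out, so any user may attempt su to root.
STOCK_SU = """\
#%PAM-1.0
auth            sufficient      pam_rootok.so
# Uncomment the following line to implicitly trust users in the "wheel" group.
#auth           sufficient      pam_wheel.so trust use_uid
# Uncomment the following line to require a user to be in the "wheel" group.
#auth           required        pam_wheel.so use_uid
auth            substack        system-auth
account         include         system-auth
"""

# Hardened variant: only members of group "wheel" may su to uid 0; root_only
# (as documented in pam_wheel(8)) leaves su to other accounts to HBAC as before.
HARDENED_SU = re.sub(r"^#(auth\s+required\s+pam_wheel\.so use_uid)$",
                     r"\1 root_only group=wheel", STOCK_SU, flags=re.M)

# type, control (plain word or [bracketed]), module path, optional arguments
_PAM_LINE = re.compile(r"^(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")


def pam_wheel_restricts_root(config_text):
    """True if an active 'auth' line makes pam_wheel.so enforce group membership.
    Commented lines, 'trust' lines (a password bypass, not a restriction) and
    non-enforcing controls such as 'sufficient' or 'optional' do not count."""
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip().lstrip("-")  # drop comments, '-auth'
        if not line:
            continue
        m = _PAM_LINE.match(line)
        if not m:
            continue
        mtype, control, module, args = m.groups()
        if mtype != "auth" or not module.endswith("pam_wheel.so"):
            continue
        if "trust" in args.split():
            continue
        if control in ("required", "requisite"):
            return True
    return False


if __name__ == "__main__":
    for name, text in (("stock", STOCK_SU), ("hardened", HARDENED_SU)):
        print(f"{name:8s} su-to-root limited to wheel: {pam_wheel_restricts_root(text)}")
```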
