Hello,

with IPA v4.10.0 on RHEL 9.1, the IPA servers are configured with the security 
profile ANSSI-BP-028 (high) which mandates the sudo Defaults 'noexec' (commands 
cannot execute subprocesses). Along with other restrictive Defaults, it has 
been set automatically by OpenSCAP during OS installation, in the /etc/sudoers 
file.

But there are quite a few situations where we need EXEC rights (typically some 
IPA utilities, such as ipa-healthcheck).

During the initial configuration of the systems we had a local 'install' user, 
in the wheel group, to which we gave blanket sudo EXEC rights. But now that 
IPA is up and running, I am struggling to configure a workaround for the 'noexec' 
Defaults for real operators managed by IPA.

I have tried three approaches, which all failed:

1) In an IPA sudo rule, configure Options to override the 'noexec' Defaults.
I tried with both
!noexec
-=noexec

but it had no effect and I did not see it listed in sudo -l, and noexec was 
still there.

2) In an IPA sudo command definition, add EXEC.
That is, I created an IPA sudo command with the value:
EXEC: ALL

but this command appeared with the : escaped by \:
(ALL : ALL) EXEC\: ALL

3) In an IPA sudo rule, use the 'ignore_local_sudoers' Option.
The sudoers man page says "If set via LDAP, parsing of /etc/sudoers will be 
skipped.  This is intended for Enterprises [...]". 
This could be an appropriate approach to reconstitute these Security Profile 
constraints centrally in IPA instead of locally, but the 'ignore_local_sudoers' 
Option does not seem to be picked up: sudo -l keeps showing the Defaults 
configured locally (including 'noexec').

Am I doing something wrong?
What would be the best approach to pursue?

More generally, I noticed that changes in the IPA sudo rules are not effective 
immediately, even after a logout/login.
Is there some caching? Or should I restart a service?
If I reboot the system, the changes are applied, but this is a bit heavy.

Thanks in advance!

Mathieu
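The following is an added audit helper, not code from the post, from FreeIPA or from sudo. It parses the text that `sudo -l` prints for an operator and answers the question the three attempts above are circling: for a given command, would sudo run it under noexec right now? It models two rules from sudoers(5): Defaults are applied in order (a later `!noexec` cancels an earlier `noexec`), and when several command entries match, the last match wins and its EXEC/NOEXEC tag overrides the Defaults. The two `sudo -l` samples are constructed; they differ only in the order of the operator's entries, which is enough to flip the result for ipa-healthcheck.

```python
import re
from typing import NamedTuple

# Constructed `sudo -l` samples (not from the original post). Both model a host
# where 'noexec' is set in Defaults; they differ only in entry order.
SAMPLE_EXEC_LAST = """\
Matching Defaults entries for operator on ipa1:
    !visiblepw, always_set_home, env_reset, noexec, requiretty,
    use_pty, secure_path=/usr/local/sbin\\:/usr/local/bin\\:/usr/sbin\\:/usr/bin

User operator may run the following commands on ipa1:
    (ALL : ALL) ALL
    (root) EXEC: /usr/bin/ipa-healthcheck
"""

# Same rules, but the blanket ALL entry comes after the tagged one.
SAMPLE_ALL_LAST = SAMPLE_EXEC_LAST.replace(
    "    (ALL : ALL) ALL\n    (root) EXEC: /usr/bin/ipa-healthcheck\n",
    "    (root) EXEC: /usr/bin/ipa-healthcheck\n    (ALL : ALL) ALL\n",
)


class Entry(NamedTuple):
    runas: str
    tags: frozenset
    commands: tuple


_ENTRY_RE = re.compile(r"^\((?P<runas>[^)]*)\)\s+(?P<rest>.+)$")
_TAG_RE = re.compile(r"^[A-Z_]+:$")  # EXEC:, NOEXEC:, NOPASSWD:, SETENV:, ...


def parse_entry(line):
    """Split one '(runas) [TAG: ...] cmd, cmd' line into its parts."""
    m = _ENTRY_RE.match(line)
    if not m:
        raise ValueError(f"unrecognised sudo -l command line: {line!r}")
    tokens = m.group("rest").split()
    tags = set()
    while tokens and _TAG_RE.match(tokens[0]):
        tags.add(tokens.pop(0).rstrip(":"))
    commands = tuple(c.strip() for c in " ".join(tokens).split(",") if c.strip())
    return Entry(m.group("runas"), frozenset(tags), commands)


def parse_sudo_l(text):
    """Return (defaults, entries) from `sudo -l` output.

    Defaults entries are comma-separated and may wrap over several indented
    lines; values containing commas are not handled by this simple splitter.
    """
    defaults, entries, section = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if raw.startswith("Matching Defaults entries"):
            section = "defaults"
        elif raw.startswith("User ") and "may run" in raw:
            section = "commands"
        elif not line:
            continue
        elif section == "defaults":
            defaults.extend(d.strip() for d in line.split(",") if d.strip())
        elif section == "commands":
            entries.append(parse_entry(line))
    return defaults, entries


def command_matches(entry, command):
    """Match on the command path only (sudo also compares arguments)."""
    path = command.split()[0]
    return any(c == "ALL" or c.split()[0] == path for c in entry.commands)


def effective_noexec(text, command):
    """True if sudo would run `command` with noexec, False if not, None if no
    entry permits it. Order rules follow sudoers(5): later Defaults override
    earlier ones, and the last matching command entry wins."""
    defaults, entries = parse_sudo_l(text)
    noexec = False
    for d in defaults:
        if d == "noexec":
            noexec = True
        elif d == "!noexec":
            noexec = False
    matches = [e for e in entries if command_matches(e, command)]
    if not matches:
        return None
    last = matches[-1]
    if "EXEC" in last.tags:
        return False
    if "NOEXEC" in last.tags:
        return True
    return noexec


if __name__ == "__main__":
    for name, sample in (("EXEC entry last", SAMPLE_EXEC_LAST),
                         ("ALL entry last", SAMPLE_ALL_LAST)):
        print(name, "-> ipa-healthcheck noexec:",
              effective_noexec(sample, "/usr/bin/ipa-healthcheck"))
```

Run it against real output (`sudo -l > out.txt`) before and after changing an IPA sudo rule: because it reads exactly what sudo sees on the host, it also shows whether a rule change has actually reached the client yet.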
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue
