On Thu, 11 Jan 2024, Dmitry Krasov via FreeIPA-users wrote:
sssd_dom.loc.log
https://codeshare.io/qP8rYx
sssd_pam.log
https://codeshare.io/eVgexb
Is this user ('desktop') a member of any administrative groups?
(2024-01-11 15:01:26): [be[dom.loc]] [hbac_eval_user_element] (0x1000):
[RID#101] [2] groups for [[email protected]]
(2024-01-11 15:01:26): [be[dom.loc]] [hbac_eval_user_element] (0x1000):
[RID#101] Added group [ipausers] for user [desktop]
(2024-01-11 15:01:26): [be[dom.loc]] [hbac_eval_user_element] (0x1000):
[RID#101] Added group [desktop22043] for user [desktop]
....
(2024-01-11 15:01:26): [be[dom.loc]] [hbac_req_debug_print] (0x2000): [RID#98]
REQUEST:
(2024-01-11 15:01:26): [be[dom.loc]] [hbac_request_element_debug_print]
(0x2000): [RID#98] service [gdm-password]
(2024-01-11 15:01:26): [be[dom.loc]] [hbac_request_element_debug_print]
(0x2000): [RID#98] service_group (none)
(2024-01-11 15:01:26): [be[dom.loc]] [hbac_request_element_debug_print]
(0x2000): [RID#98] user [desktop]
(2024-01-11 15:01:26): [be[dom.loc]] [hbac_request_element_debug_print]
(0x2000): [RID#98] user_group:
(2024-01-11 15:01:26): [be[dom.loc]] [hbac_request_element_debug_print]
(0x2000): [RID#98] [ipausers]
(2024-01-11 15:01:26): [be[dom.loc]] [hbac_request_element_debug_print]
(0x2000): [RID#98] [desktop22043]
(2024-01-11 15:01:26): [be[dom.loc]] [hbac_request_element_debug_print]
(0x2000): [RID#98] targethost [desktop22043.dom.loc]
(2024-01-11 15:01:26): [be[dom.loc]] [hbac_request_element_debug_print]
(0x2000): [RID#98] targethost_group:
(2024-01-11 15:01:26): [be[dom.loc]] [hbac_request_element_debug_print]
(0x2000): [RID#98] [desktop22043]
(2024-01-11 15:01:26): [be[dom.loc]] [hbac_request_element_debug_print]
(0x2000): [RID#98] srchost_group (none)
(2024-01-11 15:01:26): [be[dom.loc]] [hbac_req_debug_print] (0x2000): [RID#98]
request time 2024-01-11 15:01:26
(2024-01-11 15:01:26): [be[dom.loc]] [hbac_rule_debug_print] (0x2000): [RID#98]
RULE [allow_all] [ENABLED]:
(2024-01-11 15:01:26): [be[dom.loc]] [hbac_rule_debug_print] (0x2000): [RID#98]
services:
(2024-01-11 15:01:26): [be[dom.loc]] [hbac_rule_element_debug_print] (0x2000):
[RID#98] category [0x1] [ALL]
(2024-01-11 15:01:26): [be[dom.loc]] [hbac_rule_debug_print] (0x2000): [RID#98]
users:
(2024-01-11 15:01:26): [be[dom.loc]] [hbac_rule_element_debug_print] (0x2000):
[RID#98] category [0x1] [ALL]
(2024-01-11 15:01:26): [be[dom.loc]] [hbac_rule_debug_print] (0x2000): [RID#98]
targethosts:
(2024-01-11 15:01:26): [be[dom.loc]] [hbac_rule_element_debug_print] (0x2000):
[RID#98] category [0x1] [ALL]
(2024-01-11 15:01:26): [be[dom.loc]] [hbac_rule_debug_print] (0x2000): [RID#98]
srchosts:
(2024-01-11 15:01:26): [be[dom.loc]] [hbac_rule_element_debug_print] (0x2000):
[RID#98] category [0x1] [ALL]
(2024-01-11 15:01:26): [be[dom.loc]] [hbac_evaluate] (0x0100): [RID#98] ALLOWED
by rule [allow_all].
It seems it is a member of only two groups.
From your previous log, polkit was unable to authorize access using its own
rules:
16:33:38 desktop22043.dom.loc polkitd(authority=local)[587]: Operator of
unix-session:4
FAILED to authenticate to gain authorization for action
org.fortinet.fortitray.quit for
unix-process:3948:18923 [sh -c pkexec /bin/bash
/opt/forticlient/stop-forticlient.sh]
(owned by unix-user:desktop)
IIRC, if you didn't modify them, polkit's default configuration is to
allow only administrative users to operate as another user
(allow_active=auth_admin in polkit actions, see
https://manpages.ubuntu.com/manpages/jammy/man8/polkit.8.html for
details). The meaning of an administrative user is defined in polkit
rules. For example, https://www.freeipa.org/page/Howto/FreeIPA_PolicyKit
describes how you can add a rule that matches a certain IPA group
(really, any group membership known on the system).
You can check which actions are allowed for your user 'desktop' by
running
$ pkaction
as that user in their logged-in session.
See
https://www.admin-magazine.com/Articles/Assigning-Privileges-with-sudo-and-PolicyKit
for a somewhat detailed explanation of how this all works -- this is general
enough to work with or without FreeIPA.
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
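As an added example (not part of the thread and not FreeIPA's or polkit's own code), here is how a polkit rules file spells out who the "administrative users" are, and how a group-based allow rule for the action in the log would look, with a tiny stand-in `polkit` object so the rule bodies can be exercised under Node against the two groups the sssd log shows for 'desktop'. The group names `admins` and `forticlient-operators` are assumptions.

```javascript
// Added example (not from the thread): a polkit rules file names "administrative
// users" with addAdminRule and can grant an action outright with addRule.
// `polkit` here is a small stand-in for the real engine so the rule bodies,
// written as they would go in /etc/polkit-1/rules.d/*.rules, run under Node.
// Groups "admins" and "forticlient-operators" are assumed; "ipausers" and
// "desktop22043" are the two groups from the sssd log.
const polkit = {
  Result: { YES: "yes", NO: "no", AUTH_ADMIN: "auth_admin" },
  _rules: [],
  _adminRules: [],
  addRule(fn) { this._rules.push(fn); },
  addAdminRule(fn) { this._adminRules.push(fn); },
};

// Admin rule: whose password satisfies an auth_admin prompt.
polkit.addAdminRule(function (action, subject) {
  return ["unix-group:admins"]; // assumed IPA group, as in the FreeIPA howto
});
// Ordinary rule: members of an assumed operator group get the action, no prompt.
polkit.addRule(function (action, subject) {
  if (action.id === "org.fortinet.fortitray.quit" &&
      subject.isInGroup("forticlient-operators")) {
    return polkit.Result.YES;
  }
});

// Evaluate as polkit(8) describes: the first addRule callback returning a
// non-undefined value decides; otherwise the action's implicit policy applies
// (auth_admin for an unmodified action) and the first admin rule returning a
// value names who may authenticate. canAuthSelf: do the subject's own
// credentials suffice?
function authorize(actionId, user, groups, implicitActive) {
  const subject = { user, isInGroup: (g) => groups.includes(g) };
  const action = { id: actionId };
  for (const rule of polkit._rules) {
    const r = rule(action, subject);
    if (r !== undefined) return { result: r, admins: [], canAuthSelf: r === polkit.Result.YES };
  }
  let admins = [];
  for (const rule of polkit._adminRules) {
    const r = rule(action, subject);
    if (r !== undefined) { admins = r; break; }
  }
  const canAuthSelf = admins.some((id) => id === "unix-user:" + user ||
    (id.startsWith("unix-group:") && groups.includes(id.slice("unix-group:".length))));
  return { result: implicitActive, admins, canAuthSelf };
}
// "desktop" is in ipausers and desktop22043 only, so the auth_admin prompt
// cannot be satisfied with their own password (matching the polkitd failure).
console.log(authorize("org.fortinet.fortitray.quit", "desktop",
  ["ipausers", "desktop22043"], polkit.Result.AUTH_ADMIN));
```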