Hi,

OK, so to confirm, this can't be done in a centralised way via IPA?

In which case, when setting an HBAC with sshd only, why can't I su - oracle but I 
can su - root?

regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272

________________________________________
From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on 
behalf of Erinn Looney-Triggs [erinn.looneytri...@gmail.com]
Sent: Tuesday, 17 July 2012 9:38 a.m.
To: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] stopping su -

On 07/16/2012 01:32 PM, Steven Jones wrote:
> I have created a sshd rule only for the HBAC, but I find a std user can
> su - to root, is this correct behavior?
>
> How do I? or can I?  stop this unless explicitly allowed?
>
> regards
>
> Steven Jones
>
> Technical Specialist - Linux RHCE
>
> Victoria University, Wellington, NZ
>
> 0064 4 463 6272
>
>
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users@redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users
>


You need to control this via PAM. So for me I restrict su to only be
allowed for members of the wheel group, from /etc/pam.d/su:

auth    required        pam_wheel.so    use_uid

There are comments in the file that will get you where you want to go.

-Erinn
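
A quick audit of the setting described above, as an added example that is not part of the original thread: it reports whether a PAM service file has an active `auth required pam_wheel.so` line or only a commented-out one. The function name `su_wheel_status` is hypothetical and the sample file content is constructed.

```sh
# Added example: report whether a PAM service file restricts su to wheel members.
# Prints one of: enforced | unenforced | commented | missing
su_wheel_status() {
    awk '
        # Commented-out pam_wheel line: present in the file but inactive.
        /^[[:space:]]*#/ { if ($0 ~ /pam_wheel\.so/) commented = 1; next }
        # Active line: fields are  type  control  module  [args...]
        $0 ~ /pam_wheel\.so/ {
            type = $1; sub(/^-/, "", type)
            if (type != "auth") next
            deny = 0
            for (i = 4; i <= NF; i++) if ($i == "deny") deny = 1
            if (($2 == "required" || $2 == "requisite") && $3 ~ /pam_wheel\.so$/ && !deny)
                enforced = 1      # non-wheel users fail the auth stack
            else
                unenforced = 1    # e.g. "sufficient ... trust" restricts nobody
        }
        END {
            if (enforced)        print "enforced"
            else if (unenforced) print "unenforced"
            else if (commented)  print "commented"
            else                 print "missing"
        }
    ' "$1"
}

# Constructed sample: an su service file with both pam_wheel lines commented out.
sample=$(mktemp)
cat > "$sample" <<'EOF'
#%PAM-1.0
auth        sufficient  pam_rootok.so
#auth       sufficient  pam_wheel.so trust use_uid
#auth       required    pam_wheel.so use_uid
auth        include     system-auth
EOF
echo "before: $(su_wheel_status "$sample")"
# Uncomment only the "required" line, as in the reply above.
sed 's/^#\(auth[[:space:]]*required[[:space:]]*pam_wheel\)/\1/' "$sample" > "$sample.fixed"
echo "after:  $(su_wheel_status "$sample.fixed")"
rm -f "$sample" "$sample.fixed"
```

On a real host, point the function at `/etc/pam.d/su`.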


