On 11/13/2013 05:40 PM, Jakub Hrozek wrote:
On Wed, Nov 13, 2013 at 05:26:32PM +0100, David Kreuter wrote:
During our evaluation phase we're facing following problem. One particular user 
were granted sudo permission with the help of a sudo rule. The user can 
successfully access the host via SSH and switched to user root by using the 
sudo command, which was enabled for the user with the sudo rule. After that the 
sudo rule was disabled and the user tried to login again and switching to root 
was still possible.

After deleting the SSSD cache files and restarting the service sudo did not 
work anymore, as excepted.

How long does it take until the sudo rules are refreshed in SSSD cache? I know 
that there are three different refresh mechanism (full, smart, rule). Full and 
smart refresh mechanism are performed periodically dependent on the settings in 
SSSD configuration file and rule method should refresh the users's specific 
rules after each login, what apparently was not the case for my test scenario. 
Please correct me if i'm wrong. Of course I can set the interval for smart 
refresh to a minimum of 10 seconds, but this would cause a lot of traffic.

How can I configure SSSD to update the rules during each login of the user?

Hi David,

Pavel Brezina (CC-ed) would know for sure as he wrote the sudo
integration, but I think the trick could be to force the rules refresh
to run more often, as you noted, detecting the removed rules.

I'd suggest to lower the entry_cache_sudo_timeout to make the rules expire
faster which would trigger the rules refresh which, if it detected rules
were removed would trigger the full refresh.

Hi,
this is completely correct answer.

Currently there's no config option that would tie login and rules
refresh update.

And this sounds like a nice RFE :-)


_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Reply via email to