Hi all,

I created some hbac rule on freeipa-server 4.1.4 on Fedora 22

# ipa hbacrule-show testuser
  Rule name: testuser
  Enabled: TRUE
  Users: testuser
  Hosts: fedora23-server.blabla.bla
  Services: sshd

Hence, " testuser"  is only allowed using sshd on "fedora23-server". No surprise, this user is not allowed to use "su":

# ipa hbactest --user testuser --host fedora23-server.blabla.bla --service su
Access granted: False

(and yeah sshd is allowed)

However, doing a "su"  on the
fedora23-server.blabla.bla, and giving the correct password, access is granted. This user is not a member of any other groups.
HBAC Services like cron or console access are denied correctly since they are not in the HBAC service list.

I noticed this behaviour also on IPA 4.1 (The Red Hat one) and several other ipa-clients (RHEL/CentoOS 6.x, 7.x)

Shouldn't su or su -l be denied when not listed?

Kind regards,


Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project

Reply via email to