On Mon, Nov 23, 2015 at 04:55:31PM +0100, Winfried de Heiden wrote:
>    Hi all,
>    I created some hbac rule on freeipa-server 4.1.4 on Fedora 22
>    # ipa hbacrule-show testuser
>      Rule name: testuser
>      Enabled: TRUE
>      Users: testuser
>      Hosts: fedora23-server.blabla.bla
>      Services: sshd
>    Hence, " testuser"  is only allowed using sshd on "fedora23-server". No
>    surprise, this user is not allowed to use "su":
>    # ipa hbactest --user testuser --host fedora23-server.blabla.bla --service
>    su
>    ---------------------
>    Access granted: False
>    (and yeah sshd is allowed)
>    However, doing a "su"  on the fedora23-server.blabla.bla, and giving the
>    correct password, access is granted. This user is not a member of any
>    other groups.
>    HBAC Services like cron or console access are denied correctly since they
>    are not in the HBAC service list.
>    I noticed this behaviour also on IPA 4.1 (The Red Hat one) and several
>    other ipa-clients (RHEL/CentoOS 6.x, 7.x)
>    Shouldn't su or su -l be denied when not listed?

Yes, and in my testing with a similar rule:

$ ipa hbacrule-show allow_sshd
  Rule name: allow_sshd
  Enabled: TRUE
  Users: admin
  Hosts: client.ipa.test
  Services: sshd

admin can ssh to client.ipa.test but it's not possible to su to admin.

Please follow https://fedorahosted.org/sssd/wiki/Troubleshooting and check
/var/log/secure and the sssd logs.

Also, you're not calling su as root, are you?

Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project

Reply via email to