On Mon, Nov 23, 2015 at 05:16:26PM +0100, Jakub Hrozek wrote:
> On Mon, Nov 23, 2015 at 04:55:31PM +0100, Winfried de Heiden wrote:
> > Hi all,
> >
> > I created some hbac rule on freeipa-server 4.1.4 on Fedora 22
> >
> > # ipa hbacrule-show testuser
> >   Rule name: testuser
> >   Enabled: TRUE
> >   Users: testuser
> >   Hosts: fedora23-server.blabla.bla
> >   Services: sshd
> >
> > Hence, "testuser" is only allowed using sshd on "fedora23-server". No
> > surprise, this user is not allowed to use "su":
> >
> > # ipa hbactest --user testuser --host fedora23-server.blabla.bla --service su
> > ---------------------
> > Access granted: False
> >
> > (and yeah sshd is allowed)
> >
> > However, doing a "su" on the fedora23-server.blabla.bla, and giving the
> > correct password, access is granted. This user is not a member of any
> > other groups.
> > HBAC Services like cron or console access are denied correctly since they
> > are not in the HBAC service list.
> >
> > I noticed this behaviour also on IPA 4.1 (the Red Hat one) and several
> > other ipa-clients (RHEL/CentOS 6.x, 7.x).
> >
> > Shouldn't su or su -l be denied when not listed?
>
> Yes, and in my testing with a similar rule:
>
> $ ipa hbacrule-show allow_sshd
>   Rule name: allow_sshd
>   Enabled: TRUE
>   Users: admin
>   Hosts: client.ipa.test
>   Services: sshd
>
> admin can ssh to client.ipa.test but it's not possible to su to admin.
>
> Please follow https://fedorahosted.org/sssd/wiki/Troubleshooting and check
> /var/log/secure and the sssd logs.
>
> Also, you're not calling su as root, are you?
Have you disabled the allow_all rule?

bye,
Sumit

>
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project
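The reason Sumit's question matters is the evaluation model behind HBAC: rules are allow-only, any enabled rule that matches user, host and PAM service grants access, and a category of "all" matches every value. The default allow_all rule that FreeIPA ships enabled therefore grants su (and everything else) no matter how narrow the testuser rule is. The script below is an added example, not FreeIPA or SSSD code; it is an offline model of that documented semantics over constructed rules that mirror the thread (the testuser rule from the post plus a default-style allow_all rule), so it can be run without an IPA server. Rule and host names, the group-membership dicts and the hbactest() helper are all constructed for the example.

```python
"""Offline model of FreeIPA HBAC rule evaluation (added example, not
FreeIPA or SSSD code). Reproduces only the documented semantics:

  * HBAC rules are allow rules; there is no deny rule.
  * Access is granted when at least one ENABLED rule matches the user,
    the host and the PAM service; otherwise it is denied.
  * A usercategory/hostcategory/servicecategory of "all" matches anything.
  * Membership may be direct or via a group / hostgroup / service group.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

ALL = "all"  # category value FreeIPA uses for "match everything"
Memberships = Dict[str, Set[str]]  # value -> set of groups it belongs to


@dataclass
class HbacRule:
    name: str
    enabled: bool = True
    users: Set[str] = field(default_factory=set)
    groups: Set[str] = field(default_factory=set)
    hosts: Set[str] = field(default_factory=set)
    hostgroups: Set[str] = field(default_factory=set)
    services: Set[str] = field(default_factory=set)
    servicegroups: Set[str] = field(default_factory=set)
    usercategory: Optional[str] = None
    hostcategory: Optional[str] = None
    servicecategory: Optional[str] = None


def _dimension_matches(category: Optional[str], direct: Set[str],
                       via_groups: Set[str], value: str,
                       memberships: Memberships) -> bool:
    """One dimension (user, host or service) of a rule matches if the
    category is 'all', the value is listed directly, or the value is a
    member of one of the rule's groups."""
    if category == ALL:
        return True
    if value in direct:
        return True
    return bool(via_groups & memberships.get(value, set()))


def rule_matches(rule: HbacRule, user: str, host: str, service: str,
                 user_groups: Memberships, host_groups: Memberships,
                 service_groups: Memberships) -> bool:
    """A disabled rule never matches; an enabled one needs all three."""
    if not rule.enabled:
        return False
    return (_dimension_matches(rule.usercategory, rule.users, rule.groups,
                               user, user_groups)
            and _dimension_matches(rule.hostcategory, rule.hosts,
                                   rule.hostgroups, host, host_groups)
            and _dimension_matches(rule.servicecategory, rule.services,
                                   rule.servicegroups, service, service_groups))


def evaluate(rules: List[HbacRule], user: str, host: str, service: str,
             user_groups: Optional[Memberships] = None,
             host_groups: Optional[Memberships] = None,
             service_groups: Optional[Memberships] = None
             ) -> Tuple[bool, List[str]]:
    """Allow-only evaluation: return (granted, names of rules that matched)."""
    matched = [r.name for r in rules
               if rule_matches(r, user, host, service,
                               user_groups or {}, host_groups or {},
                               service_groups or {})]
    return bool(matched), matched


# Constructed rule set mirroring the thread: the narrow rule from the post
# and a rule shaped like FreeIPA's default allow_all (all three categories).
TESTUSER_RULE = HbacRule("testuser", users={"testuser"},
                         hosts={"fedora23-server.blabla.bla"},
                         services={"sshd"})


def default_allow_all(enabled: bool = True) -> HbacRule:
    return HbacRule("allow_all", enabled=enabled, usercategory=ALL,
                    hostcategory=ALL, servicecategory=ALL)


def hbactest(user: str, host: str, service: str,
             allow_all_enabled: bool) -> Tuple[bool, List[str]]:
    """Constructed stand-in for 'ipa hbactest' over the two rules above."""
    return evaluate([TESTUSER_RULE, default_allow_all(allow_all_enabled)],
                    user, host, service)


if __name__ == "__main__":
    host = "fedora23-server.blabla.bla"
    for allow_all in (True, False):
        for svc in ("sshd", "su"):
            granted, by = hbactest("testuser", host, svc, allow_all)
            print(f"allow_all enabled={allow_all!s:5} service={svc:4} "
                  f"granted={granted!s:5} matched={by}")
```

With allow_all enabled, su is granted by allow_all alone, which is exactly the symptom in the post; disabling allow_all leaves sshd granted by the testuser rule and su denied. On a real client the rules are evaluated by SSSD from its cache, so after changing rules on the server check the sssd logs (or clear the cache) before re-testing, as the troubleshooting link above suggests.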