Hi All, I have spent a significant amount of time on this and am hoping some of you might have an idea. I want to limit user bob from getting to a root prompt on this test box. It seems to work until bob is able to run a command he is allowed via sudo, such as cat. sudo -i is on the deny command list in IPA, and root is local (not in IPA) with nsswitch pointing to files first, then sss.
So, logged on as user bob, the first thing attempted was sudo -i, which produces a wrong pw message even though it is the correct pw, but it is denying, so fine. Then I issue sudo cat /etc/sysconfig/iptables and it allows it after I enter bob's pw, which is fine. However, right after that I try sudo -i again and get a root prompt, which is not good. I am thinking that since root is local and files come first, once I sudo up, root is available. Any suggestions are welcome.

[me@mine ~]$ ssh bob@server
bob@server's password:
Last login: Time: from IP
Internal systems must only be used for conducting company business or for purposes authorized by company management
Use is subject to audit at any time by company management
[bob@server ~]$ sudo -i
[sudo] password for bob:
Sorry, try again.
[bob@server ~]$ sudo -i
[sudo] password for bob:
Sorry, try again.
[sudo] password for bob:
Sorry, try again.
[sudo] password for bob:
sudo: 2 incorrect password attempts
[bob@server ~]$ sudo cat /etc/sysconfig/iptables
[sudo] password for bob:
# Firewall configuration written by system-config-firewall
# Manual customization of this file is not recommended.
*filter
[bob@server ~]$ sudo -i
server.example.local:/root# cat /etc/sysconfig/iptables
# Firewall configuration written by system-config-firewall
# Manual customization of this file is not recommended.
*filter

ipa sudorule-show bob
  Rule name: bob
  Description: test sudo rule for user bob
  Enabled: TRUE
  Host category: all
  Users: bob
  Sudo Allow Commands: /sbin/iptables, /sbin/service, /bin/view, /bin/bash, /bin/netstat, /usr/bin/sudo -u user -i, /bin/cat
  Sudo Deny Commands: /usr/bin/sudo -i, /usr/bin/sudo-i, /usr/bin/sudo -u root -i

Is it just me, or is white space ignored as well with sudo commands, much like the sudo options?

Sean Hogan
Security Engineer
Watson Security & Risk Assurance
Watson Cloud Technology and Support
email: scho...@us.ibm.com | Tel 919 486 1397
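The following is an added audit script, not part of Sean's post or of FreeIPA itself, that reads the `ipa sudorule-show` output quoted above (embedded here as a constructed sample) and reports the rule entries a reviewer would flag. It assumes two things about sudo that hold for stock sudoers/SSSD command matching: `-i` is a sudo option rather than a command, so the command sudo actually matches for `sudo -i` is the target user's login shell; and a deny entry for `/usr/bin/sudo -i` therefore only matches a literal `sudo /usr/bin/sudo -i`. The category names and the shell and sudo path sets are the script's own assumptions.

```python
"""Audit an IPA sudo rule's allow/deny command lists for entries that
grant, or fail to block, an interactive root shell.

Added example, not FreeIPA code. Assumes standard sudoers matching:
`sudo -i` runs the target user's login shell, so the command that must
be permitted (or denied) is that shell, not `/usr/bin/sudo -i`.
"""
import os

# Constructed sample: the `ipa sudorule-show bob` output quoted in the post.
SAMPLE_RULE = """\
  Rule name: bob
  Description: test sudo rule for user bob
  Enabled: TRUE
  Host category: all
  Users: bob
  Sudo Allow Commands: /sbin/iptables, /sbin/service, /bin/view, /bin/bash, /bin/netstat, /usr/bin/sudo -u user -i, /bin/cat
  Sudo Deny Commands: /usr/bin/sudo -i, /usr/bin/sudo-i, /usr/bin/sudo -u root -i
"""

# Assumed path sets (extend for the shells/sudo locations on your hosts).
SHELLS = {"/bin/bash", "/usr/bin/bash", "/bin/sh", "/usr/bin/sh",
          "/bin/zsh", "/usr/bin/zsh", "/bin/ksh", "/usr/bin/ksh"}
SUDO_BINARIES = {"/usr/bin/sudo", "/bin/sudo"}


def parse_rule(text):
    """Turn the indented 'Key: value' lines of sudorule-show into a dict."""
    fields = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, _, value = line.strip().partition(":")
        fields[key.strip()] = value.strip()
    return fields


def split_commands(value):
    """Split the comma-separated command list, keeping each entry's arguments."""
    return [c.strip() for c in value.split(",") if c.strip()]


def audit_rule(text):
    """Return (category, entry, reason) findings for one rule's command lists."""
    fields = parse_rule(text)
    allow = split_commands(fields.get("Sudo Allow Commands", ""))
    deny = split_commands(fields.get("Sudo Deny Commands", ""))
    findings = []

    for entry in allow:
        prog = entry.split()[0]
        if prog in SHELLS:
            findings.append(("shell-allowed", entry,
                             "a login shell is allowed, so `sudo -i` (which runs "
                             "root's shell) is permitted regardless of the deny list"))
        elif prog in SUDO_BINARIES:
            findings.append(("sudo-allowed", entry,
                             "sudo itself is an allowed command; a nested sudo then "
                             "runs with root's privileges"))

    for entry in deny:
        prog = entry.split()[0]
        base = os.path.basename(prog)
        if base != "sudo" and base.startswith("sudo"):
            findings.append(("malformed-deny", entry,
                             "no whitespace between program and option: this names "
                             "a path that does not exist, so it can never match"))
        elif prog in SUDO_BINARIES:
            findings.append(("ineffective-deny", entry,
                             "-i / -u are sudo options, not a command; the command "
                             "matched for `sudo -i` is the target user's shell, so "
                             "this entry only matches a literal `sudo sudo ...`"))
    return findings


def allows_root_shell(findings):
    """True when any allow entry grants an interactive shell as the target user."""
    return any(kind == "shell-allowed" for kind, _, _ in findings)


if __name__ == "__main__":
    results = audit_rule(SAMPLE_RULE)
    for kind, entry, reason in results:
        print(f"[{kind}] {entry}: {reason}")
    print("root shell reachable via allow list:", allows_root_shell(results))
```

Running it on the sample reports `/bin/bash` as `shell-allowed`, both `/usr/bin/sudo -i` and `/usr/bin/sudo -u root -i` as `ineffective-deny`, and `/usr/bin/sudo-i` as `malformed-deny`. The practical remediation this points at is to remove the shell (and sudo itself) from the allow list rather than trying to deny `sudo -i` by name; `sudo -l` as the user on the host confirms what the rule actually grants after the change.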
--
Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project