Hi All,

  I have spent a significant amount of time on this and am hoping some of you
might have an idea.  I want to limit user bob from getting to a root prompt on
this test box.
It seems to work until bob is able to run a command he is allowed via sudo,
such as cat.  sudo -i is on the deny command list in IPA, and root is local
(not in IPA), with nsswitch pointing to files first, then sss.

So, logged on as user bob, the first thing attempted was sudo -i, which
produces a wrong-password message even though it is the correct password; but
it is denying, so fine.  Then I issue sudo cat /etc/sysconfig/iptables
and it allows it after I enter bob's password, which is fine.  However, right
after that I try sudo -i again and get a root prompt, which is not good.  I am
thinking that since root is local and files come first, once I sudo up, root
is available.
Any suggestions are welcome.
[me@mine ~]$ ssh bob@server
bob@servers password:
Last login:  Time: from IP
Internal systems must only be used for conducting company business or for
purposes authorized by company management
Use is subject to audit at any time by company management
[bob@server ~]$ sudo -i
[sudo] password for bob:
Sorry, try again.
[bob@server ~]$ sudo -i
[sudo] password for bob:
Sorry, try again.
[sudo] password for bob:
Sorry, try again.
[sudo] password for bob:
sudo: 2 incorrect password attempts
[bob@server ~]$ sudo cat /etc/sysconfig/iptables
[sudo] password for bob:
# Firewall configuration written by system-config-firewall
# Manual customization of this file is not recommended.
*filter
[bob@server ~]$ sudo -i
server.example.local:/root# cat /etc/sysconfig/iptables
# Firewall configuration written by system-config-firewall
# Manual customization of this file is not recommended.
*filter
  ipa sudorule-show bob
  Rule name: bob
  Description: test sudo rule for user bob
  Enabled: TRUE
  Host category: all
  Users: bob
  Sudo Allow Commands: /sbin/iptables, /sbin/service,  /bin/view,
                       /bin/bash, /bin/netstat, /usr/bin/sudo -u user
-i, /bin/cat
  Sudo Deny Commands: /usr/bin/sudo -i, /usr/bin/sudo-i, /usr/bin/sudo -u
root -i

Is it just me, or is white space ignored with sudo commands as well, much like
the sudo options?
Sean Hogan
Security Engineer
Watson Security & Risk Assurance
Watson Cloud Technology and Support
email: scho...@us.ibm.com | Tel 919 486 1397
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
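The rule output quoted above can be checked mechanically. The following is an added example (not code from the post or from the FreeIPA project): it parses a constructed copy of the `ipa sudorule-show bob` output, models how sudo evaluates a command against allow and deny entries, and reports which entries grant or can never restrict an interactive root shell. It relies on two points of sudo's documented behaviour: `sudo -i` and `sudo -s` run the target user's login shell, so the pathname matched against the rule set is that shell (here /bin/bash) rather than /usr/bin/sudo; and a bare pathname in a rule matches any arguments. The login-shell table, the PATH lookup table and the list of shell names are assumptions made for the example.

```python
"""Audit a FreeIPA sudo rule (text as printed by `ipa sudorule-show`) for
allow-list entries that hand out an interactive root shell.

Added example, not from the mailing-list post or the FreeIPA project.
Everything marked 'constructed' or 'assumption' is local to this example.
"""
import os
import re
import shlex

# Constructed copy of the `ipa sudorule-show bob` output quoted in the post.
SAMPLE_RULE = """\
  Rule name: bob
  Description: test sudo rule for user bob
  Enabled: TRUE
  Host category: all
  Users: bob
  Sudo Allow Commands: /sbin/iptables, /sbin/service,  /bin/view,
                       /bin/bash, /bin/netstat, /usr/bin/sudo -u user
-i, /bin/cat
  Sudo Deny Commands: /usr/bin/sudo -i, /usr/bin/sudo-i, /usr/bin/sudo -u
root -i
"""

# Constructed stand-ins for the passwd login shells and for a PATH lookup.
LOGIN_SHELLS = {"root": "/bin/bash", "user": "/bin/sh"}
PATH_LOOKUP = {"cat": "/bin/cat", "iptables": "/sbin/iptables"}
# Assumption: basenames that should be treated as interactive shells.
SHELL_NAMES = {"bash", "sh", "zsh", "ksh", "csh", "tcsh", "dash"}


def parse_sudorule_show(text):
    """Turn the 'Key: value' block into a dict. Lines without a 'Key:'
    prefix are wrapped continuations and are joined onto the previous
    attribute; the command attributes are then split on commas."""
    rule, last_key = {}, None
    for raw in text.splitlines():
        m = re.match(r"^\s*([A-Za-z][A-Za-z ]*?):\s*(.*)$", raw)
        if m:
            last_key = m.group(1)
            rule[last_key] = m.group(2).strip()
        elif last_key is not None and raw.strip():
            rule[last_key] += " " + raw.strip()
    for key in ("Sudo Allow Commands", "Sudo Deny Commands", "Users"):
        if key in rule:
            rule[key] = [c.strip() for c in rule[key].split(",") if c.strip()]
    return rule


def resolve_command(sudo_args, target_user="root"):
    """Return (argv, target_user) as sudo will evaluate it.
    -i/-s run the target user's login shell, so the matched pathname is the
    shell, never /usr/bin/sudo. Only -u, -i and -s are modelled (assumption)."""
    args, want_shell = list(sudo_args), False
    while args and args[0].startswith("-"):
        opt = args.pop(0)
        if opt == "-u":
            target_user = args.pop(0)
        elif opt in ("-i", "-s"):
            want_shell = True
        else:
            raise ValueError("option %s not modelled" % opt)
    if want_shell:
        return [LOGIN_SHELLS[target_user]], target_user
    if args and "/" not in args[0]:          # resolve via constructed PATH
        args[0] = PATH_LOOKUP.get(args[0], args[0])
    return args, target_user


def entry_matches(entry, argv):
    """sudoers semantics: a bare pathname matches any arguments; a pathname
    with arguments requires the arguments to match exactly."""
    parts = shlex.split(entry)
    if not parts or parts[0] != argv[0]:
        return False
    return len(parts) == 1 or parts[1:] == argv[1:]


def evaluate(rule, sudo_args):
    """Which allow/deny entries match the command bob typed after 'sudo'."""
    argv, target = resolve_command(sudo_args)
    allowed = [e for e in rule.get("Sudo Allow Commands", []) if entry_matches(e, argv)]
    denied = [e for e in rule.get("Sudo Deny Commands", []) if entry_matches(e, argv)]
    return {"command": argv, "target_user": target, "allowed_by": allowed,
            "denied_by": denied, "permitted": bool(allowed) and not denied}


def audit_rule(rule):
    """Flag allow entries that are shells or sudo itself, and deny entries
    naming sudo, which cannot match the command sudo is about to run."""
    findings = []
    for e in rule.get("Sudo Allow Commands", []):
        base = os.path.basename(shlex.split(e)[0])
        if base in SHELL_NAMES:
            findings.append("allow entry %r is a shell: it satisfies sudo -i/-s" % e)
        elif base == "sudo":
            findings.append("allow entry %r runs a nested sudo as root" % e)
    for e in rule.get("Sudo Deny Commands", []):
        if os.path.basename(shlex.split(e)[0]) == "sudo":
            findings.append("deny entry %r can never match: sudo evaluates the "
                            "command it will execute, not its own path" % e)
    return findings


if __name__ == "__main__":
    rule = parse_sudorule_show(SAMPLE_RULE)
    for args in (["-i"], ["cat", "/etc/sysconfig/iptables"], ["-u", "user", "-i"]):
        print("sudo", " ".join(args), "->", evaluate(rule, args))
    for f in audit_rule(rule):
        print("FINDING:", f)
```

Run against the quoted rule, `sudo -i` resolves to /bin/bash, which the allow list grants with any arguments, and none of the three deny entries match because the evaluated pathname is the shell rather than /usr/bin/sudo. The practical mitigation is to keep shells (and sudo itself) out of allow lists, and to treat deny entries as documentation only: in sudoers, an allow for a shell or for any program that can spawn one is equivalent to a root shell whatever the deny list says.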