Sean Hogan wrote:

> Hi All,
>
> I have a significant amount of time on this and hoping some of you might
> have an idea. I want to limit user bob from getting to a root prompt on
> this test box.
> It seems to work until bob is able to run a command he is allowed via
> sudo such as cat. Sudo -i is on the deny command list in IPA and root is
> local (not in IPA) with nsswitch pointing to files first then sss.
>
> So logged on as user bob, first thing attempted was sudo -i which
> produces wrong pw message even though it is the correct pw but it is
> denying so fine. Then I issue sudo cat /etc/sysconfig/iptables
> and it allows it after I enter bob's pw which is fine. However right
> after that I try sudo -i again and get root prompt which is not good. I
> am thinking since root is local and files first then once I sudo up root
> is avail.
> Any suggestions are welcome
I think you are better off using an HBAC rule to only grant sudo and not sudo -i.

rob

> *[me@mine ~]$ ssh bob@server*
> bob@servers password:
> Last login: Time: from IP
> Internal systems must only be used for conducting company business or
> for purposes authorized by company management
> Use is subject to audit at any time by company management
> *[bob@server ~]$ sudo -i*
> [sudo] password for bob:
> Sorry, try again.
> *[bob@server ~]$ sudo -i*
> [sudo] password for bob:
> Sorry, try again.
> [sudo] password for bob:
> Sorry, try again.
> [sudo] password for bob:
> sudo: 2 incorrect password attempts
> *[bob@server ~]$ sudo cat /etc/sysconfig/iptables*
> [sudo] password for bob:
> # Firewall configuration written by system-config-firewall
> # Manual customization of this file is not recommended.
> *filter
> *[bob@server ~]$ sudo -i*
> *server.example.local:/root# cat /etc/sysconfig/iptables*
> # Firewall configuration written by system-config-firewall
> # Manual customization of this file is not recommended.
> *filter
>
> ipa sudorule-show bob
>   Rule name: bob
>   Description: test sudo rule for user bob
>   Enabled: TRUE
>   Host category: all
>   Users: bob
>   Sudo Allow Commands: /sbin/iptables, /sbin/service, /bin/view,
>     /bin/bash, /bin/netstat, /usr/bin/sudo -u user -i, /bin/cat
>   Sudo Deny Commands: /usr/bin/sudo -i, /usr/bin/sudo-i, /usr/bin/sudo -u
>     root -i
>
> Is it just me or is white space ignored as well with sudo commands much
> like the sudo options?
>
> Sean Hogan
> Security Engineer
> Watson Security & Risk Assurance
> Watson Cloud Technology and Support
> email: scho...@us.ibm.com | Tel 919 486 1397

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
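The rule listing quoted above is a good candidate for an automated review, because two of its entries do not do what they look like they do: `sudo -i` does not authorize the command `/usr/bin/sudo -i`, it authorizes the target user's login shell (for root, `/bin/bash`), which is on the allow list; and a deny entry naming `/usr/bin/sudo` can therefore never match. The following checker is an added example written for this thread, not code from the original posts or from FreeIPA. It parses the text layout of `ipa sudorule-show` as quoted above and runs over a constructed copy of that listing; the shell and shell-escape program lists are assumptions chosen for illustration.

```python
"""Audit an IPA sudo rule listing for allow/deny entries whose effect differs
from what the command text suggests. Added example for the freeipa-users thread;
the parser targets the `ipa sudorule-show` text layout quoted in the thread."""
import re

# Constructed sample: the rule as shown by `ipa sudorule-show bob` in the thread
# (copied from the quoted listing, not fetched from a live IPA server).
SAMPLE_RULE = """\
  Rule name: bob
  Description: test sudo rule for user bob
  Enabled: TRUE
  Host category: all
  Users: bob
  Sudo Allow Commands: /sbin/iptables, /sbin/service, /bin/view, /bin/bash, /bin/netstat, /usr/bin/sudo -u user -i, /bin/cat
  Sudo Deny Commands: /usr/bin/sudo -i, /usr/bin/sudo-i, /usr/bin/sudo -u root -i
"""

# Assumed lists: login shells that `sudo -i` / `sudo -s` resolve to, and
# pagers/editors that can spawn a shell from inside the program.
SHELLS = {"/bin/bash", "/bin/sh", "/bin/zsh", "/bin/ksh", "/bin/dash"}
SHELL_ESCAPE = {"/bin/view", "/bin/vi", "/usr/bin/vim", "/usr/bin/less", "/usr/bin/more"}


def parse_rule(text):
    """Return {field: value} for the 'Key: value' lines of a sudorule-show listing."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"\s*([^:]+):\s*(.*)$", line)
        if m:
            fields[m.group(1).strip()] = m.group(2).strip()
    return fields


def split_commands(value):
    """Split a comma-separated command list, keeping each command's arguments."""
    return [c.strip() for c in value.split(",") if c.strip()]


def audit_rule(text):
    """Return a list of (severity, message) findings for one sudo rule."""
    fields = parse_rule(text)
    allow = split_commands(fields.get("Sudo Allow Commands", ""))
    deny = split_commands(fields.get("Sudo Deny Commands", ""))
    findings = []
    for cmd in allow:
        prog = cmd.split()[0]
        if prog in SHELLS:
            findings.append(("high", f"allow entry {cmd!r} grants an interactive root shell; "
                                     "'sudo -i' runs the target user's login shell, so it matches this entry"))
        elif prog == "/usr/bin/sudo":
            findings.append(("high", f"allow entry {cmd!r} lets the user re-invoke sudo as root, "
                                     "which is not constrained by the rest of this rule"))
        elif prog in SHELL_ESCAPE:
            findings.append(("medium", f"allow entry {cmd!r} is a pager/editor with a shell escape"))
    for cmd in deny:
        prog = cmd.split()[0]
        if prog.startswith("/usr/bin/sudo"):
            findings.append(("info", f"deny entry {cmd!r} never matches: sudo resolves '-i' to the "
                                     "login shell before checking policy, so the command it "
                                     "authorizes is the shell, not sudo itself"))
    return findings


if __name__ == "__main__":
    for severity, message in audit_rule(SAMPLE_RULE):
        print(f"[{severity}] {message}")
```

Run against the sample, the checker reports `/bin/bash` and `/usr/bin/sudo -u user -i` as high, `/bin/view` as medium, and all three deny entries as ineffective. The password-free root prompt in the quoted session is also consistent with sudo's credential timestamp: once `sudo cat` has authenticated bob, later sudo invocations within `timestamp_timeout` do not prompt again.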