Re: [Freeipa-users] How to set a user group rule to allow su - oracle only?

2012-07-17 Thread Arpit Tolani
Hello

On Tue, Jul 17, 2012 at 3:15 AM, Steven Jones <steven.jo...@vuw.ac.nz> wrote:

> Hi,
>
> If I login as say user1,  I want that user to be able to su - oracle, but
> not to say su - root (or to any other user).
>
> If user2 logs in I want them unable to su - X at all and especially not
> root.
>
> If an admin logs in I want them to be able to su - anybody...
>
> In a way before I could do that with the wheel group and pam.
>
> regards
>
> Steven Jones
> rob


# cat /etc/pam.d/su
auth        sufficient  pam_rootok.so
auth        [default=1 success=ok ignore=ignore] pam_wheel.so trust use_uid group=group1
auth        [success=2 default=die] pam_listfile.so item=user sense=allow onerr=fail file=/etc/security/su-group1-access
auth        [default=die success=ok ignore=ignore] pam_wheel.so trust use_uid group=group2
auth        requisite   pam_listfile.so item=user sense=allow onerr=fail file=/etc/security/su-group2-access
auth        include     system-auth
account     sufficient  pam_succeed_if.so uid = 0 use_uid quiet
account     include     system-auth
password    include     system-auth
session     include     system-auth
session     optional    pam_xauth.so


With the above configuration:

members of group1 will be able to su only to users in
/etc/security/su-group1-access
members of group2 will be able to su only to users in
/etc/security/su-group2-access
users who are in neither group1 nor group2 will not be able to su to anyone
root will be able to su to anyone

Hope that helps; change it as per your requirement.

Regards
Arpit Tolani
___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
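As an added example (not code from the thread or from Linux-PAM), the Python script below parses the auth stack Arpit posted, expands each control field into the actions pam.conf(5) defines for it (so the bracketed `[default=1 success=ok ignore=ignore]` forms become readable), pairs every pam_listfile `item=user sense=allow` line with the pam_wheel `group=` line gating it, and audits the referenced access files the way a defender would before relying on them: ownership, write bits, and whether `root` is listed. The stack text, the two sample access-file contents, and the paths passed to the audit are constructed; `read_access_file` is injected so the summary is built without reading anything under /etc.

```python
"""Parse and audit a pam_wheel + pam_listfile style /etc/pam.d/su auth stack.
Added example, not code from the thread or from Linux-PAM; the stack text,
sample access-file contents and audited paths are all constructed."""
import os, re, stat
from dataclasses import dataclass

# The auth section of the stack as posted in the thread, wrapped lines re-joined.
SU_AUTH_STACK = """\
auth  sufficient  pam_rootok.so
auth  [default=1 success=ok ignore=ignore] pam_wheel.so trust use_uid group=group1
auth  [success=2 default=die] pam_listfile.so item=user sense=allow onerr=fail file=/etc/security/su-group1-access
auth  [default=die success=ok ignore=ignore] pam_wheel.so trust use_uid group=group2
auth  requisite  pam_listfile.so item=user sense=allow onerr=fail file=/etc/security/su-group2-access
auth  include  system-auth
"""
# Keyword controls expanded to the bracketed form pam.conf(5) defines for them.
KEYWORD_CONTROLS = {
    "required":   "success=ok new_authtok_reqd=ok ignore=ignore default=bad",
    "requisite":  "success=ok new_authtok_reqd=ok ignore=ignore default=die",
    "sufficient": "success=done new_authtok_reqd=done default=ignore",
    "optional":   "success=ok new_authtok_reqd=ok default=ignore",
    "include":    "",  # splices another stack in; no actions of its own
}
ACTION_TEXT = {"ok": "count the result and continue", "done": "count the result and stop",
               "bad": "record a failure and continue", "die": "record a failure and stop",
               "ignore": "ignore the result", "reset": "forget earlier results"}
_LINE_RE = re.compile(r"^(\S+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")

@dataclass
class PamEntry:
    type: str
    control: str
    module: str
    args: dict     # key=value module arguments, bare flags map to True
    actions: dict  # module return value -> control action (an int means jump)

def parse_control(control: str) -> dict:
    body = control[1:-1] if control.startswith("[") else KEYWORD_CONTROLS[control]
    actions = {}
    for token in body.split():
        value, action = token.split("=", 1)
        actions[value] = int(action) if action.isdigit() else action
    return actions

def parse_pam_stack(text: str) -> list:
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = _LINE_RE.match(line)
        if not m:
            raise ValueError(f"unparseable pam line: {raw!r}")
        typ, control, module, rest = m.groups()
        args = {k: (v or True) for k, _, v in (a.partition("=") for a in rest.split())}
        entries.append(PamEntry(typ, control, module, args, parse_control(control)))
    return entries

def describe(entry: PamEntry) -> str:
    """Spell out what each return value of the module does to the stack."""
    parts = [f"{v} -> " + (f"count the result, then jump over the next {a} module(s)"
                           if isinstance(a, int) else ACTION_TEXT[a])
             for v, a in entry.actions.items()]
    return f"{entry.module}: " + ("; ".join(parts) or "no actions of its own")

def su_access_map(entries: list, read_access_file) -> dict:
    """{pam_wheel group: users it may su to}, pairing each pam_listfile item=user
    sense=allow line with the pam_wheel group= line that precedes it."""
    gate, result = None, {}
    for e in (x for x in entries if x.type == "auth"):
        if e.module == "pam_wheel.so" and "group" in e.args:
            gate = e.args["group"]
        elif e.module == "pam_listfile.so" and e.args.get("item") == "user" and e.args.get("sense") == "allow":
            if gate is None:
                raise ValueError("pam_listfile allow line is not gated by a pam_wheel group")
            result[gate] = set(read_access_file(e.args["file"]))
            gate = None
    return result

def audit_access(path: str, mode: int, uid: int, users) -> list:
    """Findings a defender wants before trusting a pam_listfile access file."""
    findings = []
    if uid != 0:
        findings.append(f"{path}: not owned by root (uid {uid})")
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append(f"{path}: writable by group/others (mode {mode:04o}); "
                        "whoever can edit it can add su targets for the gated group")
    if "root" in users:
        findings.append(f"{path}: lists root, so the gated group can su to root")
    return findings

def audit_access_file(path: str) -> list:
    try:
        st = os.stat(path)
    except FileNotFoundError:
        # onerr=fail returns an error; default=die / requisite turn it into a denial.
        return [f"{path}: missing, so with onerr=fail the gated group cannot su at all"]
    with open(path) as fh:
        users = [line.strip() for line in fh if line.strip()]
    return audit_access(path, stat.S_IMODE(st.st_mode), st.st_uid, users)

if __name__ == "__main__":
    entries = parse_pam_stack(SU_AUTH_STACK)
    for e in entries:
        print(describe(e))
    # Constructed access-file contents mirroring the thread's two groups.
    sample = {"/etc/security/su-group1-access": ["oracle"],
              "/etc/security/su-group2-access": ["oracle", "root"]}
    print(su_access_map(entries, sample.__getitem__))
    for path in sample:  # on a real host this reads the actual files
        print(audit_access_file(path))
```

Run as-is it prints the expanded meaning of each auth line, the group-to-targets summary for the constructed files, and the audit findings; pointed at a real host, `audit_access_file` on the two paths tells you whether the access files exist and who can edit them, which matters because with `onerr=fail` a missing file denies the whole group and a writable one lets whoever can edit it widen the su targets.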

Re: [Freeipa-users] How to set a user group rule to allow su - oracle only?

2012-07-17 Thread Steven Jones
Thankyou.

:D

regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272


From: Simo Sorce [s...@redhat.com]
Sent: Wednesday, 18 July 2012 10:18 a.m.
To: Steven Jones
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] How to set a user group rule to allow su - oracle only?

On Tue, 2012-07-17 at 22:06 +0000, Steven Jones wrote:
> Can I get this clarified as I am getting really confused,
>
> Can I do this in/via IPA or not?
>
> Yes or no I think will suffice.

Not using 'su', but you can using sudo as explained in other messages.

Simo.

--
Simo Sorce * Red Hat, Inc * New York






Re: [Freeipa-users] How to set a user group rule to allow su - oracle only?

2012-07-17 Thread Steven Jones
Hi,

Thanks...yes I don't care how as such.  I'm trying to translate traditional 
linux/unix ways of doing things into IPA where possible...maybe that's where 
I'm communicating poorly and causing confusion, sorry about that.  

It's like English and French: I want the French but only have the English words 
to ask in.

:/

su - root can be local, that's OK as that is unique and exists locally.  But I 
need to do a lot of as Kodak wants and have a group of users login as 
themselves and then get to an application user.  Typically this would be say 
oracle...but I don't want the user oracle to be able to ssh in...so that can be 
IPA controlled, I know, which I'd rather do than putting a deny into 
sshd_config, as when you want to refresh a database you could have a HBAC for 
Oracle defined between 2 specific hosts for a set length of time say.

regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272


From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on 
behalf of Erinn Looney-Triggs [erinn.looneytri...@gmail.com]
Sent: Wednesday, 18 July 2012 10:17 a.m.
To: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] How to set a user group rule to allow su - oracle only?

On 07/17/2012 02:06 PM, Steven Jones wrote:
> Can I get this clarified as I am getting really confused,
>
> Can I do this in/via IPA or not?
>
> Yes or no I think will suffice.
>
> regards
>
> Steven Jones
>
> Technical Specialist - Linux RHCE
>
> Victoria University, Wellington, NZ
>
> 0064 4 463 6272
>
> *From:* Arpit Tolani [arpittol...@gmail.com]
> *Sent:* Tuesday, 17 July 2012 11:13 p.m.
> *To:* Steven Jones
> *Cc:* Rob Crittenden; freeipa-users@redhat.com
> *Subject:* Re: [Freeipa-users] How to set a user group rule to allow su - oracle only?

I think that is because you are talking about two separate things. You
want to control entry to root via su, this may or may not be
controllable with IPA, but probably not.

You want to control entry to the oracle user via sudo and restrict that
to a group of users, that is entirely possible within IPA.

-Erinn








[Freeipa-users] How to set a user group rule to allow su - oracle only?

2012-07-16 Thread Steven Jones
Is this possible?

If so how is it done?


regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272


Re: [Freeipa-users] How to set a user group rule to allow su - oracle only?

2012-07-16 Thread Rob Crittenden

Steven Jones wrote:
> Is this possible?
>
> If so how is it done?


I'm not sure what you're asking.

rob



Re: [Freeipa-users] How to set a user group rule to allow su - oracle only?

2012-07-16 Thread Steven Jones
Hi,

If I login as say user1,  I want that user to be able to su - oracle, but not 
to say su - root (or to any other user).

If user2 logs in I want them unable to su - X at all and especially not root.

If an admin logs in I want them to be able to su - anybody...

In a way before I could do that with the wheel group and pam.

regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272


From: Rob Crittenden [rcrit...@redhat.com]
Sent: Tuesday, 17 July 2012 9:33 a.m.
To: Steven Jones
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] How to set a user group rule to allow su - oracle only?

Steven Jones wrote:
> Is this possible?
>
> If so how is it done?

I'm not sure what you're asking.

rob





Re: [Freeipa-users] How to set a user group rule to allow su - oracle only?

2012-07-16 Thread Simo Sorce
On Mon, 2012-07-16 at 21:45 +0000, Steven Jones wrote:
> Hi,
>
> If I login as say user1,  I want that user to be able to su - oracle, but not 
> to say su - root (or to any other user).
>
> If user2 logs in I want them unable to su - X at all and especially not root.
>
> If an admin logs in I want them to be able to su - anybody...
>
> In a way before I could do that with the wheel group and pam.

I think you want to look at sudo -i

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
