Re: [Freeipa-users] IPA and UIDS <500
Hi,

I have had an RH support case open since the 17th. I keep getting different opinions on how to do it, none of which work so far.

regards

Steven Jones
Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ
0064 4 463 6272

From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on behalf of Dmitri Pal [d...@redhat.com]
Sent: Saturday, 21 July 2012 1:52 a.m.
To: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] IPA and UIDS <500

On 07/19/2012 06:06 PM, Steven Jones wrote:
> having problems with,
>
> ipa sudorule-add-host --groups banner-server-group banner-rule
>
> So I want to use a host-group so I can run this command across multiple
> servers, I take it I can't so I have to add it per host?
>
Should work with host groups and user groups. I do not have the exact syntax in front of me. Please check the ipa help system, it has all the details. If something does not work as advertised please collect all the details, logs, output and file a bug or ticket.

> regards
>
> Steven Jones
> Technical Specialist - Linux RHCE
> Victoria University, Wellington, NZ
> 0064 4 463 6272
>
> From: Steven Jones
> Sent: Friday, 20 July 2012 9:39 a.m.
> To: freeipa-users@redhat.com
> Subject: RE: [Freeipa-users] IPA and UIDS <500
>
> ah right, I've been trying to do this in IPA and failing
>
> So I actually want,
>
> ipa sudorule-add banner-rule
> ipa sudorule-add-allow-command --sudocmds "/bin/sudo -i"
> ipa sudorule-add-host --groups banner-server-group banner-rule
> ipa sudorule-add-user --groups become-banner-saas-prod banner-rule
> ipa sudorule-add-user --user banner banner-rule
>
> ?
>
> regards
>
> Steven Jones
> Technical Specialist - Linux RHCE
> Victoria University, Wellington, NZ
> 0064 4 463 6272

--
Thank you,
Dmitri Pal
Sr. Engineering Manager for IdM portfolio
Red Hat Inc.

---
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] IPA and UIDS <500
Dmitri Pal wrote:
> On 07/19/2012 06:06 PM, Steven Jones wrote:
>> having problems with,
>>
>> ipa sudorule-add-host --groups banner-server-group banner-rule
>>
>> So I want to use a host-group so I can run this command across multiple
>> servers, I take it I can't so I have to add it per host?
>
> Should work with host groups and user groups. I do not have the exact
> syntax in front of me. Please check the ipa help system, it has all the
> details. If something does not work as advertised please collect all the
> details, logs, output and file a bug or ticket.

To add the banner-server-group hostgroup to the sudo rule:

ipa sudorule-add-host --hostgroups banner-server-group banner-rule
Re: [Freeipa-users] IPA and UIDS <500
On 07/19/2012 06:06 PM, Steven Jones wrote:
> having problems with,
>
> ipa sudorule-add-host --groups banner-server-group banner-rule
>
> So I want to use a host-group so I can run this command across multiple
> servers, I take it I can't so I have to add it per host?
>
Should work with host groups and user groups. I do not have the exact syntax in front of me. Please check the ipa help system, it has all the details. If something does not work as advertised please collect all the details, logs, output and file a bug or ticket.

> regards
>
> Steven Jones
> Technical Specialist - Linux RHCE
> Victoria University, Wellington, NZ
> 0064 4 463 6272
>
> From: Steven Jones
> Sent: Friday, 20 July 2012 9:39 a.m.
> To: freeipa-users@redhat.com
> Subject: RE: [Freeipa-users] IPA and UIDS <500
>
> ah right, I've been trying to do this in IPA and failing
>
> So I actually want,
>
> ipa sudorule-add banner-rule
> ipa sudorule-add-allow-command --sudocmds "/bin/sudo -i"
> ipa sudorule-add-host --groups banner-server-group banner-rule
> ipa sudorule-add-user --groups become-banner-saas-prod banner-rule
> ipa sudorule-add-user --user banner banner-rule
>
> ?
>
> regards
>
> Steven Jones
> Technical Specialist - Linux RHCE
> Victoria University, Wellington, NZ
> 0064 4 463 6272

--
Thank you,
Dmitri Pal
Sr. Engineering Manager for IdM portfolio
Red Hat Inc.
Re: [Freeipa-users] IPA and UIDS <500
having problems with,

ipa sudorule-add-host --groups banner-server-group banner-rule

So I want to use a host-group so I can run this command across multiple servers, I take it I can't so I have to add it per host?

regards

Steven Jones
Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ
0064 4 463 6272

From: Steven Jones
Sent: Friday, 20 July 2012 9:39 a.m.
To: freeipa-users@redhat.com
Subject: RE: [Freeipa-users] IPA and UIDS <500

ah right, I've been trying to do this in IPA and failing

So I actually want,

ipa sudorule-add banner-rule
ipa sudorule-add-allow-command --sudocmds "/bin/sudo -i"
ipa sudorule-add-host --groups banner-server-group banner-rule
ipa sudorule-add-user --groups become-banner-saas-prod banner-rule
ipa sudorule-add-user --user banner banner-rule

?

regards

Steven Jones
Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ
0064 4 463 6272
Re: [Freeipa-users] IPA and UIDS <500
ah right, I've been trying to do this in IPA and failing

So I actually want,

ipa sudorule-add banner-rule
ipa sudorule-add-allow-command --sudocmds "/bin/sudo -i"
ipa sudorule-add-host --groups banner-server-group banner-rule
ipa sudorule-add-user --groups become-banner-saas-prod banner-rule
ipa sudorule-add-user --user banner banner-rule

?

regards

Steven Jones
Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ
0064 4 463 6272
Re: [Freeipa-users] IPA and UIDS <500
On 07/19/2012 05:00 PM, Steven Jones wrote:
> So,
>
> I am trying to do just this but failing,
>
> So rather than,
>
> ipa sudorule-add-allow-command --sudocmds "/bin/su - banner"
>
> then,
>
> ipa sudorule-add-allow-command --sudocmds "/bin/sudo -i banner"
>
Banner should not be a part of the command. He should be put into the run as user if this is an ipa managed user or into external run as user if this user is not managed by IPA but defined on a local system.

> regards
>
> Steven Jones
> Technical Specialist - Linux RHCE
> Victoria University, Wellington, NZ
> 0064 4 463 6272
>
> From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on behalf of Simo Sorce [s...@redhat.com]
> Sent: Friday, 20 July 2012 5:09 a.m.
> To: Stephen Gallagher
> Cc: freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] IPA and UIDS <500
>
> On Thu, 2012-07-19 at 11:59 -0400, Stephen Gallagher wrote:
>> On Thu, 2012-07-19 at 16:44 +0100, Innes, Duncan wrote:
>>> Does this mean that it's impossible to have IPA authenticate the
>>> oracle user or any other user that is normally below 500?
>>>
>>> Our security team is asking that we manage the passwords of oracle and
>>> other users centrally. Can IPA do this for me?
>> It's not impossible, but it requires some mangling of your PAM stacks
>> in /etc/pam.d/*
>>
>> That said, it's generally a bad idea to have passwords on users < 500.
>> It should not be possible to log into them at all, and instead you
>> should rely on granting (restricted) sudo privileges to real users
>> allowing them to impersonate the service user instead.
>>
>> So instead of allowing people to log into the box as 'oracle', they
>> should log in as 'myusername' and then run 'sudo -u oracle '.
>> This provides better auditing support as well, since you will always
>> know which real user modified your database configuration (rather than
>> trying to piece together who logged in as 'oracle' directly).
>
> Note you can also allow sudo -i which gives you an interactive shell
> just like su - would, but you can control sudo configuration centrally.
>
> Simo.
>
> --
> Simo Sorce * Red Hat, Inc * New York

--
Thank you,
Dmitri Pal
Sr. Engineering Manager for IdM portfolio
Red Hat Inc.
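The rule Steven is after, assembled as an added example that is not code from the thread or from FreeIPA's own tooling: the host group goes in with --hostgroups as the reply above shows, and the service account becomes the rule's run-as user as Dmitri describes, instead of appearing in the command string. It goes one step beyond the posts in allowing the target's login shell rather than "/bin/sudo -i" as the sudo command, because `sudo -i -u banner` executes banner's shell and that shell is what the rule has to permit; the rule, group and account names are taken from the thread, the function names are constructed, and IPA can be pointed at a stub to review the generated commands.

```shell
#!/bin/sh
# Added example, not code from the thread or from FreeIPA itself. Creates a
# sudo rule that lets members of an IPA user group become a low-UID service
# account on every host in an IPA host group. The service account is set as
# the rule's "run as" user rather than being written into the command, and
# the host group is attached with --hostgroups (not --groups).
# IPA can be pointed at a stub so the generated commands can be reviewed.
IPA="${IPA:-ipa}"

# build_service_sudo_rule RULE HOSTGROUP USERGROUP SERVICE_USER [SHELL]
#   RULE          sudo rule to create, e.g. banner-rule
#   HOSTGROUP     IPA host group the rule applies to
#   USERGROUP     IPA user group whose members may use the rule
#   SERVICE_USER  IPA-managed account to run as; for an account that exists
#                 only in a host's /etc/passwd use --runasexternaluser instead
#   SHELL         command to allow, default /bin/bash: "sudo -i -u SERVICE_USER"
#                 runs the target's login shell, so that is what sudo must permit
build_service_sudo_rule() {
    rule=$1 hostgroup=$2 usergroup=$3 svcuser=$4 shell=${5:-/bin/bash}

    # Sudo commands are separate IPA objects and must exist before a rule can
    # reference them; create the entry only if it is not already defined.
    "$IPA" sudocmd-show "$shell" >/dev/null 2>&1 ||
        "$IPA" sudocmd-add "$shell" --desc="login shell for service accounts"

    "$IPA" sudorule-add "$rule" --desc="become $svcuser on $hostgroup"
    "$IPA" sudorule-add-allow-command "$rule" --sudocmds="$shell"
    "$IPA" sudorule-add-host "$rule" --hostgroups="$hostgroup"
    "$IPA" sudorule-add-user "$rule" --groups="$usergroup"
    "$IPA" sudorule-add-runasuser "$rule" --users="$svcuser"
}

# Print the finished rule so the run-as user, host group and command can be
# reviewed before anyone relies on it; on a client, "sudo -l" as a member of
# the user group shows what the host's sudo provider actually received.
show_service_sudo_rule() {
    "$IPA" sudorule-show "$1" --all
}

# Invocation matching the thread (names taken from the posts):
#   build_service_sudo_rule banner-rule banner-server-group become-banner-saas-prod banner
#   show_service_sudo_rule banner-rule
```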
Re: [Freeipa-users] IPA and UIDS <500
So,

I am trying to do just this but failing,

So rather than,

ipa sudorule-add-allow-command --sudocmds "/bin/su - banner"

then,

ipa sudorule-add-allow-command --sudocmds "/bin/sudo -i banner"

regards

Steven Jones
Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ
0064 4 463 6272

From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on behalf of Simo Sorce [s...@redhat.com]
Sent: Friday, 20 July 2012 5:09 a.m.
To: Stephen Gallagher
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] IPA and UIDS <500

On Thu, 2012-07-19 at 11:59 -0400, Stephen Gallagher wrote:
> On Thu, 2012-07-19 at 16:44 +0100, Innes, Duncan wrote:
> > Does this mean that it's impossible to have IPA authenticate the
> > oracle user or any other user that is normally below 500?
> >
> > Our security team is asking that we manage the passwords of oracle and
> > other users centrally. Can IPA do this for me?
>
> It's not impossible, but it requires some mangling of your PAM stacks
> in /etc/pam.d/*
>
> That said, it's generally a bad idea to have passwords on users < 500.
> It should not be possible to log into them at all, and instead you
> should rely on granting (restricted) sudo privileges to real users
> allowing them to impersonate the service user instead.
>
> So instead of allowing people to log into the box as 'oracle', they
> should log in as 'myusername' and then run 'sudo -u oracle '.
> This provides better auditing support as well, since you will always
> know which real user modified your database configuration (rather than
> trying to piece together who logged in as 'oracle' directly).

Note you can also allow sudo -i which gives you an interactive shell just like su - would, but you can control sudo configuration centrally.

Simo.

--
Simo Sorce * Red Hat, Inc * New York
Re: [Freeipa-users] IPA and UIDS <500
On Thu, 2012-07-19 at 11:59 -0400, Stephen Gallagher wrote:
> On Thu, 2012-07-19 at 16:44 +0100, Innes, Duncan wrote:
> > Does this mean that it's impossible to have IPA authenticate the
> > oracle user or any other user that is normally below 500?
> >
> > Our security team is asking that we manage the passwords of oracle and
> > other users centrally. Can IPA do this for me?
>
> It's not impossible, but it requires some mangling of your PAM stacks
> in /etc/pam.d/*
>
> That said, it's generally a bad idea to have passwords on users < 500.
> It should not be possible to log into them at all, and instead you
> should rely on granting (restricted) sudo privileges to real users
> allowing them to impersonate the service user instead.
>
> So instead of allowing people to log into the box as 'oracle', they
> should log in as 'myusername' and then run 'sudo -u oracle '.
> This provides better auditing support as well, since you will always
> know which real user modified your database configuration (rather than
> trying to piece together who logged in as 'oracle' directly).

Note you can also allow sudo -i which gives you an interactive shell just like su - would, but you can control sudo configuration centrally.

Simo.

--
Simo Sorce * Red Hat, Inc * New York
Re: [Freeipa-users] IPA and UIDS <500
On 07/19/2012 11:59 AM, Stephen Gallagher wrote:
> On Thu, 2012-07-19 at 16:44 +0100, Innes, Duncan wrote:
>> Does this mean that it's impossible to have IPA authenticate the
>> oracle user or any other user that is normally below 500?
>>
>> Our security team is asking that we manage the passwords of oracle and
>> other users centrally. Can IPA do this for me?
> It's not impossible, but it requires some mangling of your PAM stacks
> in /etc/pam.d/*
>
I think Stephen meant to say that it is in fact possible but not recommended and would require changes to PAM configuration to allow logins for centrally managed users with low UIDs. In IPA you can change the UID of the user manually if you really know what you are doing, but the approach below is much more secure, compliant and elegant.

> That said, it's generally a bad idea to have passwords on users < 500.
> It should not be possible to log into them at all, and instead you
> should rely on granting (restricted) sudo privileges to real users
> allowing them to impersonate the service user instead.
>
> So instead of allowing people to log into the box as 'oracle', they
> should log in as 'myusername' and then run 'sudo -u oracle '.
> This provides better auditing support as well, since you will always
> know which real user modified your database configuration (rather than
> trying to piece together who logged in as 'oracle' directly).

--
Thank you,
Dmitri Pal
Sr. Engineering Manager for IdM portfolio
Red Hat Inc.
Re: [Freeipa-users] IPA and UIDS <500
On Thu, 2012-07-19 at 16:44 +0100, Innes, Duncan wrote:
> Does this mean that it's impossible to have IPA authenticate the
> oracle user or any other user that is normally below 500?
>
> Our security team is asking that we manage the passwords of oracle and
> other users centrally. Can IPA do this for me?

It's not impossible, but it requires some mangling of your PAM stacks in /etc/pam.d/*

That said, it's generally a bad idea to have passwords on users < 500. It should not be possible to log into them at all, and instead you should rely on granting (restricted) sudo privileges to real users allowing them to impersonate the service user instead.

So instead of allowing people to log into the box as 'oracle', they should log in as 'myusername' and then run 'sudo -u oracle '. This provides better auditing support as well, since you will always know which real user modified your database configuration (rather than trying to piece together who logged in as 'oracle' directly).
Re: [Freeipa-users] IPA and UIDS <500
On Thu, 2012-07-19 at 07:36 -0400, Stephen Gallagher wrote:
>
> On Thu, 2012-07-19 at 00:53 +0000, Steven Jones wrote:
> > Actually it's pam, unless IPA is as well.
> >
> > Which makes sense then to have an application run < 500 so inherently it
> > cannot be logged into via ssh
>
> Well, it's possible to configure your system to allow logging in to
> users below 500, but it's not recommended. The real risk is of having
> system services with an ID that conflicts with a user.

In general we do not recommend to set ids on your own, let ipa choose IDs unless you have a constraint that prevents you from letting that happen.

Does this mean that it's impossible to have IPA authenticate the oracle user or any other user that is normally below 500?

Our security team is asking that we manage the passwords of oracle and other users centrally. Can IPA do this for me?

Thanks

Duncan
Re: [Freeipa-users] IPA and UIDS <500
On Thu, 2012-07-19 at 07:36 -0400, Stephen Gallagher wrote:
> On Thu, 2012-07-19 at 00:53 +0000, Steven Jones wrote:
> > Actually it's pam, unless IPA is as well.
> >
> > Which makes sense then to have an application run < 500 so inherently it
> > cannot be logged into via ssh
>
> Well, it's possible to configure your system to allow logging in to
> users below 500, but it's not recommended. The real risk is of having
> system services with an ID that conflicts with a user.

In general we do not recommend to set ids on your own, let ipa choose IDs unless you have a constraint that prevents you from letting that happen.

Simo.

--
Simo Sorce * Red Hat, Inc * New York
Re: [Freeipa-users] IPA and UIDS <500
On Thu, 2012-07-19 at 00:53 +0000, Steven Jones wrote:
> Actually it's pam, unless IPA is as well.
>
> Which makes sense then to have an application run < 500 so inherently it
> cannot be logged into via ssh

Well, it's possible to configure your system to allow logging in to users below 500, but it's not recommended. The real risk is of having system services with an ID that conflicts with a user.
Re: [Freeipa-users] IPA and UIDS <500
Actually it's pam, unless IPA is as well.

Which makes sense then to have an application run < 500 so inherently it cannot be logged into via ssh

regards

Steven Jones
Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ
0064 4 463 6272

From: Stephen Gallagher [sgall...@redhat.com]
Sent: Thursday, 19 July 2012 12:42 p.m.
To: Steven Jones
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] IPA and UIDS <500

On Thu, 2012-07-19 at 00:02 +0000, Steven Jones wrote:
> Hi,
>
> Is there a rule or something that makes users with a UID of less than
> 500 not work?

Yes, on Red Hat and older Fedora systems, UIDs below 500 are reserved for system services such as the apache user. On newer Fedora systems (and most other distributions such as Debian and Ubuntu), the reserved range has been increased to 1000. So it's never safe to use an ID below those values. (And as a general rule, it's best to keep your network IDs above 10,000 to avoid conflicts with local user accounts as well).
Re: [Freeipa-users] IPA and UIDS <500
Hi,

So this is a rule that is hard coded into IPA?

I agree on the principle; unfortunately I have several accounts that do things like apache, run applications on the host

regards

Steven Jones
Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ
0064 4 463 6272

From: Stephen Gallagher [sgall...@redhat.com]
Sent: Thursday, 19 July 2012 12:42 p.m.
To: Steven Jones
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] IPA and UIDS <500

On Thu, 2012-07-19 at 00:02 +0000, Steven Jones wrote:
> Hi,
>
> Is there a rule or something that makes users with a UID of less than
> 500 not work?

Yes, on Red Hat and older Fedora systems, UIDs below 500 are reserved for system services such as the apache user. On newer Fedora systems (and most other distributions such as Debian and Ubuntu), the reserved range has been increased to 1000. So it's never safe to use an ID below those values. (And as a general rule, it's best to keep your network IDs above 10,000 to avoid conflicts with local user accounts as well).
Re: [Freeipa-users] IPA and UIDS <500
On Thu, 2012-07-19 at 00:02 +0000, Steven Jones wrote:
> Hi,
>
> Is there a rule or something that makes users with a UID of less than
> 500 not work?

Yes, on Red Hat and older Fedora systems, UIDs below 500 are reserved for system services such as the apache user. On newer Fedora systems (and most other distributions such as Debian and Ubuntu), the reserved range has been increased to 1000. So it's never safe to use an ID below those values. (And as a general rule, it's best to keep your network IDs above 10,000 to avoid conflicts with local user accounts as well).
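A host-side check of the advice above, added here as an example and not part of the thread: given a candidate UID and a passwd file it rejects the distribution's reserved system range, detects a collision with an existing local account (the risk Stephen names), and flags anything under the 10,000 floor. The thresholds, the function name and the sample passwd excerpt are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the thread. Decides whether a UID proposed for an
# IPA-managed account is safe on a given host by applying the two rules from
# Stephen's reply: never use the distribution's reserved system range, and
# stay above local accounts so a network ID cannot collide with one.
# Thresholds are parameters because the reserved range differs by distro
# (500 on Red Hat / older Fedora, 1000 on newer Fedora, Debian, Ubuntu).

# check_uid UID PASSWD_FILE [SYSTEM_MAX] [NETWORK_MIN]
# Prints a verdict and returns 0 = ok, 1 = reserved for system services,
# 2 = already used by a local account, 3 = below the recommended network
# floor, 4 = not a numeric UID at all.
check_uid() {
    uid=$1 pwfile=$2 sysmax=${3:-500} netmin=${4:-10000}

    case $uid in
        ''|*[!0-9]*) echo "uid '$uid': not a number"; return 4 ;;
    esac
    if [ "$uid" -lt "$sysmax" ]; then
        echo "uid $uid: reserved for system services (below $sysmax)"
        return 1
    fi
    # passwd fields: name:x:uid:gid:gecos:home:shell
    owner=$(awk -F: -v u="$uid" '$3 == u { print $1; exit }' "$pwfile")
    if [ -n "$owner" ]; then
        echo "uid $uid: already used by local account '$owner'"
        return 2
    fi
    if [ "$uid" -lt "$netmin" ]; then
        echo "uid $uid: free now, but below $netmin a later local account could take it"
        return 3
    fi
    echo "uid $uid: ok"
    return 0
}

# Constructed passwd excerpt for a stand-alone run (not from a real host).
SAMPLE_PASSWD=$(mktemp)
trap 'rm -f "$SAMPLE_PASSWD"' EXIT
cat >"$SAMPLE_PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
apache:x:48:48:Apache:/usr/share/httpd:/sbin/nologin
oracle:x:501:501:Oracle DB:/home/oracle:/bin/bash
sjones:x:1000:1000:Steven Jones:/home/sjones:/bin/bash
EOF

# Walk a few candidates so each rule is seen firing once.
for candidate in 48 501 1000 1500 20001; do
    check_uid "$candidate" "$SAMPLE_PASSWD" || true
done
```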
[Freeipa-users] IPA and UIDS <500
Hi,

Is there a rule or something that makes users with a UID of less than 500 not work?

regards

Steven Jones
Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ
0064 4 463 6272