Re: [Freeipa-users] granular sudo commands
> From: freeipa-users-boun...@redhat.com [mailto:freeipa-users-boun...@redhat.com] On Behalf Of Craig White
> Sent: Wednesday, April 08, 2015 4:53 PM
> To: freeipa-users@redhat.com
> Subject: [Freeipa-users] granular sudo commands
>
> [quoted original post snipped]

Answering my own question - really complicated testing because sss_cache has no way of clearing cached sudo rules in the version I am using, I found that keeping a root shell on the test system and...

    rm /var/lib/sss/db/cache*.ldb

and restarting sssd allowed me to actually change rules for testing purposes.

    /bin/su - weblogic

was the rule that actually worked.

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
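A quick check for the symptom in this thread, added here as an example and not code from the thread or from FreeIPA: sudo resolves what the user typed to a full path ('/bin/su - weblogic' in the error above) and compares that against the first word of each rule's command spec, so a spec like "sudo su - weblogic" can never match. The script lints "sudo -l" output for such specs; the sample listings are reconstructed from the thread and the NOPASSWD line is constructed.

```sh
#!/bin/sh
# Added example (not from the list thread): lint the command list that
# "sudo -l" prints.  sudo matches the resolved path of the command the user
# runs (here /bin/su) against the first word of each command spec, so a spec
# whose first word is not an absolute path, such as "sudo su - weblogic",
# can never match.  That is the symptom reported in the thread.

# Sample "sudo -l" output, reconstructed from the thread's listing.
SAMPLE_SUDO_L=$(cat <<'EOF'
Matching Defaults entries for test2.user on this host:
    requiretty, !visiblepw, always_set_home, env_reset

User test2.user may run the following commands on this host:
    (ALL) sudo su - tomcat, sudo su - weblogic
EOF
)

# The same listing after the rules are rewritten with full paths (constructed).
FIXED_SUDO_L=$(cat <<'EOF'
User test2.user may run the following commands on this host:
    (ALL) /bin/su - tomcat, NOPASSWD: /bin/su - weblogic
EOF
)

# Read "sudo -l" output on stdin and print one verdict per command spec.
# Exit status 0 if every spec can match, 1 if at least one never will.
lint_sudo_l() {
    sed -n '/may run the following commands/,$p' |   # keep the command section
    grep '^[[:space:]]*(' |                          # lines like "(ALL) cmd1, cmd2"
    sed 's/^[[:space:]]*([^)]*)[[:space:]]*//' |     # drop the "(runas)" prefix
    tr ',' '\n' |                                    # one spec per line
    awk '
        /^[ \t]*$/ { next }
        {
            sub(/^[ \t]+/, "")
            i = 1
            while (i <= NF && $i ~ /^[A-Z_]+:$/) i++   # skip tags such as NOPASSWD:
            if ($i == "ALL" || $i ~ /^\//) print "ok       : " $0
            else { print "NO MATCH : " $0 "  (\"" $i "\" is not an absolute path)"; bad++ }
        }
        END { exit (bad > 0) }'
}

# Exit status 1 lets a provisioning script refuse a rule set that can never match.
printf '%s\n' "$SAMPLE_SUDO_L" | lint_sudo_l || echo "=> some rules can never match"
printf '%s\n' "$FIXED_SUDO_L"  | lint_sudo_l || echo "=> some rules can never match"
```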
Re: [Freeipa-users] granular sudo commands
For all my sudo commands I do

    sudo command_name_here

> From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on behalf of Craig White [cwh...@skytouchtechnology.com]
> Sent: Thursday, April 09, 2015 1:52 AM
> To: freeipa-users@redhat.com
> Subject: [Freeipa-users] granular sudo commands
>
> [quoted original post snipped]
[Freeipa-users] granular sudo commands
rpm -q sssd
sssd-1.11.6-30.el6_6.4.x86_64
rpm -q ipa-client
ipa-client-3.0.0-42.el6.x86_64

[test2.user@app001 ~]$ sudo su - weblogic
[sudo] password for test2.user:
Sorry, user test2.user is not allowed to execute '/bin/su - weblogic' as root on app001.stt.local.
[test2.user@app001 ~]$ sudo -l
[sudo] password for test2.user:
Matching Defaults entries for test2.user on this host:
    requiretty, !visiblepw, always_set_home, env_reset,
    env_keep=COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS,
    env_keep+=MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE,
    env_keep+=LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES,
    env_keep+=LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE,
    env_keep+=LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY,
    secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin, !requiretty

User test2.user may run the following commands on this host:
    (ALL) sudo su - tomcat, sudo su - weblogic

How should the actual command be entered? I have tried...

    Su - weblogic (ignore autocapitalization)
    /bin/su - weblogic
    Sudo su - weblogic
    Sudo /bin/su - weblogic

But none seem to actually work.

Craig White