On Fri, Jan 17, 2020 at 11:23:25AM +0100, Pavel Březina wrote:
> On 1/17/20 8:40 AM, Jannis Mann wrote:
> > Hi,
> > I've implemented sssd with id, auth and access provider as ldap. So I am
> > using a binding account and didn't join the domain with the server.
> >
> > In general everything works. Only members of the mentioned SG within the
> > sssd.conf can login to the server, just as I wish to.
> >
> > However, as sudo user I can run something like the following
> >
> > sudo su - UserThatIsNotAllowed
> >
> > So I (a sudo user) can switch to any user that is within the search base
> > I've specified in the sssd.conf
> > But these users are not allowed to use the server.
> >
> > I understand that it is not the user himself who is logging in, but I actually
> > don't want sudo users to be able to switch to users that aren't allowed
> > on the server.
> >
> > I'd like it to be only allowed to switch to users that are allowed on
> > the server, or local accounts of course.
> >
> > Is this normal behaviour? Can it be changed?
> >
> > Thank you!
> > Jannis
>
> So you want to be able to run 'sudo su - AllowedUser' but not all users are
> allowed, right?
>
> Sudo rules can also match command parameters so in theory you could create
> rules to allow the commands "/bin/su - User1", "/bin/su - User2" ... but if you
> have many users, it would be tedious.
>
> If the purpose is to allow specific users to be able to call all commands as
> an allowed user, it would be better to use the runAsUser ability of sudo (to run
> the command as a specific user instead of root) and just set up a rule like:
>
> sudoUser: my-user
> sudoHost: ALL
> sudoCommand: ALL
> sudoRunAsUser: allowed-user
Couldn't you also put sudo into the acct pam substack? IIRC RHEL started doing that some time ago..

_______________________________________________
sssd-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
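As an added illustration of the rule Pavel sketches (this is not code from the thread), here is the complete sudoRole entry as it would be stored in LDAP for sssd's sudo provider. The DN, the ou=SUDOers container, the dc=example,dc=com base and the names my-user and allowed-user are assumptions; the attribute names (sudoUser, sudoHost, sudoCommand, sudoRunAsUser, sudoOrder) are the standard sudo LDAP schema. The important property is that the rule grants "ALL" commands only with sudoRunAsUser: allowed-user and grants nothing as root, so "sudo su - AnyUser" is denied while "sudo -u allowed-user -i" still gives my-user a shell as the allowed account.

```ldif
# Added example, not from the original thread. Assumed base DN and user names.
dn: cn=su-to-allowed-user,ou=SUDOers,dc=example,dc=com
objectClass: top
objectClass: sudoRole
cn: su-to-allowed-user
# who may invoke sudo; "%group-name" would match a group instead of a user
sudoUser: my-user
sudoHost: ALL
# the only target identity this rule allows; root is deliberately absent,
# so "sudo su - UserThatIsNotAllowed" (which needs root) no longer matches
sudoRunAsUser: allowed-user
sudoCommand: ALL
sudoOrder: 10
```

For sssd to serve this rule, sssd.conf needs "sudo" in the services list and sudo_provider = ldap (with ldap_sudo_search_base pointing at the ou=SUDOers container if it is outside the default search base), and /etc/nsswitch.conf needs "sudoers: files sss". After adding the entry, "sss_cache -E" (or waiting for the sudo refresh interval) makes it visible, and "sudo -l -U my-user" on the host should list "(allowed-user) ALL" and nothing for root; "sudo -u allowed-user -i" is then the intended way to obtain the shell.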
