Are you using a SUDO domain, and LDAP as your sudo and id provider? What does your sssd look like? If you have the sudoers object class in LDAP you can match users/groups, or deny certain hosts or certain users/groups:

sudoUser: %MyGroup
sudoUser: !YourGroup
sudoHost: !Notthishost.example.com
sudoHost: ALL
sudoCommand: ALL
sudoCommand: !shutdown

Here is a generic sample of what I use:

[domain/SUDO]
id_provider = ldap
sudo_provider = ldap
ldap_uri = ldaps://myldap.example.com
ldap_tls_cacertdir = /etc/openssl/
ldap_tls_cacert = /etc/openssl/cacert.pem
ldap_tls_cipher_suite = SSLv3
ldap_sudo_search_base = ou=sudoers,dc=example,dc=com
ldap_user_search_base = ou=people,dc=example,dc=com
ldap_group_search_base = ou=group,dc=example,dc=com
ldap_search_base = dc=example,dc=com
ldap_group_member = memberUid
ldap_schema = rfc2307
cache_credentials = false
ldap_purge_cache_timeout = 20
entry_cache_timeout = 20
ldap_enumeration_refresh_timeout = 20

> On January 17, 2020 at 4:24 AM Jakub Hrozek <[email protected]> wrote:
>
>
> On Fri, Jan 17, 2020 at 11:23:25AM +0100, Pavel Březina wrote:
> > On 1/17/20 8:40 AM, Jannis Mann wrote:
> > > Hi,
> > > I've implemented sssd with id, auth and access provider as ldap. So I am
> > > using a binding account and didn't join the domain with the server.
> > >
> > > In general everything works. Only members of the mentioned SG within the
> > > sssd.conf can log in to the server, just as I wish.
> > >
> > > However, as a sudo user I can run something like the following:
> > >
> > > sudo su - UserThatIsNotAllowed
> > >
> > > So I (a sudo user) can switch to any user that is within the search base
> > > I've specified in the sssd.conf, but these users are not allowed to use
> > > the server.
> > >
> > > I understand that it is not the user himself who is logging in, but I
> > > actually don't want sudo users to be able to switch to users that aren't
> > > allowed on the server.
> > >
> > > I'd like it to be only allowed to switch to users that are allowed on the
> > > server, and to local accounts of course.
> > >
> > >
> > > Is this normal behaviour? Can it be changed?
> > >
> > > Thank you!
> > > Jannis
> >
> > So you want to be able to run 'sudo su - AllowedUser', but not all users are
> > allowed, right?
> >
> > Sudo rules can also match command parameters, so in theory you could create a
> > rule to allow the commands "/bin/su - User1", "/bin/su - User2" ... but if you
> > have many users, it would be tedious.
> >
> > If the purpose is to allow specific users to be able to call all commands as
> > an allowed user, it would be better to use the runAsUser ability of sudo (to
> > run the command as a specific user instead of root) and just set up a rule
> > like:
> >
> > sudoUser: my-user
> > sudoHost: ALL
> > sudoCommand: ALL
> > sudoRunAsUser: allowed-user
>
> Couldn't you also put sudo into the acct pam substack? IIRC RHEL started
> doing that some time ago..
> _______________________________________________
> sssd-users mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
> Fedora Code of Conduct:
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
> https://lists.fedorahosted.org/archives/list/[email protected]
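The two rule styles discussed in this thread (the negated sudoUser/sudoHost/sudoCommand values in the reply above, and the sudoRunAsUser rule Pavel suggests) are easier to reason about with a small evaluator. The script below is an added example for this page; it is not code from the thread, from sudo or from SSSD. It models the matching semantics of sudoers.ldap(5) as I read them: within one sudoRole a matching negated ('!') value vetoes that attribute no matter the order the directory returns values in (the "paranoid" rule), a role without sudoRunAsUser runs commands as root, and sudoOrder is ignored so any fully matching role grants. The LDIF, the group names ops and contractors, the users my-user and allowed-user, and the host names are all constructed for the demo. sudo compares sudoCommand against the fully qualified path, so the deny uses /sbin/shutdown rather than a bare name. On a real host the authoritative check is `sudo -l -U <user>`.

```python
"""Toy evaluator for LDAP sudoRole entries (added example, not from the thread).

Assumed semantics, modelled on sudoers.ldap(5) as I read it: a matching '!'
value vetoes the attribute regardless of order; no sudoRunAsUser means root;
sudoOrder is ignored (any fully matching role grants). Verify on a real host
with `sudo -l -U <user>`.
"""
from typing import Callable, Dict, List

# Constructed LDIF with hypothetical names; no real directory is involved.
SAMPLE_LDIF = """\
dn: cn=ops,ou=sudoers,dc=example,dc=com
objectClass: sudoRole
cn: ops
sudoUser: %ops
sudoUser: !%contractors
sudoHost: ALL
sudoHost: !notthishost.example.com
sudoCommand: ALL
sudoCommand: !/sbin/shutdown

dn: cn=deploy-as-appuser,ou=sudoers,dc=example,dc=com
objectClass: sudoRole
cn: deploy-as-appuser
sudoUser: my-user
sudoHost: ALL
sudoRunAsUser: allowed-user
sudoCommand: ALL
"""


def parse_ldif(text: str) -> List[Dict[str, List[str]]]:
    """Minimal LDIF reader: 'attr: value' lines, blank line between entries.
    Attribute names are lower-cased (LDAP treats them case-insensitively)."""
    entries, current = [], {}
    for line in text.splitlines() + [""]:      # trailing "" flushes last entry
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr.strip().lower(), []).append(value.strip())
    return [e for e in entries
            if any(v.lower() == "sudorole" for v in e.get("objectclass", []))]


def _match_list(values: List[str], matches: Callable[[str], bool]) -> bool:
    """Paranoid evaluation of one multi-valued attribute: a matching negated
    value vetoes the whole attribute; otherwise one positive match is needed."""
    positive = False
    for raw in values:
        negated = raw.startswith("!")
        value = raw[1:] if negated else raw
        if matches(value):
            if negated:
                return False          # '!' wins whatever the attribute order
            positive = True
    return positive


def _user_pred(user: str, groups: List[str]) -> Callable[[str], bool]:
    """ALL, %group (member of group) or a literal user name."""
    return lambda v: v == "ALL" or (v[1:] in groups if v.startswith("%") else v == user)


def _cmd_pred(command: str) -> Callable[[str], bool]:
    """sudoCommand is a fully qualified path, optionally with arguments;
    a value without arguments matches any argument list for that path."""
    cpath, _, cargs = command.partition(" ")

    def pred(v: str) -> bool:
        if v == "ALL":
            return True
        path, _, args = v.partition(" ")
        return path == cpath and (args == "" or args == cargs)
    return pred


def allowed(roles, user: str, groups: List[str], host: str,
            command: str, runas: str = "root") -> bool:
    """True if some role lets `user` run `command` as `runas` on `host`."""
    for role in roles:
        if (_match_list(role.get("sudouser", []), _user_pred(user, groups))
                and _match_list(role.get("sudohost", []),
                                lambda v: v == "ALL" or v.lower() == host.lower())
                and _match_list(role.get("sudorunasuser", ["root"]),
                                lambda v: v == "ALL" or v == runas)
                and _match_list(role.get("sudocommand", []), _cmd_pred(command))):
            return True
    return False


if __name__ == "__main__":
    roles = parse_ldif(SAMPLE_LDIF)
    # Jannis's situation: 'sudoCommand: ALL' as root still permits 'sudo su - anyone'.
    print(allowed(roles, "alice", ["ops"], "web01.example.com", "/bin/su - nobody"))
    # Pavel's alternative: runas is pinned, so running su as root no longer matches,
    print(allowed(roles, "my-user", [], "web01.example.com", "/bin/su - nobody"))
    # while 'sudo -u allowed-user /bin/bash' does.
    print(allowed(roles, "my-user", [], "web01.example.com", "/bin/bash", runas="allowed-user"))
```

Running it prints True, False, True: the ops role (ALL as root, minus shutdown) still lets a member run `sudo su - nobody`, which is exactly what Jannis observed, because the command is su, executed as root, and nothing in the rule looks at su's target. The deploy-as-appuser role only matches when the requested run-as user is allowed-user, so `sudo su - X` (run-as root) is refused while `sudo -u allowed-user ...` is granted; per-target control therefore has to come from sudoRunAsUser or from enumerating `/bin/su - User` commands, not from the sssd access provider, which only gates the account that logs in.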
