[Freeipa-users] stopping su -

Steven Jones Steven.Jones at vuw.ac.nz
Tue Jul 17 22:04:01 UTC 2012


but presumably I can control sudo with IPA?


regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272

________________________________________
From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Dmitri Pal [dpal at redhat.com]
Sent: Tuesday, 17 July 2012 11:07 p.m.
To: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] stopping su -

On 07/17/2012 12:40 AM, Steven Jones wrote:
> Hi,
>
> I could do,
>
> auth    required        pam_wheel.so    root_only use_uid
>
> But I really want to do this with IPA, or I have to get on each server and add and remove admins by hand (hint: 300 servers)... that is the idea of something like IPA for me... do it once centrally.
>
> I assume simo's hint is,
>
>  sudo -i su - oracle

AFAIU if you are looking for a centrally managed setting you need to use sudo.
With su and HBAC, IPA can just control which user can authenticate using
"su", but not for local users like root.

I think that if the oracle user is centrally managed you would be able
to define an HBAC rule that would prevent oracle user from doing su on a
group of hosts, but I doubt that this is what you want.
Seems like sudo will give you much more flexibility.

> I will have to experiment.
>
> regards
>
> Steven Jones
>
> Technical Specialist - Linux RHCE
>
> Victoria University, Wellington, NZ
>
> 0064 4 463 6272
>
> ________________________________________
> From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Erinn Looney-Triggs [erinn.looneytriggs at gmail.com]
> Sent: Tuesday, 17 July 2012 4:31 p.m.
> To: freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] stopping su -
>
> On 07/16/2012 01:47 PM, Steven Jones wrote:
>> Hi,
>>
>> OK, so to confirm this can't be done in a centralised way via IPA?
>>
>> In which case, when setting an HBAC with sshd only, why can't I su - oracle but I can su - root?
>>
>> regards
>>
>> Steven Jones
>>
>> Technical Specialist - Linux RHCE
>>
>> Victoria University, Wellington, NZ
>>
>> 0064 4 463 6272
>>
>> ________________________________________
>> From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Erinn Looney-Triggs [erinn.looneytriggs at gmail.com]
>> Sent: Tuesday, 17 July 2012 9:38 a.m.
>> To: freeipa-users at redhat.com
>> Subject: Re: [Freeipa-users] stopping su -
>>
>> On 07/16/2012 01:32 PM, Steven Jones wrote:
>>> I have created an sshd rule only for the HBAC, but I find a std user can
>>> su - to root, is this correct behavior?
>>>
>>> How do I (or can I) stop this unless explicitly allowed?
>>>
>>> regards
>>>
>>> Steven Jones
>>>
>>> Technical Specialist - Linux RHCE
>>>
>>> Victoria University, Wellington, NZ
>>>
>>> 0064 4 463 6272
>>>
>>>
>>>
>>> _______________________________________________
>>> Freeipa-users mailing list
>>> Freeipa-users at redhat.com
>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>>
>>
>> You need to control this via PAM. So for me I restrict su to only be
>> allowed for members of the wheel group, from /etc/pam.d/su:
>>
>> auth    required        pam_wheel.so    use_uid
>>
>> There are comments in the file that will get you where you want to go.
>>
>> -Erinn
>>
>>
> I can't speak to whether it can or cannot be done centrally in any sort
> of authoritative way; it might be possible there are HBAC settings for su,
> and I can't really answer your question about su-ing to oracle.
>
> -Erinn
>


--
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.
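As an added example (not code from any of the posters), here is a small POSIX shell audit for the pam_wheel.so restriction Erinn describes: it reports whether an uncommented "auth required pam_wheel.so ... use_uid" line in a pam.d/su-style file comes before the stack hands off to the password modules (pam_unix/pam_sss or a substack/include of system-auth). The function names and the two sample files are constructed for this illustration.

```shell
#!/bin/sh
# Added example, not from the thread. check_su_wheel FILE exits 0 only when
# an active "auth required|requisite pam_wheel.so ... use_uid" line appears
# before a non-wheel user would be prompted for the target password, i.e.
# before pam_unix/pam_sss or a substack/include of system-auth. Exits 1 otherwise.
check_su_wheel() {
    awk '
        /^[[:space:]]*#/ || NF == 0 { next }            # comments and blank lines
        $1 != "auth" { next }                            # only the auth stack matters
        $2 == "include" || $2 == "substack" { exit }     # handed off to system-auth
        $3 ~ /pam_wheel\.so/ && ($2 == "required" || $2 == "requisite") && /use_uid/ {
            ok = 1; exit                                 # wheel check reached first
        }
        $3 ~ /pam_(unix|sss)\.so/ { exit }               # password prompt reached first
        END { if (ok) exit 0; exit 1 }
    ' "$1"
}

# Constructed samples: the stock RHEL-style layout with the wheel line still
# commented out (weak), and the same file with it enabled (hardened).
sample_weak_su() {
    printf '%s\n' \
        'auth      sufficient  pam_rootok.so' \
        '#auth     required    pam_wheel.so use_uid' \
        'auth      substack    system-auth' \
        'account   include     system-auth' \
        'session   include     system-auth'
}
sample_hardened_su() {
    sample_weak_su | sed 's/^#auth/auth/'
}

# Demo: write both samples to a temp dir and report each verdict.
tmp=$(mktemp -d) && trap 'rm -rf "$tmp"' EXIT
sample_weak_su     > "$tmp/su.weak"
sample_hardened_su > "$tmp/su.hardened"
for f in "$tmp/su.weak" "$tmp/su.hardened"; do
    if check_su_wheel "$f"; then
        echo "$f: su restricted to wheel members"
    else
        echo "$f: su NOT restricted (any user is asked for the target password)"
    fi
done
```

Run it against the real file with `check_su_wheel /etc/pam.d/su` to verify a host after the change; note that pam_wheel's `root_only` variant only applies the group check when the target user is root.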




