Hi. I have a test freeipa server setup.
It is generally working fine, however I have found one major issue. Even though a user only has one service enabled, 'sshd', that user can su / su - to root. I can confirm I have deleted the allow_all HBAC rule, and can confirm rules are generally working, i.e. if I remove sshd from the allowed services the user cannot log in. Using ipa hbactest, sshd is granted and su is not.

Also I have tested that the user cannot su / su - to [non-root-user]:
------------------
[mcox@ipaclient2 ~]$ su - mcox2
Password:
su: Permission denied
------------------
but they can su - (to root). When I su I see in /var/log/secure:
----------------
Apr 26 17:26:28 ipaclient2 su: pam_unix(su:session): session opened for user root by mcox2(uid=1374400008)
----------------
Looking at the logs in /var/log/sssd, when I su only the sssd_nss.log seems to grow (debug_log = 9 is enabled):
--------------------------
(Thu Apr 26 17:27:52 2018) [sssd[nss]] [get_client_cred] (0x4000): Client creds: euid[0] egid[1374400008] pid[1759].
(Thu Apr 26 17:27:52 2018) [sssd[nss]] [setup_client_idle_timer] (0x4000): Idle timer re-set for client [0x55937ee13a10][21]
(Thu Apr 26 17:27:52 2018) [sssd[nss]] [accept_fd_handler] (0x0400): Client connected!
(Thu Apr 26 17:27:52 2018) [sssd[nss]] [sss_cmd_get_version] (0x0200): Received client version [1].
(Thu Apr 26 17:27:52 2018) [sssd[nss]] [sss_cmd_get_version] (0x0200): Offered version [1].
(Thu Apr 26 17:27:52 2018) [sssd[nss]] [nss_getby_name] (0x0400): Input name: root
(Thu Apr 26 17:27:52 2018) [sssd[nss]] [cache_req_set_plugin] (0x2000): CR #52: Setting "Initgroups by name" plugin
(Thu Apr 26 17:27:52 2018) [sssd[nss]] [cache_req_send] (0x0400): CR #52: New request 'Initgroups by name'
(Thu Apr 26 17:27:52 2018) [sssd[nss]] [cache_req_process_input] (0x0400): CR #52: Parsing input name [root]
(Thu Apr 26 17:27:52 2018) [sssd[nss]] [sss_parse_name_for_domains] (0x0200): name 'root' matched without domain, user is root
(Thu Apr 26 17:27:52 2018) [sssd[nss]] [cache_req_set_name] (0x0400): CR #52: Setting name [root]
(Thu Apr 26 17:27:52 2018) [sssd[nss]] [cache_req_select_domains] (0x0400): CR #52: Performing a multi-domain search
(Thu Apr 26 17:27:52 2018) [sssd[nss]] [cache_req_search_domains] (0x0400): CR #52: Search will check the cache and check the data provider
(Thu Apr 26 17:27:52 2018) [sssd[nss]] [cache_req_validate_domain_type] (0x2000): Request type POSIX-only for domain cpgbpc.local type POSIX is valid
(Thu Apr 26 17:27:52 2018) [sssd[nss]] [cache_req_set_domain] (0x0400): CR #52: Using domain [cpgbpc.local]
(Thu Apr 26 17:27:52 2018) [sssd[nss]] [cache_req_prepare_domain_data] (0x0400): CR #52: Preparing input data for domain [cpgbpc.local] rules
(Thu Apr 26 17:27:52 2018) [sssd[nss]] [cache_req_search_send] (0x0400): CR #52: Looking up root@cpgbpc.local
(Thu Apr 26 17:27:52 2018) [sssd[nss]] [cache_req_search_ncache] (0x0400): CR #52: Checking negative cache for [root@cpgbpc.local]
(Thu Apr 26 17:27:52 2018) [sssd[nss]] [sss_ncache_check_str] (0x2000): Checking negative cache for [NCE/USER/cpgbpc.local/root@cpgbpc.local]
(Thu Apr 26 17:27:52 2018) [sssd[nss]] [cache_req_search_ncache] (0x0400): CR #52: [root@cpgbpc.local] does not exist (negative cache)
(Thu Apr 26 17:27:52 2018) [sssd[nss]] [cache_req_process_result] (0x0400): CR #52: Finished: Not found
(Thu Apr 26 17:27:52 2018) [sssd[nss]] [nss_protocol_done] (0x4000): Sending reply: not found
(Thu Apr 26 17:27:54 2018) [sssd[nss]] [client_idle_handler] (0x2000): Terminating idle client [0x55937ee0faf0][22]
(Thu Apr 26 17:27:54 2018) [sssd[nss]] [client_close_fn] (0x2000): Terminated client [0x55937ee0faf0][22]
(Thu Apr 26 17:27:54 2018) [sssd[nss]] [client_idle_handler] (0x2000): Terminating idle client [0x55937ee12d80][23]
(Thu Apr 26 17:27:54 2018) [sssd[nss]] [client_close_fn] (0x2000): Terminated client [0x55937ee12d80][23]
--------------------------
Can anyone help me prevent a user being able to su / su - to root?

If it helps, my /etc/pam.d/system-auth config is here: https://pastebin.com/J3THY44c

Regards
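An added example, not from the original post or the FreeIPA project: the quoted /var/log/secure line shows the su session being opened by pam_unix for the local root account, which sssd reports as not found, so the caller's HBAC rule is not the control that decides a su to root. The script below flags su-to-root sessions by non-root callers in the post's log format and checks whether /etc/pam.d/su limits su to the wheel group via pam_wheel; the log lines and the pam.d fragments are constructed samples.

```shell
#!/bin/sh
# Added example, not from the original post. The log lines below are
# constructed to match the /var/log/secure format quoted in the post.

SAMPLE_LOG='Apr 26 17:26:28 ipaclient2 su: pam_unix(su:session): session opened for user root by mcox2(uid=1374400008)
Apr 26 17:30:01 ipaclient2 su: pam_unix(su:session): session opened for user mcox2 by mcox(uid=1374400001)
Apr 26 17:31:10 ipaclient2 su: pam_unix(su:session): session opened for user root by root(uid=0)
Apr 26 17:32:00 ipaclient2 sshd[1234]: Accepted publickey for mcox from 10.0.0.5 port 5555 ssh2'

# Print "<caller> <uid>" for each su session opened for root by a caller
# whose uid is not 0, i.e. every privilege escalation through su.
# $1: log text (use "$(cat /var/log/secure)" on a real host).
root_su_escalations() {
    printf '%s\n' "$1" |
    sed -n 's/.* su: pam_unix(su:session): session opened for user root by \([^(]*\)(uid=\([0-9]*\)).*/\1 \2/p' |
    awk '$2 != 0'
}

# Succeed (exit 0) when the given /etc/pam.d/su content has an active,
# uncommented "auth required pam_wheel.so" line, which limits su to
# members of the wheel group; fail otherwise.
# $1: file content (use "$(cat /etc/pam.d/su)" on a real host).
pam_su_restricts_wheel() {
    printf '%s\n' "$1" |
    grep -Eq '^[[:space:]]*auth[[:space:]]+required[[:space:]]+pam_wheel\.so'
}

# Constructed /etc/pam.d/su fragments: stock-style (pam_wheel commented
# out) and hardened (pam_wheel active).
PAM_SU_DEFAULT='auth            sufficient      pam_rootok.so
#auth           required        pam_wheel.so use_uid
auth            include         system-auth'
PAM_SU_HARDENED='auth            sufficient      pam_rootok.so
auth            required        pam_wheel.so use_uid
auth            include         system-auth'

echo "su-to-root escalations by non-root callers:"
root_su_escalations "$SAMPLE_LOG"
for cfg in "$PAM_SU_DEFAULT" "$PAM_SU_HARDENED"; do
    if pam_su_restricts_wheel "$cfg"; then
        echo "pam_wheel restriction: present"
    else
        echo "pam_wheel restriction: MISSING"
    fi
done
```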
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org