[Freeipa-devel] Scripting the SUDO setup for a client

JR Aquino JR.Aquino at citrix.com
Fri Feb 18 14:20:07 UTC 2011


On 2/18/11 5:49 AM, "Simo Sorce" <ssorce at redhat.com> wrote:

>On Fri, 18 Feb 2011 13:18:36 +0000
>JR Aquino <JR.Aquino at citrix.com> wrote:
>
>> I'm afraid not Simo.
>> As you recall, both /etc/sudoers and the 2 Sudo containers in FreeIPA
>> are protected.  There is a deliberate default ACI which prevents
>> anonymous users from enumerating everyone's Sudo information.
>> 
>> This means it is necessary for Sudo to initiate some form of
>> authenticated bind.
>> 
>> And as we discovered, the SUDO SASL implementation is suboptimal in
>> that it seems to want a cronjob to sit around kinit'ing
>> the /etc/krb5.keytab in order to use its ccache.
>
>Ouch, I forgot about the ACIs ... I guess we should document how to
>remove them as an alternative too ?
>
>Simo.

There is indeed a ticket to create a 2.1 feature for opening the ACI.

Documentation for opening the default ACI will be written in red for those
who wish to ignore best security practices...

By default the ACIs were decided to prohibit anonymous access.

On a standalone system /etc/sudoers is set to root:root with 440.

Sudo information is critically sensitive security information that should
be treated at a similar level to passwords in terms of protections.

A binduser is instead suggested as a means to accommodate sudo, and it is
written into the beginnings of the documentation.
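The bind-user approach discussed in this thread ends up as a `binddn`/`bindpw` pair in the client's sudo-ldap.conf, which turns that file into a credential file that needs the same protection the message asks for /etc/sudoers (root-owned, mode 440). The following script is an added example, not code from FreeIPA or from anyone on this thread: it parses a sudo-ldap.conf, flags the anonymous-bind case that the default ACI rejects, and checks that a file carrying `bindpw` is root-owned, not group-writable or world-readable, and talking to the server over TLS. The sample configurations are constructed; the `uid=sudo,cn=sysaccounts,cn=etc,...` bind DN and the `dc=example,dc=com` suffix are assumed placeholders, and the `audit()`/`parse_sudo_ldap_conf()` names are this example's own.

```python
"""Audit a sudo-ldap.conf for the FreeIPA bind-user pattern (added example)."""
import os
import stat
from dataclasses import dataclass


@dataclass
class ConfState:
    settings: dict   # parsed key -> value
    mode: int        # permission bits only, e.g. 0o440
    owner: int       # numeric uid of the file owner


# Constructed sample: bind user plus STARTTLS, as the documentation suggests.
GOOD_CONF = """
uri ldap://ipa.example.com
sudoers_base ou=sudoers,dc=example,dc=com
binddn uid=sudo,cn=sysaccounts,cn=etc,dc=example,dc=com   # assumed placeholder DN
bindpw CHANGEME-placeholder
ssl start_tls
tls_cacertfile /etc/ipa/ca.crt
"""

# Constructed sample: no binddn, so sudo would bind anonymously.
ANON_CONF = """
uri ldap://ipa.example.com
sudoers_base ou=sudoers,dc=example,dc=com
"""


def parse_sudo_ldap_conf(text: str) -> dict:
    """Parse 'key value' lines; '#' starts a comment, keys are case-insensitive."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        settings[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return settings


def audit(state: ConfState) -> list:
    """Return a list of findings; an empty list means the file passes."""
    s = state.settings
    findings = []
    uri = s.get("uri", "")
    if "sudoers_base" not in s:
        findings.append("sudoers_base missing: sudo cannot locate the sudo container")
    if "binddn" not in s:
        findings.append("no binddn: sudo binds anonymously, which the default "
                        "FreeIPA ACI rejects for the sudo containers")
    tls_on = s.get("ssl", "").lower() in ("on", "yes", "true", "start_tls") \
        or uri.startswith("ldaps://")
    if "bindpw" in s:
        # Group write, group execute or any 'other' bit is too loose for a credential file.
        if state.mode & (stat.S_IRWXO | stat.S_IWGRP | stat.S_IXGRP):
            findings.append("bindpw present but mode %o is wider than 0440" % state.mode)
        if state.owner != 0:
            findings.append("bindpw present but file is not owned by root")
        if not tls_on:
            findings.append("bindpw present but no ssl/ldaps: password crosses the wire in clear")
    return findings


def audit_file(path: str) -> list:
    """Audit a real file on disk using its actual ownership and mode."""
    st = os.stat(path)
    with open(path) as fh:
        settings = parse_sudo_ldap_conf(fh.read())
    return audit(ConfState(settings, stat.S_IMODE(st.st_mode), st.st_uid))


if __name__ == "__main__":
    for name, text, mode in (("good", GOOD_CONF, 0o440), ("anonymous", ANON_CONF, 0o644)):
        print(name, audit(ConfState(parse_sudo_ldap_conf(text), mode, 0)) or "OK")
```

Run `audit_file("/etc/sudo-ldap.conf")` on a client to check a deployed file; the sample states in the block exercise the same checks without touching the filesystem.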
