[Freeipa-users] stopping su -

Steven Jones Steven.Jones at vuw.ac.nz
Tue Jul 17 04:40:10 UTC 2012


Hi,

I could do,

auth    required        pam_wheel.so    root_only use_uid

But I really want to do this with IPA, or I have to get on each server and add and remove admins by hand (hint 300 servers)...that is the idea of something like IPA for me....do it once centrally.

I assume simo's hint is,

 sudo -i su - oracle

I will have to experiment.

regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272

________________________________________
From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Erinn Looney-Triggs [erinn.looneytriggs at gmail.com]
Sent: Tuesday, 17 July 2012 4:31 p.m.
To: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] stopping su -

On 07/16/2012 01:47 PM, Steven Jones wrote:
> Hi,
>
> OK, so to confirm this cant be done in a centralised way via IPA?
>
> In which case when setting a HBAC with sshd only why cant i su - oracle but I can su - root?
>
> regards
>
> Steven Jones
>
> Technical Specialist - Linux RHCE
>
> Victoria University, Wellington, NZ
>
> 0064 4 463 6272
>
> ________________________________________
> From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Erinn Looney-Triggs [erinn.looneytriggs at gmail.com]
> Sent: Tuesday, 17 July 2012 9:38 a.m.
> To: freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] stopping su -
>
> On 07/16/2012 01:32 PM, Steven Jones wrote:
>> I have created a sshd rule only for the HBAC, but I find a std user can
>> su - to root, is this correct behavior?
>>
>> How do I? or can I? stop this unless explicitly allowed?
>>
>> regards
>>
>> Steven Jones
>>
>> Technical Specialist - Linux RHCE
>>
>> Victoria University, Wellington, NZ
>>
>> 0064 4 463 6272
>>
>>
>>
>> _______________________________________________
>> Freeipa-users mailing list
>> Freeipa-users at redhat.com
>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>
>
>
> You need to control this via PAM. So for me I restrict su to only be
> allowed for members of the wheel group, from /etc/pam.d/su:
>
> auth    required        pam_wheel.so    use_uid
>
> There are comments in the file that will get you where you want to go.
>
> -Erinn
>
>

I can't speak to whether it can or cannot be done centrally in any sort
of authoritative way; it might be possible there are HBAC settings for su,
and I can't really answer your question about su'ing to oracle.

-Erinn
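A way to see which of those 300 hosts actually carry the pam_wheel line Erinn describes, as an added example that is not part of the thread: a POSIX shell function that parses a pam.d/su file and reports whether an active pam_wheel.so auth restriction is present (and whether it is root_only, as in Steven's line). The sample files it runs over are constructed here; on a real host you would point it at /etc/pam.d/su and collect the output centrally.

```shell
#!/bin/sh
# Added example, not from the list thread: audit an /etc/pam.d/su file for the
# pam_wheel.so control Erinn describes, so the state of many hosts can be
# collected centrally instead of checked by hand. Assumes the control field uses
# the keyword form (required, requisite, ...), not the bracketed [success=...] syntax.
# pam_wheel_status FILE prints "enforced", "enforced root_only" (only su to uid 0
# is restricted) or "not_enforced" (line absent or commented out, the stock default).
pam_wheel_status() {
    awk '
        { sub(/#.*/, "") }                            # drop comments; commented lines become empty
        $1 == "auth" && $3 ~ /(^|\/)pam_wheel\.so$/ {
            opts = ""
            for (i = 4; i <= NF; i++) opts = opts " " $i
            # "deny" reverses the module, so it is not a restriction; a lone
            # "sufficient ... trust" line only waives the password for wheel members
            if (($2 == "required" || $2 == "requisite") && opts !~ / deny( |$)/) {
                found = 1
                if (opts ~ / root_only( |$)/) root_only = 1
            }
        }
        END {
            if (!found) print "not_enforced"
            else if (root_only) print "enforced root_only"
            else print "enforced"
        }
    ' "$1"
}

# Constructed sample files standing in for /etc/pam.d/su on three hosts.
workdir=$(mktemp -d)
cat > "$workdir/su.default" <<'EOF'
#%PAM-1.0
auth            sufficient      pam_rootok.so
#auth           sufficient      pam_wheel.so trust use_uid
#auth           required        pam_wheel.so use_uid
auth            include         system-auth
EOF
cat > "$workdir/su.wheel" <<'EOF'
auth            sufficient      pam_rootok.so
auth            required        pam_wheel.so    use_uid
auth            include         system-auth
EOF
cat > "$workdir/su.root_only" <<'EOF'
auth            sufficient      pam_rootok.so
auth            required        pam_wheel.so    root_only use_uid
auth            include         system-auth
EOF
for f in "$workdir"/su.*; do printf '%s: %s\n' "$f" "$(pam_wheel_status "$f")"; done
```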