[Freeipa-users] stopping su -
Steven Jones
Steven.Jones at vuw.ac.nz
Tue Jul 17 04:40:10 UTC 2012
Hi,
I could do,
auth required pam_wheel.so root_only use_uid
But I really want to do this with IPA or I have to get on each server and add and remove admins by hand (hint 300 servers)...that is the idea of something like IPA for me....do it once centrally.
I assume simo's hint is,
sudo -i su - oracle
I will have to experiment.
regards
Steven Jones
Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ
0064 4 463 6272
________________________________________
From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Erinn Looney-Triggs [erinn.looneytriggs at gmail.com]
Sent: Tuesday, 17 July 2012 4:31 p.m.
To: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] stopping su -
On 07/16/2012 01:47 PM, Steven Jones wrote:
> Hi,
>
> OK, so to confirm this cant be done in a centralised way via IPA?
>
> In which case when setting a HBAC with sshd only why cant i su - oracle but I can su - root?
>
> regards
>
> Steven Jones
>
> Technical Specialist - Linux RHCE
>
> Victoria University, Wellington, NZ
>
> 0064 4 463 6272
>
> ________________________________________
> From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Erinn Looney-Triggs [erinn.looneytriggs at gmail.com]
> Sent: Tuesday, 17 July 2012 9:38 a.m.
> To: freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] stopping su -
>
> On 07/16/2012 01:32 PM, Steven Jones wrote:
>> I have craeted a sshd rule only for the HBAC, but I find a std user can
>> su - to root, is this correect behavior?
>>
>> How do I? or can I? stop this unless explicitly allowed?
>>
>> regards
>>
>> Steven Jones
>>
>> Technical Specialist - Linux RHCE
>>
>> Victoria University, Wellington, NZ
>>
>> 0064 4 463 6272
>>
>>
>>
>> _______________________________________________
>> Freeipa-users mailing list
>> Freeipa-users at redhat.com
>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>
>
>
> You need to control this via PAM. So for me I restrict su to only be
> allowed for members of the wheel group, from /etc/pam.d/su:
>
> auth required pam_wheel.so use_uid
>
> There are comments in the file that will get you where you want to go.
>
> -Erinn
>
>
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users
>
I can't speak to whether it can or cannot be done centrally in any sort
of authoritative way, might be possible there are hbac setting for su
and I can't really answer your question about suing to oracle.
-Erinn
More information about the Freeipa-users
mailing list