[Freeipa-users] stopping su -

Paul Robert Marino prmarino1 at gmail.com
Tue Jul 17 06:51:43 UTC 2012


I understand where you are going with this.
Don't think about su - oracle directly.
A sudo -u oracle -H isn't quite what you are looking for either, because you
want the environment variables to auto load, and oracle DBAs can be (not all,
but many) very lazy about loading them manually.
The best option is sudo su - oracle.
You can lock that down in the sudoers config, and you can lock the su
permissions to the wheel group via the local configuration files in
/etc/security or via the pam module. Either way you need to add in
configuration file management, which is not what freeipa is for.
On Jul 17, 2012 12:34 AM, "Erinn Looney-Triggs" <
erinn.looneytriggs at gmail.com> wrote:

> On 07/16/2012 01:47 PM, Steven Jones wrote:
> > Hi,
> >
> > OK, so to confirm this can't be done in a centralised way via IPA?
> >
> > In which case, when setting a HBAC with sshd only, why can't I su - oracle
> but I can su - root?
> >
> > regards
> >
> > Steven Jones
> >
> > Technical Specialist - Linux RHCE
> >
> > Victoria University, Wellington, NZ
> >
> > 0064 4 463 6272
> >
> > ________________________________________
> > From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com]
> on behalf of Erinn Looney-Triggs [erinn.looneytriggs at gmail.com]
> > Sent: Tuesday, 17 July 2012 9:38 a.m.
> > To: freeipa-users at redhat.com
> > Subject: Re: [Freeipa-users] stopping su -
> >
> > On 07/16/2012 01:32 PM, Steven Jones wrote:
> >> I have created a sshd rule only for the HBAC, but I find a std user can
> >> su - to root, is this correct behavior?
> >>
> >> How do I, or can I, stop this unless explicitly allowed?
> >>
> >> regards
> >>
> >> Steven Jones
> >>
> >> Technical Specialist - Linux RHCE
> >>
> >> Victoria University, Wellington, NZ
> >>
> >> 0064 4 463 6272
> >>
> >>
> >>
> >> _______________________________________________
> >> Freeipa-users mailing list
> >> Freeipa-users at redhat.com
> >> https://www.redhat.com/mailman/listinfo/freeipa-users
> >>
> >
> >
> > You need to control this via PAM. So for me I restrict su to only be
> > allowed for members of the wheel group, from /etc/pam.d/su:
> >
> > auth    required        pam_wheel.so    use_uid
> >
> > There are comments in the file that will get you where you want to go.
> >
> > -Erinn
> >
> >
> >
> >
>
> I can't speak to whether it can or cannot be done centrally in any sort
> of authoritative way; it might be possible there are HBAC settings for su,
> and I can't really answer your question about su'ing to oracle.
>
> -Erinn
>
>
>
>
>
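The two local controls discussed in this thread, as an added example that is not part of the thread or of FreeIPA's own tooling: a small POSIX shell helper that audits whether a PAM "su" configuration actually enforces the pam_wheel line Erinn quoted, and that emits the sudoers rule that confines a group to "sudo su - oracle" as Paul suggests. The sample PAM texts are constructed to resemble a stock /etc/pam.d/su, and the "dba" group name and the /bin/su path are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): audit a PAM "su" config for an active
# pam_wheel requirement, and generate a narrow sudoers rule for "su - oracle".

# Constructed sample resembling a stock /etc/pam.d/su, where the pam_wheel
# line ships commented out: any user who knows root's password can "su -".
DEFAULT_PAM_SU='#%PAM-1.0
auth            sufficient      pam_rootok.so
# Uncomment the following line to require a user to be in the "wheel" group.
#auth           required        pam_wheel.so use_uid
auth            substack        system-auth
account         include         system-auth
session         include         system-auth'

# Same constructed file with the wheel requirement switched on, which is the
# change Erinn describes.
HARDENED_PAM_SU='#%PAM-1.0
auth            sufficient      pam_rootok.so
auth            required        pam_wheel.so use_uid
auth            substack        system-auth
account         include         system-auth
session         include         system-auth'

# Return 0 when the PAM text given as $1 contains an active (uncommented)
# "auth required pam_wheel.so ... use_uid" line, 1 otherwise.
pam_su_restricted() {
    printf '%s\n' "$1" |
        grep -Eq '^[[:space:]]*auth[[:space:]]+required[[:space:]]+pam_wheel\.so[[:space:]].*use_uid'
}

# Same check against a real file, e.g.: audit_pam_su_file /etc/pam.d/su
audit_pam_su_file() {
    pam_su_restricted "$(cat "$1")"
}

# Print a sudoers rule allowing members of group $1 to run exactly
# "/bin/su - $2" as root, so "sudo su - oracle" works but "sudo su -" does not.
# The group and target account names are hypothetical placeholders.
sudoers_rule_for() {
    printf '%%%s ALL=(root) /bin/su - %s\n' "$1" "$2"
}

# Stand-alone run: report both samples and print the rule for a "dba" group.
if pam_su_restricted "$DEFAULT_PAM_SU"; then
    echo "default sample:  su restricted to wheel"
else
    echo "default sample:  su NOT restricted to wheel"
fi
if pam_su_restricted "$HARDENED_PAM_SU"; then
    echo "hardened sample: su restricted to wheel"
else
    echo "hardened sample: su NOT restricted to wheel"
fi
sudoers_rule_for dba oracle
```

The generated rule belongs in a file under /etc/sudoers.d, checked with visudo -c before use. Note the two controls cover different paths: pam_wheel in /etc/pam.d/su stops an ordinary user from running "su -" directly, but it does not affect "sudo su - oracle", because there su is invoked by root and the earlier pam_rootok.so line succeeds; that path is governed only by how tightly the sudoers command is specified. Both are local files, which is why the thread concludes this is configuration management rather than an HBAC rule.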