[Freeipa-users] stopping su -

Dmitri Pal dpal at redhat.com
Wed Jul 18 17:53:41 UTC 2012


On 07/17/2012 06:04 PM, Steven Jones wrote:
> but presumably I can control sudo with IPA?

Yes, you do.

>
> regards
>
> Steven Jones
>
> Technical Specialist - Linux RHCE
>
> Victoria University, Wellington, NZ
>
> 0064 4 463 6272
>
> ________________________________________
> From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Dmitri Pal [dpal at redhat.com]
> Sent: Tuesday, 17 July 2012 11:07 p.m.
> To: freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] stopping su -
>
> On 07/17/2012 12:40 AM, Steven Jones wrote:
>> Hi,
>>
>> I could do,
>>
>> auth    required        pam_wheel.so    root_only use_uid
>>
>> But I really want to do this with IPA or I have to get on each server and add and remove admins by hand (hint 300 servers)...that is the idea of something like IPA for me....do it once centrally.
>>
>> I assume Simo's hint is,
>>
>>  sudo -i su - oracle
> AFAIU if you are looking for a centrally managed setting you need to use sudo.
> With su and HBAC IPA can just control which user can authenticate using
> "su" but not for local users like root.
>
> I think that if the oracle user is centrally managed you would be able
> to define an HBAC rule that would prevent oracle user from doing su on a
> group of hosts, but I doubt that this is what you want.
> Seems like sudo will give you much more flexibility.
>
>> I will have to experiment.
>>
>> regards
>>
>> Steven Jones
>>
>> Technical Specialist - Linux RHCE
>>
>> Victoria University, Wellington, NZ
>>
>> 0064 4 463 6272
>>
>> ________________________________________
>> From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Erinn Looney-Triggs [erinn.looneytriggs at gmail.com]
>> Sent: Tuesday, 17 July 2012 4:31 p.m.
>> To: freeipa-users at redhat.com
>> Subject: Re: [Freeipa-users] stopping su -
>>
>> On 07/16/2012 01:47 PM, Steven Jones wrote:
>>> Hi,
>>>
>>> OK, so to confirm this can't be done in a centralised way via IPA?
>>>
>>> In which case when setting a HBAC with sshd only why can't I su - oracle but I can su - root?
>>>
>>> regards
>>>
>>> Steven Jones
>>>
>>> Technical Specialist - Linux RHCE
>>>
>>> Victoria University, Wellington, NZ
>>>
>>> 0064 4 463 6272
>>>
>>> ________________________________________
>>> From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Erinn Looney-Triggs [erinn.looneytriggs at gmail.com]
>>> Sent: Tuesday, 17 July 2012 9:38 a.m.
>>> To: freeipa-users at redhat.com
>>> Subject: Re: [Freeipa-users] stopping su -
>>>
>>> On 07/16/2012 01:32 PM, Steven Jones wrote:
>>>> I have created a sshd rule only for the HBAC, but I find a std user can
>>>> su - to root, is this correct behavior?
>>>>
>>>> How do I? or can I?  stop this unless explicitly allowed?
>>>>
>>>> regards
>>>>
>>>> Steven Jones
>>>>
>>>> Technical Specialist - Linux RHCE
>>>>
>>>> Victoria University, Wellington, NZ
>>>>
>>>> 0064 4 463 6272
>>>>
>>>>
>>>>
>>>> _______________________________________________
>>>> Freeipa-users mailing list
>>>> Freeipa-users at redhat.com
>>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>>>
>>> You need to control this via PAM. So for me I restrict su to only be
>>> allowed for members of the wheel group, from /etc/pam.d/su:
>>>
>>> auth    required        pam_wheel.so    use_uid
>>>
>>> There are comments in the file that will get you where you want to go.
>>>
>>> -Erinn
>>>
>>>
>>>
>> I can't speak to whether it can or cannot be done centrally in any sort
>> of authoritative way, might be possible there are HBAC settings for su
>> and I can't really answer your question about su-ing to oracle.
>>
>> -Erinn
>>
>>
>>
>>
>>
>
> --
> Thank you,
> Dmitri Pal
>
> Sr. Engineering Manager for IdM portfolio
> Red Hat Inc.
>
>
> -------------------------------
> Looking to carve out IT costs?
> www.redhat.com/carveoutcosts/
>
>
>
>
>


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.


-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
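Added example (not part of the thread, nor FreeIPA's own code): a POSIX sh script with the two halves of the approach the thread converges on. The host half audits /etc/pam.d/su for the pam_wheel line Erinn and Steven quote (the root_only variant also passes) and flags the "trust" option, which lets wheel members su without a password; it is meant to be run over the fleet via ssh or a configuration-management tool. The central half is the ipa(1) calls for the HBAC and sudo rules Dmitri describes; the rule, group and host names (allow_su_to_oracle, dba_become_oracle, dba, oracle_hosts, db1.example.com) are assumptions, and that part needs an admin Kerberos ticket. One point that explains what Steven saw: PAM authenticates su as the target account, so SSSD evaluates an HBAC rule for the su service against the user being switched to. root is a local user unknown to IPA, so HBAC never applied to su - root, while su - oracle was refused because the IPA-managed oracle user was only allowed sshd. The HBAC rule below therefore states where oracle may be reached via su at all, and the sudo rule states which people may become oracle without its password.

```shell
#!/bin/sh
# Added example, not from the thread or the FreeIPA project: audit a host's
# /etc/pam.d/su for the pam_wheel restriction and express the central policy
# in IPA. Names such as dba, oracle_hosts and db1.example.com are assumptions.

# Exit 0 if PAMFILE ($1) has an active (uncommented) "auth required
# pam_wheel.so" line carrying use_uid; "root_only use_uid" also qualifies.
pam_wheel_enforced() {
    awk '
        $1 == "auth" && $2 == "required" && $3 == "pam_wheel.so" {
            for (i = 4; i <= NF; i++) if ($i == "use_uid") found = 1
        }
        END { exit found ? 0 : 1 }
    ' "$1"
}

# Exit 0 if PAMFILE ($1) has an active pam_wheel.so line with the "trust"
# option, which lets wheel members su without giving a password.
pam_wheel_trust_enabled() {
    awk '
        $1 == "auth" && $3 == "pam_wheel.so" {
            for (i = 4; i <= NF; i++) if ($i == "trust") found = 1
        }
        END { exit found ? 0 : 1 }
    ' "$1"
}

# One-line verdict per file, easy to collect from 300 hosts over ssh.
audit_su_stack() {
    if pam_wheel_trust_enabled "$1"; then
        echo "$1: WARN wheel members may su without a password (trust)"
    elif pam_wheel_enforced "$1"; then
        echo "$1: OK su restricted to wheel members"
    else
        echo "$1: FAIL pam_wheel not enforced"
    fi
}

# Central half: IPA objects for the policy. Needs an admin ticket (kinit admin).
# SSSD evaluates the HBAC "su" service against the account being switched to,
# so the HBAC rule governs where oracle may be reached via su; the sudo rule
# governs which people may become oracle without its password.
define_central_su_policy() {
    ipa hbacrule-add allow_su_to_oracle --desc='su to oracle permitted on DB hosts'
    ipa hbacrule-add-user allow_su_to_oracle --users=oracle
    ipa hbacrule-add-host allow_su_to_oracle --hostgroups=oracle_hosts
    ipa hbacrule-add-service allow_su_to_oracle --hbacsvcs=su,su-l

    ipa sudorule-add dba_become_oracle --cmdcat=all --desc='DBAs: sudo -u oracle -i'
    ipa sudorule-add-user dba_become_oracle --groups=dba
    ipa sudorule-add-host dba_become_oracle --hostgroups=oracle_hosts
    ipa sudorule-add-runasuser dba_become_oracle --users=oracle

    # Simulate the HBAC decision centrally instead of logging in to test it.
    ipa hbactest --user=oracle --host=db1.example.com --service=su
}

# Constructed samples: an approximation of a stock su stack with pam_wheel
# commented out, a hardened copy, and a copy with the risky "trust" line on.
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/su.stock" <<'EOF'
#%PAM-1.0
auth        sufficient  pam_rootok.so
# Uncomment the following line to implicitly trust users in the "wheel" group.
#auth       sufficient  pam_wheel.so trust use_uid
# Uncomment the following line to require a user to be in the "wheel" group.
#auth       required    pam_wheel.so use_uid
auth        include     system-auth
account     include     system-auth
session     include     system-auth
EOF
sed 's/^#auth\(.*pam_wheel\.so use_uid\)$/auth\1/' "$SAMPLE_DIR/su.stock" > "$SAMPLE_DIR/su.hardened"
sed 's/^#auth\(.*pam_wheel\.so trust use_uid\)$/auth\1/' "$SAMPLE_DIR/su.stock" > "$SAMPLE_DIR/su.trust"

for f in "$SAMPLE_DIR"/su.*; do
    audit_su_stack "$f"
done

# Only talk to IPA when explicitly asked.
if [ "${APPLY_IPA_POLICY:-0}" = 1 ]; then
    define_central_su_policy
fi
```

Run with no arguments to audit the constructed samples; on a real host point audit_su_stack at /etc/pam.d/su (the stock file there still needs pam_wheel uncommented by hand or by your configuration management, which is the per-host step the thread is unhappy about). Set APPLY_IPA_POLICY=1 with an admin ticket to create the IPA objects, then use ipa hbactest to confirm the HBAC side before touching any host.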