[Freeipa-users] IPA and UIDS <500

Steven Jones Steven.Jones at vuw.ac.nz
Thu Jul 19 21:00:17 UTC 2012


So,

I am trying to do just this but failing.

So rather than,

ipa sudorule-add-allow-command --sudocmds "/bin/su - banner" 

then,

ipa sudorule-add-allow-command --sudocmds "/bin/sudo -i banner"

regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272

________________________________________
From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Simo Sorce [simo at redhat.com]
Sent: Friday, 20 July 2012 5:09 a.m.
To: Stephen Gallagher
Cc: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] IPA and UIDS <500

On Thu, 2012-07-19 at 11:59 -0400, Stephen Gallagher wrote:
> On Thu, 2012-07-19 at 16:44 +0100, Innes, Duncan wrote:
> > Does this mean that it's impossible to have IPA authenticate the
> > oracle user or any other user that is normally below 500?
> >
> > Our security team is asking that we manage the passwords of oracle and
> > other users centrally.  Can IPA do this for me?
>
> It's not impossible, but it requires some mangling of your PAM stacks
> in /etc/pam.d/*
>
> That said, it's generally a bad idea to have passwords on users < 500.
> It should not be possible to log into them at all, and instead you
> should rely on granting (restricted) sudo privileges to real users
> allowing them to impersonate the service user instead.
>
> So instead of allowing people to log into the box as 'oracle', they
> should log in as 'myusername' and then run 'sudo -u oracle <command>'.
> This provides better auditing support as well, since you will always
> know which real user modified your database configuration (rather than
> trying to piece together who logged in as 'oracle' directly).

Note you can also allow sudo -i which gives you an interactive shell
just like su - would, but you can control sudo configuration centrally.

Simo.

--
Simo Sorce * Red Hat, Inc * New York
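The two patterns discussed above (restricted `sudo -u oracle <command>`, and Simo's `sudo -i` shell) expressed as central IPA sudo rules, as an added worked example that is not part of the original thread. An IPA sudo rule carries the target account through its RunAs user and its command set, so the example sets `sudorule-add-runasuser` and then either a fixed command list or `--cmdcat=all` for the shell variant. The rule name `dba_as_oracle`, the IPA group `dba`, the host group `oracle_servers` and the two command paths are assumptions; the script prints the `ipa` commands unless `IPA_APPLY=1` is set, so it can be read and checked without a server.

```shell
#!/bin/sh
# Added example (not from the list thread). All names below are assumptions:
# a service account "oracle" (local, UID < 500), an IPA user group "dba",
# an IPA host group "oracle_servers" and a rule called "dba_as_oracle".
# Commands are only executed when IPA_APPLY=1; otherwise they are printed.

RULE=dba_as_oracle
GROUP=dba
HOSTGROUP=oracle_servers
SERVICE_USER=oracle

# Run an ipa(1) subcommand, or print it when not applying (dry run).
ipa_cmd() {
    if [ "${IPA_APPLY:-0}" = 1 ]; then
        ipa "$@"
    else
        printf 'ipa %s\n' "$*"
    fi
}

# Variant A: members of $GROUP may run a short list of commands as
# $SERVICE_USER, i.e. "sudo -u oracle /usr/bin/sqlplus". Nobody logs in
# as oracle, and the sudo log names the real user who ran the command.
setup_restricted_rule() {
    ipa_cmd sudorule-add "$RULE" --desc="dba staff run DB tooling as $SERVICE_USER"
    ipa_cmd sudorule-add-user "$RULE" --groups="$GROUP"
    ipa_cmd sudorule-add-host "$RULE" --hostgroups="$HOSTGROUP"
    # A RunAs user that is not an IPA user (a local account such as oracle)
    # is stored by the CLI as a RunAs external user; no IPA entry is needed.
    ipa_cmd sudorule-add-runasuser "$RULE" --users="$SERVICE_USER"
    for cmd in /usr/bin/sqlplus /opt/oracle/bin/lsnrctl; do   # assumed paths
        ipa_cmd sudocmd-add "$cmd"
        ipa_cmd sudorule-add-allow-command "$RULE" --sudocmds="$cmd"
    done
}

# Variant B: an interactive shell as the service user ("sudo -i -u oracle"),
# the equivalent of "su - oracle" but configured centrally. cmdcat=all permits
# any command, so this rule is deliberately limited to $GROUP on $HOSTGROUP.
setup_shell_rule() {
    ipa_cmd sudorule-add "${RULE}_shell" --cmdcat=all \
        --desc="dba staff get a login shell as $SERVICE_USER"
    ipa_cmd sudorule-add-user "${RULE}_shell" --groups="$GROUP"
    ipa_cmd sudorule-add-host "${RULE}_shell" --hostgroups="$HOSTGROUP"
    ipa_cmd sudorule-add-runasuser "${RULE}_shell" --users="$SERVICE_USER"
}

# Usage: sh this.sh restricted|shell|both   (add IPA_APPLY=1 to execute)
case "${1:-}" in
    restricted) setup_restricted_rule ;;
    shell)      setup_shell_rule ;;
    both)       setup_restricted_rule; setup_shell_rule ;;
esac
```

Once the rule has propagated to a client, a member of `dba` can confirm it with `sudo -l`, and every `sudo -u oracle ...` or `sudo -i -u oracle` invocation is logged under that member's own name, which is the audit property Stephen describes above; the oracle account itself needs no password at all.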

_______________________________________________
Freeipa-users mailing list
Freeipa-users at redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users