[Freeipa-users] sudo rule working even after the user has been removed from the sudo rule

Rajnesh Kumar Siwal rajnesh.siwal at gmail.com
Mon Feb 4 10:24:31 UTC 2013


I deleted the following entry from the IPA WebUI "All Except Shell"
(Sudo Role) but ldapsearch still fetches it (Effectively sudo works
after the deletion of the rule) :-

dn: cn=All Except Shell,ou=sudoers,dc=example,dc=com
objectClass: sudoRole
sudoUser: %ctsadmin
sudoHost: ALL
sudoCommand: ALL
sudoRunAsUser: ALL
sudoOption: !authenticate
cn: All Except Shell

Is it present in cache somewhere ?

On Mon, Feb 4, 2013 at 2:18 PM, Rajnesh Kumar Siwal
<rajnesh.siwal at gmail.com> wrote:
> Looking into the sssd logs, I came to know there there was one more
> rule allowing access:-
> (Mon Feb  4 14:13:01 2013) [sssd[be[chargepoint.dmz]]]
> [hbac_get_category] (5): Category is set to 'all'.
> (Mon Feb  4 14:13:01 2013) [sssd[be[chargepoint.dmz]]]
> [ipa_hbac_evaluate_rules] (3): Access granted by HBAC rule [allow_all]
> (Mon Feb  4 14:13:01 2013) [sssd[be[chargepoint.dmz]]]
> [be_pam_handler_callback] (4): Backend returned: (0, 0, <NULL>)
> [Success]
>
> I disabled that allow_all rule, now it is fine.
>
> On Mon, Feb 4, 2013 at 2:02 PM, Rajnesh Kumar Siwal
> <rajnesh.siwal at gmail.com> wrote:
>> Here is the output of ldapsearch :-
>> dn: cn=Admins,ou=sudoers,dc=example,dc=com
>> objectClass: sudoRole
>> sudoUser: %ctsadmin
>> sudoHost: ALL
>> sudoCommand: ALL
>> sudoRunAsUser: ALL
>> cn: Admins
>>
>> The rule still says that the group ctsadmin is allowed (Which should
>> not happen after I remove the ctsadmin group from sudo access)
>> On the IPA Web Interface there is no sudo role attached to the User
>> "rsiwal" (Neither Direct nor Indirect).
>> Maybe there is some bug.
>>
>>
>> On Mon, Feb 4, 2013 at 1:22 PM, Rajnesh Kumar Siwal
>> <rajnesh.siwal at gmail.com> wrote:
>>> Hi all,
>>>
>>> I have just created a setup for sudo on the IPA Server 2.2.
>>> I modified nsswitch.conf to use ldap.
>>> ldap.conf has been modified to fetch sudo users from the IPA Server.
>>>
>>> Now, the user in group "admin" can do sudo.
>>>       1. rsiwal being a user of group sudo can run all commands as sudo (FINE)
>>>       2. If I disable the rule "Admins" (that gives the admin group access to
>>> sudo), sudo still works for the user rsiwal (Which should not work
>>> logically).
>>>       3. Removed the group "Admins" (including rsiwal) from the Sudo
>>> rule. The rule is still allowing user rsiwal to run "sudo su -". (It
>>> should Fail)
>>>
>>> Is there some kind of caching at the Server / client end ?
>>>
>>> --
>>> Regards,
>>> Rajnesh Kumar Siwal
>>
>>
>>
>> --
>> Regards,
>> Rajnesh Kumar Siwal
>
>
>
> --
> Regards,
> Rajnesh Kumar Siwal



-- 
Regards,
Rajnesh Kumar Siwal
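An added example, not part of the thread: a small Python check that parses ldapsearch LDIF output for sudoRole entries and sssd backend log lines, so an admin can confirm which sudo roles still name a user or one of their groups, which roles grant sudo without a password (!authenticate), and which HBAC rule sssd reported as granting access. The LDIF and log samples are constructed, modelled on the entries quoted above, with example.com as a placeholder domain.

```python
import re
# Constructed ldapsearch (LDIF) output modelled on the entries quoted in the thread.
SAMPLE_LDIF = """\
dn: cn=All Except Shell,ou=sudoers,dc=example,dc=com
objectClass: sudoRole
sudoUser: %ctsadmin
sudoHost: ALL
sudoCommand: ALL
sudoRunAsUser: ALL
sudoOption: !authenticate
cn: All Except Shell

dn: cn=Admins,ou=sudoers,dc=example,dc=com
objectClass: sudoRole
sudoUser: %ctsadmin
sudoHost: ALL
sudoCommand: ALL
sudoRunAsUser: ALL
cn: Admins
"""
# Constructed sssd backend log lines modelled on the ones quoted in the thread.
SAMPLE_LOG = """\
(Mon Feb  4 14:13:01 2013) [sssd[be[example.com]]] [hbac_get_category] (5): Category is set to 'all'.
(Mon Feb  4 14:13:01 2013) [sssd[be[example.com]]] [ipa_hbac_evaluate_rules] (3): Access granted by HBAC rule [allow_all]
"""

def parse_sudo_roles(ldif):
    """Split LDIF into entries; attributes are kept as lists because LDAP attributes can repeat."""
    entries = []
    for block in ldif.strip().split("\n\n"):   # a blank line terminates each LDIF entry
        entry = {}
        for line in block.splitlines():
            key, _, value = line.partition(": ")
            entry.setdefault(key, []).append(value)
        if "sudoRole" in entry.get("objectClass", []):
            entries.append(entry)
    return entries

def roles_granting(ldif, user, groups):
    """cn of every sudoRole whose sudoUser names the user, one of their groups (%group) or ALL."""
    wanted = {user, "ALL"} | {"%" + g for g in groups}
    return [r["cn"][0] for r in parse_sudo_roles(ldif) if wanted & set(r.get("sudoUser", []))]

def passwordless_roles(ldif):
    """cn of every sudoRole that sets !authenticate, i.e. sudo runs without a password prompt."""
    return [r["cn"][0] for r in parse_sudo_roles(ldif) if "!authenticate" in r.get("sudoOption", [])]

HBAC_GRANT = re.compile(r"Access granted by HBAC rule \[([^\]]+)\]")
def hbac_rules_granting(log):
    """Names of the HBAC rules that sssd reported as granting access, in log order."""
    return HBAC_GRANT.findall(log)
```

Run against real `ldapsearch -b ou=sudoers,...` output and `/var/log/sssd/sssd_<domain>.log` to see whether a role that was removed in the WebUI is still served to clients, and whether a broad HBAC rule such as allow_all is what actually let the login through.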