[Freeipa-users] SOLVED: Re: sudo rule working even after the user has been removed from the sudo rule

Rob Crittenden rcritten at redhat.com
Tue Feb 5 14:54:58 UTC 2013


Simo Sorce wrote:
> On Mon, 2013-02-04 at 09:21 -0500, Rob Crittenden wrote:
>> Rajnesh Kumar Siwal wrote:
>>> Looking into the sssd logs, I came to know that there was one more
>>> rule allowing access:-
>>> (Mon Feb  4 14:13:01 2013) [sssd[be[chargepoint.dmz]]]
>>> [hbac_get_category] (5): Category is set to 'all'.
>>> (Mon Feb  4 14:13:01 2013) [sssd[be[chargepoint.dmz]]]
>>> [ipa_hbac_evaluate_rules] (3): Access granted by HBAC rule [allow_all]
>>> (Mon Feb  4 14:13:01 2013) [sssd[be[chargepoint.dmz]]]
>>> [be_pam_handler_callback] (4): Backend returned: (0, 0, <NULL>)
>>> [Success]
>>>
>>> I disabled that allow_all rule, now it is fine.
>>
>> I don't know why that would make any difference. HBAC != sudo.
>
> sudo uses pam so HBAC may be involved during auth
>
> Simo.
>

That's true but it isn't going to grant sudo access to users that aren't 
in the rule.

rob
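The diagnosis in this thread came from reading the sssd domain log by hand and spotting that a different rule (the default allow_all, with its category set to 'all') was the one granting access. The script below is an added example, not code from the thread or from the FreeIPA/sssd projects: it parses the line layout shown in the quoted excerpt (timestamp, backend domain, function, debug level, message), lists every HBAC grant it finds and flags grants that came from a rule whose category was 'all'. The sample log is constructed from the thread's three lines rejoined as sssd writes them; the grant wording is taken from that excerpt, and pairing a category line with the grant that follows it is an ordering heuristic rather than a guarantee from sssd's log format.

```python
import re
from typing import Optional

# Constructed sample: the three sssd domain-log lines quoted in the thread,
# each rejoined onto a single line as sssd writes them (the mail client wrapped them).
SAMPLE_LOG = """\
(Mon Feb  4 14:13:01 2013) [sssd[be[chargepoint.dmz]]] [hbac_get_category] (5): Category is set to 'all'.
(Mon Feb  4 14:13:01 2013) [sssd[be[chargepoint.dmz]]] [ipa_hbac_evaluate_rules] (3): Access granted by HBAC rule [allow_all]
(Mon Feb  4 14:13:01 2013) [sssd[be[chargepoint.dmz]]] [be_pam_handler_callback] (4): Backend returned: (0, 0, <NULL>) [Success]
"""

# Layout of the log lines in the excerpt: (timestamp) [sssd[be[domain]]] [function] (level): message
LINE_RE = re.compile(
    r"^\((?P<ts>[^)]*)\) \[sssd\[be\[(?P<domain>[^\]]+)\]\]\] "
    r"\[(?P<func>[^\]]+)\] \((?P<level>\d+)\): (?P<msg>.*)$"
)
# Grant message exactly as it appears in the excerpt; the rule name is in brackets.
GRANT_RE = re.compile(r"Access granted by HBAC rule \[(?P<rule>[^\]]+)\]")
CATEGORY_RE = re.compile(r"Category is set to '(?P<cat>[^']+)'")


def parse_line(line: str) -> Optional[dict]:
    """Split one sssd log line into its fields; None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def hbac_decisions(log_text: str) -> list:
    """Walk the log in order and record every HBAC grant together with the most
    recent category logged before it (heuristic: sssd logs the category while
    evaluating the rule, just before it reports the decision)."""
    decisions = []
    last_category = None
    for raw in log_text.splitlines():
        entry = parse_line(raw)
        if entry is None:
            continue
        if entry["func"] == "hbac_get_category":
            m = CATEGORY_RE.search(entry["msg"])
            last_category = m.group("cat") if m else None
        elif entry["func"] == "ipa_hbac_evaluate_rules":
            m = GRANT_RE.search(entry["msg"])
            if m:
                decisions.append({
                    "timestamp": entry["ts"],
                    "domain": entry["domain"],
                    "rule": m.group("rule"),
                    "category": last_category,
                })
                last_category = None
    return decisions


def broad_grants(decisions: list) -> list:
    """Names of rules that granted access with category 'all' (e.g. the default
    allow_all rule), i.e. the rules to review when a narrower rule was expected."""
    return [d["rule"] for d in decisions if d["category"] == "all"]


if __name__ == "__main__":
    found = hbac_decisions(SAMPLE_LOG)
    for d in found:
        print(f"{d['timestamp']}: domain={d['domain']} rule={d['rule']} category={d['category']}")
    print("rules granting with category 'all':", broad_grants(found))
```

Run it against a real sssd domain log (the file under /var/log/sssd/ named after the IPA domain, with debug_level raised high enough for the hbac_get_category lines to appear) and the output tells you which rule actually made the decision, which is the first thing to check before concluding that sudo or HBAC membership changes had no effect.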



