[Freeipa-users] SOLVED: Re: sudo rule working even after the user has been removed from the sudo rule

Rajnesh Kumar Siwal rajnesh.siwal at gmail.com
Tue Feb 5 15:01:13 UTC 2013


Thanks, Bob/Simo.

On Tue, Feb 5, 2013 at 8:24 PM, Rob Crittenden <rcritten at redhat.com> wrote:
> Simo Sorce wrote:
>>
>> On Mon, 2013-02-04 at 09:21 -0500, Rob Crittenden wrote:
>>>
>>> Rajnesh Kumar Siwal wrote:
>>>>
>>>> Looking into the sssd logs, I came to know that there was one more
>>>> rule allowing access:-
>>>> (Mon Feb  4 14:13:01 2013) [sssd[be[chargepoint.dmz]]]
>>>> [hbac_get_category] (5): Category is set to 'all'.
>>>> (Mon Feb  4 14:13:01 2013) [sssd[be[chargepoint.dmz]]]
>>>> [ipa_hbac_evaluate_rules] (3): Access granted by HBAC rule [allow_all]
>>>> (Mon Feb  4 14:13:01 2013) [sssd[be[chargepoint.dmz]]]
>>>> [be_pam_handler_callback] (4): Backend returned: (0, 0, <NULL>)
>>>> [Success]
>>>>
>>>> I disabled that allow_all rule, now it is fine.
>>>
>>>
>>> I don't know why that would make any difference. HBAC != sudo.
>>
>>
>> sudo uses pam so HBAC may be involved during auth
>>
>> Simo.
>>
>
> That's true but it isn't going to grant sudo access to users that aren't in
> the rule.
>
> rob



-- 
Regards,
Rajnesh Kumar Siwal
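The root cause in the thread was a catch-all HBAC rule (allow_all, with its category set to 'all') that the SSSD domain log only revealed at debug level. As an added example that is not part of this thread and not FreeIPA or SSSD project code, the script below parses SSSD domain-log lines of the shape quoted above, pulls out which HBAC rule granted each PAM request, and flags grants that were preceded by a "Category is set to 'all'" line in the same evaluation. The sample log is constructed (the second rule, admins_ssh, is hypothetical), and the grouping of lines into one evaluation per be_pam_handler_callback verdict is an assumption about log ordering, not something the SSSD source guarantees.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample modelled on the SSSD domain log lines quoted in the
# thread: one evaluation matched by the catch-all rule allow_all, one matched
# by a hypothetical narrower rule named admins_ssh. Not real log data.
SAMPLE_LOG = """\
(Mon Feb  4 14:13:01 2013) [sssd[be[chargepoint.dmz]]] [hbac_get_category] (5): Category is set to 'all'.
(Mon Feb  4 14:13:01 2013) [sssd[be[chargepoint.dmz]]] [ipa_hbac_evaluate_rules] (3): Access granted by HBAC rule [allow_all]
(Mon Feb  4 14:13:01 2013) [sssd[be[chargepoint.dmz]]] [be_pam_handler_callback] (4): Backend returned: (0, 0, <NULL>) [Success]
(Mon Feb  4 14:20:07 2013) [sssd[be[chargepoint.dmz]]] [ipa_hbac_evaluate_rules] (3): Access granted by HBAC rule [admins_ssh]
(Mon Feb  4 14:20:07 2013) [sssd[be[chargepoint.dmz]]] [be_pam_handler_callback] (4): Backend returned: (0, 0, <NULL>) [Success]
"""

# "(timestamp) [sssd[be[domain]]] [function] (level): message"
LINE_RE = re.compile(
    r"^\((?P<ts>[^)]+)\) \[sssd\[be\[(?P<domain>[^\]]+)\]\]\] "
    r"\[(?P<func>[^\]]+)\] \((?P<level>\d+)\): (?P<msg>.*)$"
)
GRANT_RE = re.compile(r"Access granted by HBAC rule \[(?P<rule>[^\]]+)\]")


@dataclass
class Entry:
    ts: str
    domain: str
    func: str
    level: int
    msg: str


@dataclass
class Grant:
    ts: str
    domain: str
    rule: str
    # True when a "Category is set to 'all'" line preceded the grant within
    # the same evaluation (assumed heuristic, see lead-in).
    catch_all: bool


def parse_line(line: str) -> Optional[Entry]:
    """Split one SSSD domain-log line into its fields; None if it does not match."""
    m = LINE_RE.match(line.rstrip("\n"))
    if not m:
        return None
    return Entry(m["ts"], m["domain"], m["func"], int(m["level"]), m["msg"])


def find_grants(log_text: str) -> List[Grant]:
    """Return every HBAC grant in the log, in order, with its catch-all flag."""
    grants: List[Grant] = []
    saw_catch_all = False
    for raw in log_text.splitlines():
        e = parse_line(raw)
        if e is None:
            continue
        if e.func == "hbac_get_category" and "Category is set to 'all'" in e.msg:
            saw_catch_all = True
        elif e.func == "ipa_hbac_evaluate_rules":
            g = GRANT_RE.search(e.msg)
            if g:
                grants.append(Grant(e.ts, e.domain, g["rule"], saw_catch_all))
        elif e.func == "be_pam_handler_callback":
            # the backend returned its verdict, so this evaluation is complete
            saw_catch_all = False
    return grants


def catch_all_rules(log_text: str) -> List[str]:
    """Distinct rule names that granted access while a category was 'all'."""
    return sorted({g.rule for g in find_grants(log_text) if g.catch_all})


if __name__ == "__main__":
    for g in find_grants(SAMPLE_LOG):
        kind = "CATCH-ALL" if g.catch_all else "scoped"
        print(f"{g.ts} {g.domain}: access granted by [{g.rule}] ({kind})")
    print("rules to review:", catch_all_rules(SAMPLE_LOG))
```

Run it against /var/log/sssd/sssd_<domain>.log with debug_level raised to at least 5 in the [domain/...] section of sssd.conf, since the hbac_get_category line is not emitted at the default level; any rule it reports as CATCH-ALL is worth checking with ipa hbacrule-show before assuming a sudo or HBAC change has taken effect.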