[Freeipa-users] A crazy idea maybe, migration to Free-IPA 4.1.

Alexander Bokovoy abokovoy at redhat.com
Thu Oct 23 13:41:55 UTC 2014


On Thu, 23 Oct 2014, Orkhan Gasimov wrote:
>And another interesting behaviour.
>
>Say a user "netuser" is a member of a user group "netstaff",
>and a host "bsd.example.com" is a member of a host group "nethosts".
>We then create an HBAC rule "netstaff_to_nethosts":
>
>Who: User Groups -> netstaff -- Accessing: Host Groups -> nethosts -- 
>Via Service: Specified Services and Groups -> sshd
Here you are allowing only the sshd service.

>
>And we create a SUDO rule "test":
>
>Who: Specified Users and Groups -> netuser -- Access this host: 
>bsd.example.com -- Run Commands: Any Command
>
>Expected result is this: user "netuser" should be able to SSH to host 
>"bsd.example.com" and successfully issue the command "sudo shutdown -r 
>now".
>
>What happens instead: user "netuser" is able to SSH to host 
>"bsd.example.com", but issuing the command "sudo shutdown -r now" 
>produces this output (password is entered correctly):
>
>$ shutdown -r now
>Password:
>Ying Tong Iddle I Po
>Password:
>Do you think like you type?
>Password:
>Have you considered trying to match wits with a rutabaga?
>
>This is funny, and you can continue trying sudo and getting funny 
>outputs; but the only way for the command to work properly is to 
>change the HBAC rule:
>
>Who: User Groups -> netstaff -- Accessing: Host Groups -> nethosts -- 
>Via Service: Specified Services and Groups -> ANY SERVICE
>
>Is this the correct behavior? I don't remember anything like this in 
>FreeIPA 3.3.
Yes. The behaviour has not changed since maybe FreeIPA 2.0.

sudo authenticates and authorizes the user first via the PAM stack and then
applies its own ruleset. So HBAC rules get applied here, and since you don't
have an allow_all rule that would allow any user to access any service on any
host, you get a denial.

Instead of using only the sshd service in the HBAC rule, make a service group
and add both sshd and sudo to it.

Alternatively, you can add multiple HBAC rules: one for sshd, one for
sudo.


-- 
/ Alexander Bokovoy
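The PAM-then-sudo ordering described in the reply above, as an added example that is not code from the thread or from the FreeIPA project: a small Python model of HBAC evaluation the way pam_sss applies it when sudo asks PAM for the "sudo" (or, for `sudo -i`, "sudo-i") service, followed by sudo's own rule check. The user, host, group and rule names are the ones from the thread; the service group name `net_services` and the rule names `netstaff_ssh` / `netstaff_sudo` are assumptions for the two fixes proposed. HBAC is allow-only, so the request passes only if at least one enabled rule matches all three of user, host and service.

```python
"""Model of FreeIPA HBAC evaluation as seen by sudo (added example, not FreeIPA code).

Directory contents are constructed from the thread: netuser is in netstaff,
bsd.example.com is in nethosts. The service group "net_services" is an assumed name.
"""
from dataclasses import dataclass

# Constructed directory data (group -> members).
DIRECTORY = {
    "user_groups": {"netstaff": {"netuser"}},
    "host_groups": {"nethosts": {"bsd.example.com"}},
    "service_groups": {"net_services": {"sshd", "sudo", "sudo-i"}},  # assumed group
}


@dataclass(frozen=True)
class HBACRule:
    name: str
    users: frozenset = frozenset()
    user_groups: frozenset = frozenset()
    hosts: frozenset = frozenset()
    host_groups: frozenset = frozenset()
    services: frozenset = frozenset()
    service_groups: frozenset = frozenset()
    any_user: bool = False
    any_host: bool = False
    any_service: bool = False
    enabled: bool = True


@dataclass(frozen=True)
class SudoRule:
    name: str
    users: frozenset
    hosts: frozenset
    any_command: bool = True


def _in_any_group(member, groups, group_members):
    return any(member in group_members.get(g, ()) for g in groups)


def rule_matches(rule, user, host, service, directory=DIRECTORY):
    """A rule matches only if the user, host AND service parts all match."""
    if not rule.enabled:
        return False
    user_ok = rule.any_user or user in rule.users or \
        _in_any_group(user, rule.user_groups, directory["user_groups"])
    host_ok = rule.any_host or host in rule.hosts or \
        _in_any_group(host, rule.host_groups, directory["host_groups"])
    service_ok = rule.any_service or service in rule.services or \
        _in_any_group(service, rule.service_groups, directory["service_groups"])
    return user_ok and host_ok and service_ok


def hbac_matching_rules(rules, user, host, service):
    """HBAC is allow-only: no matching rule means denial."""
    return [r.name for r in rules if rule_matches(r, user, host, service)]


def run_sudo(hbac_rules, sudo_rules, user, host, login_shell=False):
    """sudo goes through PAM first (HBAC via pam_sss), then its own rules."""
    pam_service = "sudo-i" if login_shell else "sudo"
    if not hbac_matching_rules(hbac_rules, user, host, pam_service):
        return "denied by HBAC"   # PAM fails; sudo just re-prompts for a password
    if not any(user in r.users and host in r.hosts for r in sudo_rules):
        return "denied by sudo rules"
    return "allowed"


NETSTAFF = frozenset({"netstaff"})
NETHOSTS = frozenset({"nethosts"})

# 1. The original rule from the thread: only sshd is allowed.
SSHD_ONLY = [HBACRule("netstaff_to_nethosts", user_groups=NETSTAFF,
                      host_groups=NETHOSTS, services=frozenset({"sshd"}))]
# 2. Fix A: one rule pointing at a service group holding sshd and sudo.
SERVICE_GROUP = [HBACRule("netstaff_to_nethosts", user_groups=NETSTAFF,
                          host_groups=NETHOSTS, service_groups=frozenset({"net_services"}))]
# 3. Fix B: two rules, one per service (rule names assumed).
TWO_RULES = [HBACRule("netstaff_ssh", user_groups=NETSTAFF, host_groups=NETHOSTS,
                      services=frozenset({"sshd"})),
             HBACRule("netstaff_sudo", user_groups=NETSTAFF, host_groups=NETHOSTS,
                      services=frozenset({"sudo", "sudo-i"}))]
# 4. The workaround the poster found: any service.
ANY_SERVICE = [HBACRule("netstaff_to_nethosts", user_groups=NETSTAFF,
                        host_groups=NETHOSTS, any_service=True)]

# The sudo rule "test" from the thread.
SUDO_RULES = [SudoRule("test", frozenset({"netuser"}), frozenset({"bsd.example.com"}))]

if __name__ == "__main__":
    for label, rules in [("sshd only", SSHD_ONLY), ("service group", SERVICE_GROUP),
                         ("two rules", TWO_RULES), ("any service", ANY_SERVICE)]:
        print(f"{label:14} sudo -> {run_sudo(rules, SUDO_RULES, 'netuser', 'bsd.example.com')}")
```

On a real deployment the same question can be asked without logging in: `ipa hbactest --user netuser --host bsd.example.com --service sudo` lists which rules match, and the HBAC services `sudo` and `sudo-i` are predefined, so a rule can reference them directly or through a service group.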



