[Freeipa-users] How to use sudo rules on ubuntu

Tevfik Ceydeliler tevfik.ceydeliler at astron.yasar.com.tr
Tue Sep 2 08:02:34 UTC 2014


Step 0
root at clnt:/home/awtadm# grep sudoers /etc/nsswitch.conf
sudoers_debug:    1
sudoers: files sss

root at clnt:/home/awtadm# ipa-client-install --no-ntp
IPA client is already configured on this system.

root at clnt:/home/awtadm# grep services /etc/sssd/sssd.conf
services = nss, pam, ssh, sudo


Step 1 (there is some problem when creating a rule on the CLI. No problem is prompted
on the web-based UI)
...
[root at srv ~]# ipa sudorule-add-option readfiles
Sudo Option: !authenticate
ipa: ERROR: no such entry

...
  Then:
awtadm at clnt:~$ su user1
Password:
user1 at clnt:/home/awtadm$ /usr/bin/less /etc/shadow |wc -l
/etc/shadow: Permission denied
0
user1 at clnt:/home/awtadm$ sudo /usr/bin/less /etc/shadow |wc -l
[sudo] password for user1:
user1 is not in the sudoers file.  This incident will be reported.
0
user1 at clnt:/home/awtadm$ id
uid=1423400004(user1) gid=1423400004(user1) groups=1423400004(user1)
user1 at clnt:/home/awtadm$ sudo -l
[sudo] password for user1:
Sorry, user user1 may not run sudo on clnt.
user1 at clnt:/home/awtadm$ exit
exit
awtadm at clnt:~$ su user1
Password:
user1 at clnt:/home/awtadm$ id
uid=1423400004(user1) gid=1423400004(user1) groups=1423400004(user1)
user1 at clnt:/home/awtadm$ sudo -l
[sudo] password for user1:
Sorry, user user1 may not run sudo on clnt.
user1 at clnt:/home/awtadm$ /usr/bin/less /etc/shadow |wc -l
/etc/shadow: Permission denied
0
user1 at clnt:/home/awtadm$ sudo /usr/bin/less /etc/shadow |wc -l
[sudo] password for user1:
user1 is not in the sudoers file.  This incident will be reported.
0

--OR--

Darktower tevfik # ssh user1 at 10.1.1.174
The authenticity of host '10.1.1.174 (10.1.1.174)' can't be established.
ECDSA key fingerprint is 37:32:fc:ca:34:ce:4c:07:e8:b6:f6:56:75:98:69:b8.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '10.1.1.174' (ECDSA) to the list of known hosts.
user1 at 10.1.1.174's password:
Welcome to Ubuntu 14.04.1 LTS (GNU/Linux 3.13.0-24-generic x86_64)

  * Documentation:  https://help.ubuntu.com/

Last login: Mon Sep  1 17:50:02 2014 from 10.65.8.100
user1 at clnt:~$ sudo /usr/bin/less /etc/shadow |wc -l
[sudo] password for user1:
user1 is not allowed to run sudo on clnt.  This incident will be reported.
0
user1 at clnt:~$ sudo -l
[sudo] password for user1:
User user1 is not allowed to run sudo on clnt.



On 01-09-2014 19:05, Lukas Slebodnik wrote:
> On (01/09/14 17:52), Tevfik Ceydeliler wrote:
>> 1. I think I configure instead of this document
> Sorry you didn't.
>
>> 2. I can login with ordinary user
> login and sudo are not the same thing.
>
> My FreeIPA server is already properly configured with sudo rules.
> I tried to install freeipa-client on ubuntu 14.04 and it worked without any
> problem.
>
>>> Step 0: Install freeipa-client on ubuntu 14.04 and configure sudo integration
> root at ubuntu1404:/# ipa-client-install --no-ntp
> root at ubuntu1404:/# echo "sudoers: files sss" >> /etc/nsswitch.conf
>
> root at ubuntu1404:/# grep services /etc/sssd/sssd.conf
> services = nss, pam
> root at ubuntu1404:/# sed -i -e 's/\(services.*\)/\1, sudo/' /etc/sssd/sssd.conf
> root at ubuntu1404:/# grep services /etc/sssd/sssd.conf
> services = nss, pam, sudo
>
>>> Step 1: configure sudo rules for ordinary user
>>>      Please follow the instructions from FreeIPA documentation.
>>>      http://www.freeipa.org/docs/master/html-desktop/index.html#sudo
>>>
>    This step was skipped, because it was already done few months ago :-)
>
>>> Step 2: login to machine as ordinary user, which is allowed to use sudo.
> $ su usersssd01
> Password:
> $ id
> uid=325600011(usersssd01) gid=325600011(usersssd01) groups=325600011(usersssd01),30011(biggroup1)
>
>>> Step 3: run command
>>>      sudo -l
>>>      // this command should show you which commands can be executed as root
>>>      // with sudo
> $ sudo -l
> sudo: unable to resolve host ubuntu1404.example.test
> [sudo] password for usersssd01:
> Matching Defaults entries for usersssd01 on ubuntu1404:
>      env_reset, mail_badpass,
>      secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
>
> User usersssd01 may run the following commands on ubuntu1404:
>      (root) /usr/bin/less, /usr/bin/vim
>
>>> Step 4: If there weren't any problems then user will be able to run command.
>>>      sudo some_command_listed_in_step3
> $ sudo /usr/bin/less /etc/shadow | wc -l
> 21
> $ echo $?
> 0
>
> $ sudo apt-get install mc
> Sorry, user usersssd01 is not allowed to execute '/usr/bin/apt-get install mc' as root on ubuntu.example.test.
> $ echo $?
> 1
>
> LS
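
An added example, not part of this thread: a small POSIX shell audit of the two client-side settings the thread depends on (the `sudoers: files sss` line in nsswitch.conf and `sudo` in the `services=` list of sssd.conf), with an idempotent fix that applies the same `echo >>` and `sed` edits Lukas shows. The function names and the sample config files are constructed here; real paths would be /etc/nsswitch.conf and /etc/sssd/sssd.conf.

```shell
#!/bin/sh
# Added example (not from the thread). Paths are parameters so the checks can be
# run against copies of the real files before touching /etc.

# Return 0 when nsswitch.conf routes sudoers lookups through sss AND sssd.conf
# lists the sudo responder; otherwise print what is missing and return 1.
check_sudo_sss() {
    nss="$1"; sssd="$2"; rc=0
    if ! grep -Eq '^[[:space:]]*sudoers:.*[[:space:]]sss([[:space:]]|$)' "$nss"; then
        echo "missing: 'sudoers: files sss' in $nss"; rc=1
    fi
    if ! grep -Eq '^[[:space:]]*services[[:space:]]*=([[:space:]]*|.*[[:space:],])sudo([[:space:],]|$)' "$sssd"; then
        echo "missing: 'sudo' in services= of $sssd"; rc=1
    fi
    return $rc
}

# Apply the thread's two fixes only where the corresponding check fails,
# so re-running never appends a duplicate line or a second ', sudo'.
fix_sudo_sss() {
    nss="$1"; sssd="$2"
    grep -Eq '^[[:space:]]*sudoers:.*[[:space:]]sss([[:space:]]|$)' "$nss" \
        || echo "sudoers: files sss" >> "$nss"
    grep -Eq '^[[:space:]]*services[[:space:]]*=([[:space:]]*|.*[[:space:],])sudo([[:space:],]|$)' "$sssd" \
        || sed -i -e 's/\(services.*\)/\1, sudo/' "$sssd"
}

# Constructed sample configs mirroring the two states seen in the thread:
# the working client (ssh and sudo responders on) and the fresh install
# (no sudoers line, services = nss, pam).
work="$(mktemp -d)"
printf 'passwd: compat sss\nsudoers: files sss\n' > "$work/nsswitch.ok"
printf '[sssd]\nservices = nss, pam, ssh, sudo\n' > "$work/sssd.ok"
printf 'passwd: compat sss\n' > "$work/nsswitch.bad"
printf '[sssd]\nservices = nss, pam\n' > "$work/sssd.bad"

check_sudo_sss "$work/nsswitch.ok" "$work/sssd.ok" && echo "ok config: sudo via sss enabled"
check_sudo_sss "$work/nsswitch.bad" "$work/sssd.bad" || echo "bad config: applying fixes"
fix_sudo_sss "$work/nsswitch.bad" "$work/sssd.bad"
check_sudo_sss "$work/nsswitch.bad" "$work/sssd.bad" && echo "fixed: $(grep services "$work/sssd.bad")"
```

After fixing a real client, restart sssd so the new responder starts; a passing check only confirms the configuration, `sudo -l` as the rule's user confirms the rule itself.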
