[Freeipa-users] Sudo question

Sean Hogan schogan at us.ibm.com
Wed Dec 2 22:20:27 UTC 2015


Hi All,

  I have spent a significant amount of time on this and am hoping some of you might
have an idea. I want to limit user bob from getting to a root prompt on
this test box. It seems to work until bob is able to run a command he is allowed via sudo,
such as cat. sudo -i is on the deny command list in IPA and root is local
(not in IPA), with nsswitch pointing to files first, then sss.

So, logged on as user bob, the first thing attempted was sudo -i, which produces
a wrong-password message even though it is the correct password; but it is denying, so
fine. Then I issue sudo cat /etc/sysconfig/iptables and it allows it after I enter
bob's password, which is fine. However, right after that I try sudo -i again and
get a root prompt, which is not good. I am thinking that since root is local and
files come first, once I sudo up, root is available.
Any suggestions are welcome.



[me@mine ~]$ ssh bob@server
bob@server's password:
Last login:  Time: from IP
Internal systems must only be used for conducting company business or for
purposes authorized by company management
Use is subject to audit at any time by company management
[bob@server ~]$ sudo -i
[sudo] password for bob:
Sorry, try again.
[bob@server ~]$ sudo -i
[sudo] password for bob:
Sorry, try again.
[sudo] password for bob:
Sorry, try again.
[sudo] password for bob:
sudo: 2 incorrect password attempts
[bob@server ~]$ sudo cat /etc/sysconfig/iptables
[sudo] password for bob:
# Firewall configuration written by system-config-firewall
# Manual customization of this file is not recommended.
*filter
[bob@server ~]$ sudo -i
server.example.local:/root# cat /etc/sysconfig/iptables
# Firewall configuration written by system-config-firewall
# Manual customization of this file is not recommended.
*filter



  ipa sudorule-show bob
  Rule name: bob
  Description: test sudo rule for user bob
  Enabled: TRUE
  Host category: all
  Users: bob
  Sudo Allow Commands: /sbin/iptables, /sbin/service, /bin/view, /bin/bash, /bin/netstat, /usr/bin/sudo -u user -i, /bin/cat
  Sudo Deny Commands: /usr/bin/sudo -i, /usr/bin/sudo-i, /usr/bin/sudo -u root -i

Is it just me, or is whitespace ignored with sudo commands as well, much
like the sudo options?






Sean Hogan
Security Engineer
Watson Security & Risk Assurance
Watson Cloud Technology and Support
email: schogan at us.ibm.com | Tel 919 486 1397
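An added audit script (mine, not from the post or from FreeIPA) that re-joins the wrapped `ipa sudorule-show` output above and checks the rule the way sudo itself evaluates it: a rule is matched against the command sudo would execute, so for `sudo -i` that is the target user's login shell (here root's /bin/bash), never "/usr/bin/sudo -i"; a deny entry whose program is sudo can therefore never match, while an allow entry for /bin/bash grants exactly what the deny was meant to block. The rule text is constructed from the post; the shell and re-entrant program lists are my assumptions.

```python
import re

# Rule text constructed from the post's ipa sudorule-show output (wrapped as posted).
RULE_TEXT = """\
  Rule name: bob
  Description: test sudo rule for user bob
  Enabled: TRUE
  Host category: all
  Users: bob
  Sudo Allow Commands: /sbin/iptables, /sbin/service,  /bin/view,
                       /bin/bash, /bin/netstat, /usr/bin/sudo -u user
-i, /bin/cat
  Sudo Deny Commands: /usr/bin/sudo -i, /usr/bin/sudo-i, /usr/bin/sudo -u
root -i
"""

# Interactive shells (assumed list): allowing one equals allowing 'sudo -i' / 'sudo -s'.
SHELLS = {"/bin/bash", "/bin/sh", "/bin/dash", "/bin/zsh", "/bin/ksh", "/bin/tcsh"}
# sudo never matches a rule against its own invocation; it matches the command it would run.
REENTRANT = {"/usr/bin/sudo", "/bin/su", "/usr/bin/su"}

def parse_rule(text):
    """Return {field: value}; continuation lines of a wrapped list are re-joined."""
    fields, current = {}, None
    for line in text.splitlines():
        m = re.match(r"^\s*([A-Za-z][A-Za-z ]*): ?(.*)$", line)
        if m:
            current = m.group(1)
            fields[current] = m.group(2).strip()
        elif current is not None and line.strip():
            fields[current] = fields[current] + " " + line.strip()
    return fields

def split_commands(value):
    return [c.strip() for c in value.split(",") if c.strip()]

def audit(fields):
    """Return findings: allow entries that yield a root shell, deny entries that cannot match."""
    findings = []
    for cmd in split_commands(fields.get("Sudo Allow Commands", "")):
        prog = cmd.split()[0]
        if prog in SHELLS:
            findings.append(f"allow grants a shell: {cmd} (this is what 'sudo -i' executes)")
        elif prog in REENTRANT:
            findings.append(f"allow re-enters sudo/su: {cmd}")
    for cmd in split_commands(fields.get("Sudo Deny Commands", "")):
        if cmd.split()[0] in REENTRANT:
            findings.append(f"deny can never match: {cmd} (sudo -i runs the login shell, not sudo)")
    return findings

if __name__ == "__main__":
    for finding in audit(parse_rule(RULE_TEXT)):
        print(finding)
```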