[Freeipa-users] Sudo question

Rob Crittenden rcritten at redhat.com
Wed Dec 2 23:26:16 UTC 2015


Sean Hogan wrote:
> Hi All,
> 
> I have spent a significant amount of time on this and am hoping some of you might
> have an idea. I want to limit user bob from getting to a root prompt on
> this test box.
> It seems to work until bob is able to run a command he is allowed via
> sudo such as cat. Sudo -i is on the deny command list in IPA and root is
> local (not in IPA) with
> nsswitch pointing to files first then sss.
> 
> So logged on as user bob, the first thing attempted was sudo -i, which
> produces a wrong pw message even though it is the correct pw, but it is
> denying so fine. Then I issue sudo cat /etc/sysconfig/iptables
> and it allows it after I enter bob's pw, which is fine. However, right
> after that I try sudo -i again and get a root prompt, which is not good. I
> am thinking since root is local and files first then once I sudo up root
> is avail.
> Any suggestions are welcome.

I think you are better off using an HBAC rule to only grant sudo and not
sudo -i.

rob

> 
> *[me@mine ~]$ ssh bob@server*
> bob@server's password:
> Last login: Time: from IP
> Internal systems must only be used for conducting company business or
> for purposes authorized by company management
> Use is subject to audit at any time by company management
> *[bob@server ~]$ sudo -i*
> [sudo] password for bob:
> Sorry, try again.
> *[bob@server ~]$ sudo -i*
> [sudo] password for bob:
> Sorry, try again.
> [sudo] password for bob:
> Sorry, try again.
> [sudo] password for bob:
> sudo: 2 incorrect password attempts
> *[bob@server ~]$ sudo cat /etc/sysconfig/iptables*
> [sudo] password for bob:
> # Firewall configuration written by system-config-firewall
> # Manual customization of this file is not recommended.
> *filter
> *[bob@server ~]$ sudo -i*
> *server.example.local:/root# cat /etc/sysconfig/iptables*
> # Firewall configuration written by system-config-firewall
> # Manual customization of this file is not recommended.
> *filter
> 
> ipa sudorule-show bob
> Rule name: bob
> Description: test sudo rule for user bob
> Enabled: TRUE
> Host category: all
> Users: bob
> Sudo Allow Commands: /sbin/iptables, /sbin/service, /bin/view,
> /bin/bash, /bin/netstat, /usr/bin/sudo -u user -i, /bin/cat
> Sudo Deny Commands: /usr/bin/sudo -i, /usr/bin/sudo-i, /usr/bin/sudo -u
> root -i
> 
> Is it just me or is white space ignored as well with sudo commands much
> like the sudo options?
> 
> Sean Hogan
> Security Engineer
> Watson Security & Risk Assurance
> Watson Cloud Technology and Support
> email: schogan at us.ibm.com | Tel 919 486 1397
> 
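The following audit script is an added example for this thread; it is neither Sean's configuration nor anything from the FreeIPA project. It parses the `ipa sudorule-show bob` output quoted above (re-joined onto single lines, as a constructed sample) and flags the two things a defender would want to catch in that rule: an allow entry for `/bin/bash`, which is exactly what `sudo -i` executes (sudo's `-i` and `-s` run the target user's shell, not `/usr/bin/sudo`), and deny entries that name the sudo binary itself, which therefore never match a plain `sudo -i` invocation. The set of shell paths and the parsing of the `Field: value` layout are assumptions made for the example.

```python
"""Audit a FreeIPA sudo rule as printed by `ipa sudorule-show`.

Added example for the thread above; not code from the thread or from FreeIPA.
"""
import re

# Constructed sample: the rule quoted in the thread, with the two long
# fields re-joined onto single lines (the list archive wrapped them).
SAMPLE_RULE = """\
Rule name: bob
Description: test sudo rule for user bob
Enabled: TRUE
Host category: all
Users: bob
Sudo Allow Commands: /sbin/iptables, /sbin/service, /bin/view, /bin/bash, /bin/netstat, /usr/bin/sudo -u user -i, /bin/cat
Sudo Deny Commands: /usr/bin/sudo -i, /usr/bin/sudo-i, /usr/bin/sudo -u root -i
"""

# Assumed set of login shells for this example; extend it to match the
# shells actually installed on the hosts the rule applies to.
SHELLS = {"/bin/sh", "/bin/bash", "/bin/dash", "/bin/zsh", "/bin/ksh", "/bin/tcsh"}

# Fields whose value is a comma-separated list in `ipa sudorule-show` output.
LIST_FIELDS = {"Users", "Hosts", "Sudo Allow Commands", "Sudo Deny Commands"}


def parse_sudorule(text):
    """Turn `ipa sudorule-show` output into a dict; list fields become lists."""
    rule = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key in LIST_FIELDS:
            rule[key] = [item.strip() for item in value.split(",") if item.strip()]
        else:
            rule[key] = value
    return rule


def audit_sudorule(rule):
    """Return findings about allow/deny entries that do not do what the
    rule author typically expects."""
    findings = []
    for cmd in rule.get("Sudo Allow Commands", []):
        binary = cmd.split()[0]
        if binary in SHELLS:
            findings.append(
                f"ALLOW {cmd}: an interactive shell. `sudo -i` and `sudo -s` "
                f"execute the target user's shell, so this entry by itself "
                f"yields a root prompt; a deny entry that names sudo rather "
                f"than the shell does not block it."
            )
    for cmd in rule.get("Sudo Deny Commands", []):
        binary = cmd.split()[0]
        # Deny entries are matched against the command sudo executes, and for
        # `sudo -i` that command is the shell, never /usr/bin/sudo itself.
        if re.search(r"/sudo(-i)?$", binary):
            findings.append(
                f"DENY {cmd}: names the sudo binary itself, but a plain "
                f"`sudo -i` executes the shell, not /usr/bin/sudo, so this "
                f"entry does not match that invocation."
            )
    return findings


if __name__ == "__main__":
    for finding in audit_sudorule(parse_sudorule(SAMPLE_RULE)):
        print(finding)
```

Run against the quoted rule it reports four findings: one for `/bin/bash` in the allow list and one for each of the three deny entries. The practical reading is the same as Rob's advice: the deny list cannot express "no interactive root shell" once a shell is in the allow list, so that restriction has to live elsewhere (an HBAC rule that grants the `sudo` service but not `sudo-i`, and an allow list without shells).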