[Freeipa-users] Sudo question

Rob Crittenden rcritten at redhat.com
Thu Dec 3 15:29:30 UTC 2015


Sean Hogan wrote:
> Hi Rob,
> 
> Thanks for the suggestion. I think that is what I have though. The
> sudorule applied for this user does not have sudo as an avail command
> unless it picks up /usr/bin/sudo -u user -i which I was thinking would
> only allow sudoing to user.
> HBAC services I have for the user has sudo and no sudo -i.
> Services
> sshd
> login
> gdm
> gdm-password
> kdm
> su
> su-l
> vsftpd
> sudo
> 
> Sudo Rule
> *Sudo Allow Commands*: /sbin/iptables, /sbin/service,
> /bin/view,/bin/bash, /bin/netstat, /usr/bin/sudo -u user -i, /bin/cat
> *Sudo Deny Commands*: /usr/bin/sudo -i, /usr/bin/sudo-i, /usr/bin/sudo
> -u root -i
> 
> Unfortunately I am really stumped on this one.

You probably have the allow_all HBAC rule enabled. If sudo-i isn't
allowed in HBAC then the pam service shouldn't be allowed at all. I'd
suggest you bump up the sssd debug level to better see what is happening.

rob

> 
> From: Rob Crittenden <rcritten at redhat.com>
> To: Sean Hogan/Durham/IBM at IBMUS, freeipa-users at redhat.com
> Date: 12/02/2015 04:26 PM
> Subject: Re: [Freeipa-users] Sudo question
> 
> ------------------------------------------------------------------------
> 
> Sean Hogan wrote:
>> Hi All,
>>
>> I have a significant amount of time on this and hoping some of you might
>> have an idea. I want to limit user bob from getting to a root prompt on
>> this test box.
>> It seems to work until bob is able to run a command he is allowed via
>> sudo such as cat. Sudo -i is on the deny command list in IPA and root is
>> local(not in IPA) with
>> nsswitch pointing to files first then sss.
>>
>> So logged on as user bob, first thing attempted was sudo -i which
>> produces wrong pw message even though it is the correct pw but it is
>> denying so fine. Then I issue sudo cat /etc/sysconfig/iptables
>> and it allows it after I enter bob's pw which is fine. However right
>> after that I try sudo -i again and get root prompt which is not good. I
>> am thinking since root is local and files first then once I sudo up root
>> is avail.
>> Any suggestions are welcome
> 
> I think you are better off using an HBAC rule to only grant sudo and not
> sudo -i.
> 
> rob
> 
>>
>> [me at mine ~]$ ssh bob at server
>> bob at servers password:
>> Last login: Time: from IP
>> Internal systems must only be used for conducting company business or
>> for purposes authorized by company management
>> Use is subject to audit at any time by company management
>> [bob at server ~]$ sudo -i
>> [sudo] password for bob:
>> Sorry, try again.
>> [bob at server ~]$ sudo -i
>> [sudo] password for bob:
>> Sorry, try again.
>> [sudo] password for bob:
>> Sorry, try again.
>> [sudo] password for bob:
>> sudo: 2 incorrect password attempts
>> [bob at server ~]$ sudo cat /etc/sysconfig/iptables
>> [sudo] password for bob:
>> # Firewall configuration written by system-config-firewall
>> # Manual customization of this file is not recommended.
>> *filter
>> [bob at server ~]$ sudo -i
>> server.example.local:/root# cat /etc/sysconfig/iptables
>> # Firewall configuration written by system-config-firewall
>> # Manual customization of this file is not recommended.
>> *filter
>>
>> ipa sudorule-show bob
>> Rule name: bob
>> Description: test sudo rule for user bob
>> Enabled: TRUE
>> Host category: all
>> Users: bob
>> Sudo Allow Commands: /sbin/iptables, /sbin/service, /bin/view,
>> /bin/bash, /bin/netstat, /usr/bin/sudo -u user -i, /bin/cat
>> Sudo Deny Commands: /usr/bin/sudo -i, /usr/bin/sudo-i, /usr/bin/sudo -u
>> root -i
>>
>> Is it just me or is white space ignored as well with sudo commands much
>> like the sudo options?
>>
>>
>> Sean Hogan
>> Security Engineer
>> Watson Security & Risk Assurance
>> Watson Cloud Technology and Support
>> email: schogan at us.ibm.com | Tel 919 486 1397
> 
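An added illustration of Rob's point about the allow_all rule, not code from this thread or from FreeIPA: a small model of HBAC evaluation (allow-only rules, access granted when any enabled rule matches user, host and PAM service) with constructed rule, user and host names, showing that the sudo-i service passes while allow_all is enabled and is denied once it is disabled.

```python
# Added example, not code from the thread or from FreeIPA itself: a small
# model of HBAC evaluation showing why an enabled allow_all rule lets the
# "sudo-i" PAM service through even when a narrower rule lists only "sudo".
# HBAC rules are allow-only: access is granted when ANY enabled rule matches
# the user, the host and the PAM service. Names below are constructed.
from dataclasses import dataclass, field, replace


@dataclass
class HbacRule:
    name: str
    enabled: bool = True
    # "category: all" flags, as shown by `ipa hbacrule-show`
    user_cat_all: bool = False
    host_cat_all: bool = False
    service_cat_all: bool = False
    users: set = field(default_factory=set)
    hosts: set = field(default_factory=set)
    services: set = field(default_factory=set)

    def matches(self, user: str, host: str, service: str) -> bool:
        return (self.enabled
                and (self.user_cat_all or user in self.users)
                and (self.host_cat_all or host in self.hosts)
                and (self.service_cat_all or service in self.services))


def granting_rules(rules, user, host, service):
    """Names of rules that grant access; an empty list means access is denied."""
    return [r.name for r in rules if r.matches(user, host, service)]


# The default rule IPA ships with: every user, every host, every service.
ALLOW_ALL = HbacRule("allow_all", user_cat_all=True, host_cat_all=True,
                     service_cat_all=True)
ALLOW_ALL_DISABLED = replace(ALLOW_ALL, enabled=False)

# Narrow rule in the spirit of the thread: bob may log in and use sudo on
# "server", but the sudo-i service is deliberately left out.
BOB_SUDO = HbacRule("bob_sudo_only", users={"bob"}, hosts={"server"},
                    services={"sshd", "login", "sudo"})

if __name__ == "__main__":
    for label, rules in (("allow_all enabled", [ALLOW_ALL, BOB_SUDO]),
                         ("allow_all disabled", [ALLOW_ALL_DISABLED, BOB_SUDO])):
        for svc in ("sudo", "sudo-i"):
            hit = granting_rules(rules, "bob", "server", svc)
            print(f"{label:19} {svc:7} -> {hit or 'DENIED'}")
```

On a real server the equivalent check is `ipa hbactest --user bob --host server --service sudo-i`, which also names the rule that matched; the sssd debug logs Rob mentions show the same evaluation on the client side.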
