[Freeipa-users] Allow user or group to switch user without password and not becoming root

Dmitri Pal dpal at redhat.com
Wed May 13 17:31:51 UTC 2015


On 05/13/2015 01:12 PM, Andrey Ptashnik wrote:
> Thank you everyone for your help!
>
> I found two ways to implement it in IPA server and tested them. Both 
> methods work in my current setup, RHEL 7.1 and IPA server 4.1.0. The first 
> method allows the user to run the default terminal as the target user (bash 
> in my case). The second method uses the su command, but runs it as the 
> root user. So depending on security preferences either one could satisfy 
> admins.
>
> ===================================
>
> *Options:*
> !authenticate
>
> *Who:*
> user1
>
> *Access this Host:*
> webserver
>
> *Run Commands:*
> /usr/bin/sudo
> /bin/bash
>
> *As Whom:*
> oracle (external user type, since oracle is created locally only)
>
> How is it working:
> [user1@webserver ~]$ *sudo -u oracle bash -i*
> [oracle@webserver user1]$
>
> ===================================
>
> *Options:*
> !authenticate
>
> *Who:*
> user1
>
> *Access this Host:*
> webserver
>
> *Run Commands:*
> /usr/bin/sudo
> /bin/su - oracle
>
> *As Whom:*
> root
>
> How is it working:
> [user1@webserver ~]$ *sudo su - oracle*
> Last login: Wed May 13 11:41:52 CDT 2015 on pts/0
> [oracle@webserver ~]$
>
> ===================================
>
> For some reason the *NOPASSWD:* option was not recognized correctly by the 
> IPA server. This is the output I was getting:
>
> [user1@webserver ~]$ sudo su - oracle
> sudo: unknown defaults entry `NOPASSWD:'
> Last login: Tue May 12 15:00:31 CDT 2015 on pts/1
> Last failed login: Wed May 13 10:46:52 CDT 2015 on pts/0
> There were 7 failed login attempts since the last successful login.
> [oracle@webserver ~]$
>
> Regards,
>
> Andrey Ptashnik
>


Thank you!
Would you mind turning it into a HowTo on the freeIPA wiki?


>
> From: <Gould>, Joshua <Joshua.Gould at osumc.edu 
> <mailto:Joshua.Gould at osumc.edu>>
> Date: Tuesday, May 12, 2015 at 9:41 PM
> To: "dpal at redhat.com <mailto:dpal at redhat.com>" <dpal at redhat.com 
> <mailto:dpal at redhat.com>>, "freeipa-users at redhat.com 
> <mailto:freeipa-users at redhat.com>" <freeipa-users at redhat.com 
> <mailto:freeipa-users at redhat.com>>
> Subject: Re: [Freeipa-users] Allow user or group to switch user 
> without password and not becoming root
>
> For the NOPASSWD option, I found that using !authenticate in the sudo 
> option is what IPA wants instead.
>
> $ ipa sudorule-add-option readfiles
> Sudo Option: !authenticate
> -----------------------------------------------------
> Added option "!authenticate" to Sudo rule "readfiles"
> -----------------------------------------------------
>
> From: Dmitri Pal <dpal at redhat.com <mailto:dpal at redhat.com>>
> Organization: Red Hat
> Reply-To: "dpal at redhat.com <mailto:dpal at redhat.com>" <dpal at redhat.com 
> <mailto:dpal at redhat.com>>
> Date: Tuesday, May 12, 2015 at 5:32 PM
> To: "freeipa-users at redhat.com <mailto:freeipa-users at redhat.com>" 
> <freeipa-users at redhat.com <mailto:freeipa-users at redhat.com>>
> Subject: Re: [Freeipa-users] Allow user or group to switch user 
> without password and not becoming root
>
> On 05/12/2015 04:44 PM, Andrey Ptashnik wrote:
>> Hello Team,
>>
>> We have RHEL 7.1 and IPA server 4.1.0 in our environment as well as a 
>> stack of Oracle software that requires the existence of local passwordless 
>> users like weblogic and oracle.
>> Users log in to servers via domain accounts at the IPA server.
>>
>> I’m trying to configure a Sudo policy in IPA server that will allow 
>> users in the company to log in to servers in the IPA domain and switch to 
>> the weblogic or oracle user without having to enter any passwords, but 
>> also without increasing their privileges to root.
>> Using a plain /etc/sudoers file it can be accomplished with something 
>> like the following:
>>
>> %users ALL = (root)
>
> Users will be the Who of the IPA sudo rule
>
>> NOPASSWD:
>
> This will be an option that you would put into the sudo rule
>
>> /bin/su - oracle
>
> This will be the command. You create a command and then reference it 
> in the rule.
>
> At least this is what I would try.
>
>>
>> How can I configure this behavior in IPA server?
>>
>> Regards,
>>
>> Andrey
>>
>>
>>
>
>
> -- 
> Thank you,
> Dmitri Pal
>
> Director of Engineering for IdM portfolio
> Red Hat, Inc.


-- 
Thank you,
Dmitri Pal

Director of Engineering for IdM portfolio
Red Hat, Inc.
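The two rules Andrey describes above, expressed as FreeIPA CLI calls rather than web UI fields. This is an added example, not code from the thread or from the FreeIPA project. The user, host and command names (user1, webserver, oracle, /bin/bash, /bin/su - oracle) are the thread's; the rule names oracle-shell and oracle-su are assumed; and the IPA variable defaults to echo so the script can be dry-run without an IPA server (set IPA=ipa on a host with an admin Kerberos ticket to apply the rules for real).

```shell
#!/bin/sh
# Added example: create the two FreeIPA sudo rules from the thread with the
# ipa CLI. IPA defaults to "echo" so the commands are only printed (dry run).
IPA="${IPA:-echo}"

# Rule 1: user1 may run bash on webserver as the local user "oracle".
# No root involvement at any point. Rule name "oracle-shell" is assumed.
rule_shell_as_oracle() {
    "$IPA" sudocmd-add /bin/bash
    "$IPA" sudorule-add oracle-shell
    "$IPA" sudorule-add-user oracle-shell --users=user1
    "$IPA" sudorule-add-host oracle-shell --hosts=webserver
    "$IPA" sudorule-add-allow-command oracle-shell --sudocmds=/bin/bash
    # "oracle" exists only in /etc/passwd on the host, so it is stored as an
    # external RunAs user (what the web UI calls the "external" user type).
    "$IPA" sudorule-add-runasuser oracle-shell --users=oracle
    # The sudoers NOPASSWD: tag is spelled as the sudo option "!authenticate".
    # Single quotes stop an interactive shell from history-expanding the "!".
    "$IPA" sudorule-add-option oracle-shell --sudooption='!authenticate'
}

# Rule 2: user1 may run "su - oracle" as root. The su binary itself executes
# with root privileges; sudo only matches the exact argument list.
# Rule name "oracle-su" is assumed.
rule_su_as_root() {
    "$IPA" sudocmd-add '/bin/su - oracle'
    "$IPA" sudorule-add oracle-su
    "$IPA" sudorule-add-user oracle-su --users=user1
    "$IPA" sudorule-add-host oracle-su --hosts=webserver
    "$IPA" sudorule-add-allow-command oracle-su --sudocmds='/bin/su - oracle'
    "$IPA" sudorule-add-runasuser oracle-su --users=root
    "$IPA" sudorule-add-option oracle-su --sudooption='!authenticate'
}

# Sanity check on the dry-run output for the mistake from the thread: sudo
# rejects the sudoers tag "NOPASSWD:" when it arrives as an option ("unknown
# defaults entry"), so the only no-password option may be "!authenticate".
# Returns 0 when no NOPASSWD appears and !authenticate is present.
options_are_valid() {
    out=$( rule_shell_as_oracle; rule_su_as_root )
    if printf '%s\n' "$out" | grep -q 'NOPASSWD'; then
        return 1
    fi
    printf '%s\n' "$out" | grep -q -- '--sudooption=!authenticate'
}

# Stand-alone run: print (or apply) both rules.
rule_shell_as_oracle
rule_su_as_root
```

After the rules are applied, `sudo -l` run as user1 on webserver shows which entries SSSD has fetched and whether `!authenticate` is in effect; the difference between the two rules is visible there as the RunAs user (oracle versus root), which is the trade-off Andrey points to when he says either one could satisfy admins depending on security preferences.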
