[Freeipa-users] hbac service allowed despite not listed
Jakub Hrozek
jhrozek at redhat.com
Mon Nov 23 16:16:26 UTC 2015
On Mon, Nov 23, 2015 at 04:55:31PM +0100, Winfried de Heiden wrote:
> Hi all,
>
> I created some hbac rule on freeipa-server 4.1.4 on Fedora 22
>
> # ipa hbacrule-show testuser
> Rule name: testuser
> Enabled: TRUE
> Users: testuser
> Hosts: fedora23-server.blabla.bla
> Services: sshd
>
> Hence, "testuser" is only allowed using sshd on "fedora23-server". No
> surprise, this user is not allowed to use "su":
>
> # ipa hbactest --user testuser --host fedora23-server.blabla.bla --service su
> ---------------------
> Access granted: False
>
> (and yeah sshd is allowed)
>
> However, doing a "su" on the fedora23-server.blabla.bla, and giving the
> correct password, access is granted. This user is not a member of any
> other groups.
> HBAC Services like cron or console access are denied correctly since they
> are not in the HBAC service list.
>
> I noticed this behaviour also on IPA 4.1 (The Red Hat one) and several
> other ipa-clients (RHEL/CentOS 6.x, 7.x)
>
> Shouldn't su or su -l be denied when not listed?
Yes, and in my testing with a similar rule:
$ ipa hbacrule-show allow_sshd
Rule name: allow_sshd
Enabled: TRUE
Users: admin
Hosts: client.ipa.test
Services: sshd
admin can ssh to client.ipa.test but it's not possible to su to admin.
Please follow https://fedorahosted.org/sssd/wiki/Troubleshooting and check
/var/log/secure and the sssd logs.
Also, you're not calling su as root, are you?
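The thread hinges on how an HBAC rule is evaluated: a request (user, host, PAM service) is granted only if some enabled rule matches on all three dimensions, which is why `ipa hbactest` grants `sshd` and denies `su` for the rule above. The following is an added example written for this page, not FreeIPA's or SSSD's own code: a small model of that evaluation, using the rule from the original post plus a constructed, disabled `allow_all` rule (the rule names, dataclass and helper functions are assumptions made here). Group and hostgroup expansion is left out; the point is to show that a service absent from every matching rule is denied, and that a broader enabled rule, not the narrow one, is what would let `su` through.

```python
"""Minimal model of FreeIPA HBAC rule evaluation (added example, not FreeIPA code).

A request (user, host, service) is granted when at least one *enabled* rule
matches on all three dimensions. A dimension is either the category "all"
(modelled as None) or an explicit set of names. Group/hostgroup membership
is assumed to be pre-expanded into these sets for this toy model.
"""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional

ALL = None  # category "all" (usercat/hostcat/servicecat=all in IPA terms)


@dataclass(frozen=True)
class HbacRule:
    name: str
    enabled: bool = True
    users: Optional[FrozenSet[str]] = ALL
    hosts: Optional[FrozenSet[str]] = ALL
    services: Optional[FrozenSet[str]] = ALL


def _dim_matches(allowed: Optional[FrozenSet[str]], value: str) -> bool:
    """True if the dimension is category 'all' or explicitly lists value."""
    return allowed is ALL or value in allowed


def matching_rules(rules: List[HbacRule], user: str, host: str, service: str) -> List[str]:
    """Names of enabled rules that match the request on user, host AND service."""
    return [
        r.name
        for r in rules
        if r.enabled
        and _dim_matches(r.users, user)
        and _dim_matches(r.hosts, host)
        and _dim_matches(r.services, service)
    ]


def hbac_access(rules: List[HbacRule], user: str, host: str, service: str) -> bool:
    """Access is granted iff at least one enabled rule matches (deny by default)."""
    return bool(matching_rules(rules, user, host, service))


def hbactest_report(rules: List[HbacRule], user: str, host: str, service: str) -> str:
    """Render a result in the spirit of `ipa hbactest` output."""
    matched = matching_rules(rules, user, host, service)
    lines = [f"Access granted: {hbac_access(rules, user, host, service)}"]
    lines += [f"  Matched rules: {n}" for n in matched]
    lines += [f"  Not matched rules: {r.name}" for r in rules if r.name not in matched]
    return "\n".join(lines)


# Constructed rule set: the rule from the post, plus the default allow_all
# rule modelled as disabled (a constructed assumption for this example).
HOST = "fedora23-server.blabla.bla"
RULES = [
    HbacRule("testuser", users=frozenset({"testuser"}), hosts=frozenset({HOST}),
             services=frozenset({"sshd"})),
    HbacRule("allow_all", enabled=False),
]


def with_allow_all_enabled(rules: List[HbacRule]) -> List[HbacRule]:
    """Variant of the rule set where allow_all is enabled, to show its effect."""
    return [HbacRule(r.name, True, r.users, r.hosts, r.services) if r.name == "allow_all" else r
            for r in rules]


if __name__ == "__main__":
    for svc in ("sshd", "su"):
        print(f"--- service {svc}")
        print(hbactest_report(RULES, "testuser", HOST, svc))
    print("--- service su, with allow_all enabled")
    print(hbactest_report(with_allow_all_enabled(RULES), "testuser", HOST, "su"))
```

Run it as a script to see the `sshd` request matched by the `testuser` rule, the `su` request matched by nothing, and the same `su` request granted once a broad enabled rule exists. On a real client the equivalent check is `ipa hbactest` for the server-side view, and the `pam_sss` entries in `/var/log/secure` plus the SSSD domain log for what the client actually evaluated, as the reply above recommends.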