[Freeipa-users] hbac service allowed despite not listed
Sumit Bose
sbose at redhat.com
Mon Nov 23 16:47:34 UTC 2015
On Mon, Nov 23, 2015 at 05:16:26PM +0100, Jakub Hrozek wrote:
> On Mon, Nov 23, 2015 at 04:55:31PM +0100, Winfried de Heiden wrote:
> > Hi all,
> >
> > I created some hbac rule on freeipa-server 4.1.4 on Fedora 22
> >
> > # ipa hbacrule-show testuser
> > Rule name: testuser
> > Enabled: TRUE
> > Users: testuser
> > Hosts: fedora23-server.blabla.bla
> > Services: sshd
> >
> > Hence, "testuser" is only allowed using sshd on "fedora23-server". No
> > surprise, this user is not allowed to use "su":
> >
> > # ipa hbactest --user testuser --host fedora23-server.blabla.bla --service
> > su
> > ---------------------
> > Access granted: False
> >
> > (and yeah sshd is allowed)
> >
> > However, doing a "su" on the fedora23-server.blabla.bla, and giving the
> > correct password, access is granted. This user is not a member of any
> > other groups.
> > HBAC Services like cron or console access are denied correctly since they
> > are not in the HBAC service list.
> >
> > I noticed this behaviour also on IPA 4.1 (the Red Hat one) and several
> > other ipa-clients (RHEL/CentOS 6.x, 7.x)
> >
> > Shouldn't su or su -l be denied when not listed?
>
> Yes, and in my testing with a similar rule:
>
> $ ipa hbacrule-show allow_sshd
> Rule name: allow_sshd
> Enabled: TRUE
> Users: admin
> Hosts: client.ipa.test
> Services: sshd
>
> admin can ssh to client.ipa.test but it's not possible to su to admin.
>
> Please follow https://fedorahosted.org/sssd/wiki/Troubleshooting and check
> /var/log/secure and the sssd logs.
>
> Also, you're not calling su as root, are you?
Have you disabled the allow_all rule?
bye,
Sumit
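One way to check Sumit's hint, added here as an example and not part of the thread: a POSIX shell function that scans the output of `ipa hbacrule-find` (read from stdin) for enabled rules whose user, host and service categories are all `all`, which is the shape of the default `allow_all` rule that grants every service, su included. The sample input below is constructed in the shape of that command's output; the rule name `testuser` is taken from the thread.

```shell
#!/bin/sh
# Print the names of enabled catch-all HBAC rules found in `ipa hbacrule-find`
# output on stdin. A rule is catch-all when its user, host and service
# categories are all "all"; such a rule explains why su succeeds even though a
# narrower rule only lists sshd. Rule blocks are separated by blank lines and
# start with "Rule name:".
find_catchall_rules() {
  awk '
    function flush() {
      if (name != "" && enabled == "TRUE" &&
          ucat == "all" && hcat == "all" && scat == "all")
        print name
      name = ""; enabled = ""; ucat = ""; hcat = ""; scat = ""
    }
    /^[[:space:]]*Rule name:/ {
      flush(); sub(/^[[:space:]]*Rule name:[[:space:]]*/, ""); name = $0
    }
    /^[[:space:]]*Enabled:/          { enabled = $NF }
    /^[[:space:]]*User category:/    { ucat = $NF }
    /^[[:space:]]*Host category:/    { hcat = $NF }
    /^[[:space:]]*Service category:/ { scat = $NF }
    END { flush() }
  '
}

# Constructed sample: allow_all still enabled next to the thread's sshd-only rule.
SAMPLE_ALLOW_ALL_ON='  Rule name: allow_all
  User category: all
  Host category: all
  Service category: all
  Description: Allow all users to access any host from any host
  Enabled: TRUE

  Rule name: testuser
  Enabled: TRUE
  Users: testuser
  Hosts: fedora23-server.blabla.bla
  Services: sshd'

# Constructed sample: the same listing after `ipa hbacrule-disable allow_all`.
SAMPLE_ALLOW_ALL_OFF=$(printf '%s\n' "$SAMPLE_ALLOW_ALL_ON" | sed '1,6s/Enabled: TRUE/Enabled: FALSE/')

# Against a live server (needs a Kerberos ticket):  ipa hbacrule-find | find_catchall_rules
printf '%s\n' "$SAMPLE_ALLOW_ALL_ON" | find_catchall_rules   # prints: allow_all
```

If the live run prints a rule name, `ipa hbactest` will report access granted for su on every host until that rule is disabled or narrowed.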