[Freeipa-users] hbac service allowed despite not listed

Jakub Hrozek jhrozek at redhat.com
Tue Nov 24 10:36:25 UTC 2015


On Tue, Nov 24, 2015 at 11:10:11AM +0100, Winfried de Heiden wrote:
>    Hi all,
> 
>    Running as an ordinary user, straight from the beginning.
> 
>    Is the (default) suid of/usr/bin/su causing this?
>     
>    Anyway: the info requested:
> 
>    /var/log/secure will tell:
>    Nov 24 11:04:11 fedora23-server su: pam_systemd(su:session): Cannot create session: Already running in a session
>    Nov 24 11:04:11 fedora23-server su: pam_unix(su:session): session opened for user root by testuser(uid=10005)

Interesting, there is not even an account message at all... not even an auth
message?

> 
>    The pam.d files are from a clean fresh Fedora23 install and
>    ipa-client-install afterwards:
> 
>    /etc/pam.d/su
>    #%PAM-1.0
>    auth        sufficient    pam_rootok.so
>    # Uncomment the following line to implicitly trust users in the "wheel" group.
>    #auth        sufficient    pam_wheel.so trust use_uid
>    # Uncomment the following line to require a user to be in the "wheel" group.
>    #auth        required    pam_wheel.so use_uid
>    auth        substack    system-auth
>    auth        include        postlogin
>    account        sufficient    pam_succeed_if.so uid = 0 use_uid quiet
>    account        include        system-auth

...yet clearly here su includes system-auth unless pam_succeed_if ran
(which should only happen if you ran su as root).

Just to be sure, can you comment out the pam_succeed_if.so line?

>    password    include        system-auth
>    session        include        system-auth
>    session        include        postlogin
>    session        optional    pam_xauth.so
> 
>    /etc/pam.d/postlogin
>    #%PAM-1.0
>    # This file is auto-generated.
>    # User changes will be destroyed the next time authconfig is run.
>    session     [success=1 default=ignore] pam_succeed_if.so service !~ gdm* service !~ su* quiet
>    session     [default=1]   pam_lastlog.so nowtmp silent
>    session     optional      pam_lastlog.so silent noupdate showfailed
> 
>    /etc/pam.d/system-auth
>    #%PAM-1.0
>    # This file is auto-generated.
>    # User changes will be destroyed the next time authconfig is run.
>    auth        required      pam_env.so
>    auth        [default=1 success=ok] pam_localuser.so
>    auth        [success=done ignore=ignore default=die] pam_unix.so nullok try_first_pass
>    auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
>    auth        sufficient    pam_sss.so forward_pass
>    auth        required      pam_deny.so
> 
>    account     required      pam_unix.so
>    account     sufficient    pam_localuser.so
>    account     sufficient    pam_succeed_if.so uid < 1000 quiet
>    account     [default=bad success=ok user_unknown=ignore] pam_sss.so
>    account     required      pam_permit.so
> 
>    password    requisite     pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
>    password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass
>    use_authtok
>    password    sufficient    pam_sss.so use_authtok
>    password    required      pam_deny.so
> 
>    session     optional      pam_keyinit.so revoke
>    session     required      pam_limits.so
>    -session     optional      pam_systemd.so
>    session     optional      pam_oddjob_mkhomedir.so umask=0077
>    session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
>    session     required      pam_unix.so
>    session     optional      pam_sss.so
> 
>    On 24-11-15 at 10:37 Jakub Hrozek wrote:
> 
>  Are you running su as an ordinary user or root? What does appear in
>  /var/log/secure when you run su ?
> 
>  Can you show what is the /etc/pam.d/su config and the config of the
>  service that is included from /etc/pam.d/su ? (typically system-auth)
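The account-phase walk Jakub describes above, as an added example that is not code from the thread: a small Python model of Linux-PAM control-flag handling run over the quoted su and system-auth account lines. Only pam_succeed_if is evaluated from its real condition; the other module results are assumed inputs (whether the user is local for pam_localuser, and what pam_sss returns), and the model reports which module settles the account phase for a given calling uid.

```python
import re
PAM_FILES = {  # constructed excerpt of the account lines from the /etc/pam.d files quoted above
    "su": "account sufficient pam_succeed_if.so uid = 0 use_uid quiet\n"
          "account include system-auth\n",
    "system-auth": "account required pam_unix.so\n"
                   "account sufficient pam_localuser.so\n"
                   "account sufficient pam_succeed_if.so uid < 1000 quiet\n"
                   "account [default=bad success=ok user_unknown=ignore] pam_sss.so\n"
                   "account required pam_permit.so\n",
}
SIMPLE = {"required": {"success": "ok", "default": "bad"},  # keywords as their bracket actions
          "requisite": {"success": "ok", "default": "die"},
          "sufficient": {"success": "done", "default": "ignore"}}
LINE = re.compile(r"^(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")

def parse(name, phase="account"):
    """Yield (action map, module, args) for one phase; include/substack lines are spliced in."""
    for line in PAM_FILES[name].splitlines():
        m = LINE.match(line.strip())
        if not m or m.group(1) != phase:
            continue
        ctl, mod, args = m.groups()[1:]
        if ctl in ("include", "substack"):   # substack treated like include (enough for account)
            yield from parse(mod, phase)
        elif ctl.startswith("["):
            yield dict(kv.split("=") for kv in ctl[1:-1].split()), mod, args
        else:
            yield SIMPLE[ctl], mod, args

def outcome(mod, args, uid, local, sss):
    """Assumed module results: pam_succeed_if is evaluated from its condition, the rest are inputs."""
    if mod == "pam_succeed_if.so":
        op, val = re.search(r"uid (=|<) (\d+)", args).groups()
        return "success" if (uid == int(val) if op == "=" else uid < int(val)) else "auth_err"
    if mod == "pam_localuser.so":
        return "success" if local else "user_unknown"
    return sss if mod == "pam_sss.so" else "success"   # pam_unix / pam_permit assumed to pass

def run_account(uid, local=False, sss="perm_denied"):
    """Walk su's account stack the way Linux-PAM does; return (result, module that settled it)."""
    status, settled_by = None, None
    for ctl, mod, args in parse("su"):
        act = ctl.get(outcome(mod, args, uid, local, sss), ctl.get("default", "bad"))
        if act in ("ok", "done") and status != "fail":
            status, settled_by = "success", mod
            if act == "done":           # sufficient ends the stack unless a required already failed
                return status, settled_by
        elif act in ("bad", "die"):
            if status != "fail":
                status, settled_by = "fail", mod
            if act == "die":
                return status, settled_by
    return status or "fail", settled_by
```

With uid 0 the first pam_succeed_if line settles the phase before system-auth is reached; with an ordinary IPA user it is pam_sss that settles it, unless an earlier sufficient line (pam_localuser for a local account) already returned success.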
