[Freeipa-users] hbac service allowed despite not listed
Jakub Hrozek
jhrozek at redhat.com
Tue Nov 24 10:36:25 UTC 2015
On Tue, Nov 24, 2015 at 11:10:11AM +0100, Winfried de Heiden wrote:
> Hi all,
>
> Running as an ordinary user, straight from the beginning.
>
> Is the (default) suid of /usr/bin/su causing this?
>
> Anyway: the info requested:
>
> /var/log/secure will tell:
> Nov 24 11:04:11 fedora23-server su: pam_systemd(su:session): Cannot create session: Already running in a session
> Nov 24 11:04:11 fedora23-server su: pam_unix(su:session): session opened for user root by testuser(uid=10005)
Interesting, there is not even an account message at all... not even an auth
message?
>
> The pam.d files are from a clean fresh Fedora 23 install and
> ipa-client-install afterwards:
>
> /etc/pam.d/su
> #%PAM-1.0
> auth sufficient pam_rootok.so
> # Uncomment the following line to implicitly trust users in the "wheel" group.
> #auth sufficient pam_wheel.so trust use_uid
> # Uncomment the following line to require a user to be in the "wheel" group.
> #auth required pam_wheel.so use_uid
> auth substack system-auth
> auth include postlogin
> account sufficient pam_succeed_if.so uid = 0 use_uid quiet
> account include system-auth
...yet clearly here su includes system-auth unless pam_succeed_if ran
(which should only happen if you ran su as root)
Just to be sure, can you comment out the pam_succeed_if.so line?
> password include system-auth
> session include system-auth
> session include postlogin
> session optional pam_xauth.so
>
> /etc/pam.d/postlogin
> #%PAM-1.0
> # This file is auto-generated.
> # User changes will be destroyed the next time authconfig is run.
> session [success=1 default=ignore] pam_succeed_if.so service !~ gdm* service !~ su* quiet
> session [default=1] pam_lastlog.so nowtmp silent
> session optional pam_lastlog.so silent noupdate showfailed
>
> /etc/pam.d/system-auth
> #%PAM-1.0
> # This file is auto-generated.
> # User changes will be destroyed the next time authconfig is run.
> auth required pam_env.so
> auth [default=1 success=ok] pam_localuser.so
> auth [success=done ignore=ignore default=die] pam_unix.so nullok try_first_pass
> auth requisite pam_succeed_if.so uid >= 1000 quiet_success
> auth sufficient pam_sss.so forward_pass
> auth required pam_deny.so
>
> account required pam_unix.so
> account sufficient pam_localuser.so
> account sufficient pam_succeed_if.so uid < 1000 quiet
> account [default=bad success=ok user_unknown=ignore] pam_sss.so
> account required pam_permit.so
>
> password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
> password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
> password sufficient pam_sss.so use_authtok
> password required pam_deny.so
>
> session optional pam_keyinit.so revoke
> session required pam_limits.so
> -session optional pam_systemd.so
> session optional pam_oddjob_mkhomedir.so umask=0077
> session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
> session required pam_unix.so
> session optional pam_sss.so
>
> On 24-11-15 at 10:37, Jakub Hrozek wrote:
>
> Are you running su as an ordinary user or root? What does appear in
> /var/log/secure when you run su ?
>
> Can you show what is the /etc/pam.d/su config and the config of the
> service that is included from /etc/pam.d/su ? (typically system-auth)
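To make the control-flag logic of the posted stack concrete, here is an added example (mine, not code from the thread, from FreeIPA or from SSSD): a toy evaluator for the account phase of the posted /etc/pam.d/su with its "account include system-auth" flattened in. It walks the stack with the Linux-PAM rules for required/requisite/sufficient/optional and the [value=action] form (jump actions are left out, as the account lines do not use them). The user database, the uids and the HBAC verdict are constructed; pam_unix and pam_sss are simplified stand-ins (pam_unix succeeds for any resolvable user, pam_sss returns the HBAC answer for IPA users and PAM_USER_UNKNOWN for anyone else). One detail that matters for reading the result: su starts PAM for the target user, so PAM_USER is the account being switched to, while use_uid makes pam_succeed_if look at the calling user instead.

```python
"""Toy evaluator for the account phase of the posted su PAM stack.

Added example, not from the thread, FreeIPA or SSSD. Control flags follow
pam.conf(5) (jump actions omitted); module behaviour is simplified and the
users, uids and HBAC verdict are constructed.
"""

# Constructed account database: name -> (uid, where the account comes from)
USERS = {"root": (0, "local"), "testuser": (10005, "ipa"), "alice": (10006, "ipa")}
LOCAL = {name for name, (_, src) in USERS.items() if src == "local"}

# Shortcut keywords expanded to the bracket form, as in pam.conf(5)
SHORTCUTS = {
    "required":   {"success": "ok",   "ignore": "ignore", "default": "bad"},
    "requisite":  {"success": "ok",   "ignore": "ignore", "default": "die"},
    "sufficient": {"success": "done", "default": "ignore"},
    "optional":   {"success": "ok",   "default": "ignore"},
}

# Only the pam_succeed_if operators that appear in the posted account lines
OPS = {"=": lambda a, b: a == int(b), "<": lambda a, b: a < int(b)}


def parse_stack(text):
    """Turn 'account <control> <module> [args]' lines into (actions, module, args)."""
    stack = []
    for line in text.strip().splitlines():
        parts = line.split()
        if not parts or parts[0] != "account":
            continue
        if parts[1].startswith("["):                     # [value=action ...] form
            end = next(i for i, p in enumerate(parts) if p.endswith("]"))
            spec = " ".join(parts[1:end + 1]).strip("[]")
            actions = dict(kv.split("=") for kv in spec.split())
            module, args = parts[end + 1], parts[end + 2:]
        else:                                            # shortcut keyword form
            actions, module, args = SHORTCUTS[parts[1]], parts[2], parts[3:]
        stack.append((actions, module, args))
    return stack


def succeed_if(ctx, args):
    """pam_succeed_if stand-in: 'field op value' triples tested against the target
    user, or against the calling user when use_uid is given."""
    subject = ctx["ruser"] if "use_uid" in args else ctx["user"]
    words = [a for a in args if a not in ("use_uid", "quiet", "quiet_success")]
    for field, op, value in zip(words[0::3], words[1::3], words[2::3]):
        left = USERS[subject][0] if field == "uid" else ctx["service"]
        if not OPS[op](left, value):
            return "auth_err"
    return "success"


def sss(ctx, args):
    """pam_sss stand-in: HBAC verdict for IPA users, PAM_USER_UNKNOWN otherwise."""
    if USERS[ctx["user"]][1] != "ipa":
        return "user_unknown"
    return "success" if ctx["hbac"](ctx) else "perm_denied"


MODULES = {
    "pam_succeed_if.so": succeed_if,
    "pam_sss.so": sss,
    "pam_localuser.so": lambda ctx, a: "success" if ctx["user"] in LOCAL else "perm_denied",
    # simplification: pam_unix account succeeds for any user NSS can resolve
    "pam_unix.so": lambda ctx, a: "success" if ctx["user"] in USERS else "user_unknown",
    "pam_permit.so": lambda ctx, a: "success",
    "pam_deny.so": lambda ctx, a: "perm_denied",
}


def run_account(stack, ctx):
    """Walk the stack like pam_dispatch(); return (verdict, modules consulted)."""
    impression, consulted = None, []
    for actions, module, args in stack:
        ret = MODULES[module](ctx, args)
        consulted.append(module)
        action = actions.get(ret, actions["default"])
        if action in ("ok", "done"):
            if impression != "neg":          # success never overrides an earlier failure
                impression = "pos"
            if action == "done" and impression == "pos":
                break                        # sufficient: stop with a positive answer
        elif action in ("bad", "die"):
            impression = "neg"               # a failure is final
            if action == "die":
                break                        # requisite: stop immediately
        # "ignore": the module's result does not count
    return ("allow" if impression == "pos" else "deny"), consulted


# Account phase of the posted /etc/pam.d/su with "account include system-auth"
# flattened in place; the lines are copied from the two posted files.
SU_ACCOUNT = """
account sufficient pam_succeed_if.so uid = 0 use_uid quiet
account required pam_unix.so
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 1000 quiet
account [default=bad success=ok user_unknown=ignore] pam_sss.so
account required pam_permit.so
"""


def su_check(ruser, user, hbac_allows):
    """Simulate `su <user>` run by <ruser>; su starts PAM for the target user, so
    PAM_USER is <user>. hbac_allows is the constructed HBAC verdict."""
    ctx = {"service": "su", "ruser": ruser, "user": user, "hbac": lambda c: hbac_allows}
    return run_account(parse_stack(SU_ACCOUNT), ctx)


if __name__ == "__main__":
    for ruser, user, hbac in [("testuser", "root", False), ("root", "testuser", False),
                              ("testuser", "alice", False), ("testuser", "alice", True)]:
        verdict, consulted = su_check(ruser, user, hbac)
        print(f"su {user} by {ruser}, HBAC would say {hbac}: {verdict}; consulted {consulted}")
```

Under these assumptions, `su root` run by testuser is settled by pam_localuser (and would be by the `uid < 1000` line even for a non-local target with a low uid) before pam_sss is reached, and `su` run by root is settled by the first `uid = 0 use_uid` line; only `su` to another IPA user gets as far as pam_sss, where an HBAC deny becomes the final answer because of `default=bad`. Commenting out the first pam_succeed_if line, as suggested above, changes the root case but not the testuser-to-root case.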