[Freeipa-users] hbac service allowed despite not listed
Winfried de Heiden
wdh at dds.nl
Tue Nov 24 14:32:07 UTC 2015
Hi all,
The problem is clear, there is a misunderstanding of the service "su"
and "su-l", this is about the target users. Hence; su - to user winfried
is allowed since su and su-l are added to the hbac service list of this
user.
This looks a bit strange from the ui perspective, all other HBAC
services are what this user is allow to do; "su" and "su-l" defines that
OTHER user may become this user by using su.
A bit strange, but this is how is works. Anyone disagree?
Winny
Op 24-11-15 om 14:04 schreef Jakub Hrozek:
> On Tue, Nov 24, 2015 at 12:58:42PM +0100, Winfried de Heiden wrote:
>> Hi all,
>>
>> [winfried at ipa ~]$ ipa hbacrule-show allow_all
>> Rule name: allow_all
>> User category: all
>> Host category: all
>> Service category: all
>> Description: Allow all users to access any host from any host
>> Enabled: FALSE
>>
>> [winfried at ipa ~]$ ipa hbacrule-show testuser
>> Rule name: testuser
>> Enabled: TRUE
>> Users: testuser
>> Hosts: fedora23-server.blabla.bla
>> Services: sshd
>>
>> [winfried at ipa ~]$ ipa user-show winfried
>> User login: winfried
>> First name: Winfried
>> Last name: de Heiden
>> Home directory: /home/winfried
>> Login shell: /bin/bash
>> etc. .etc.
>>
>> [winfried at ipa ~]$ ipa user-show testuser
>> User login: testuser
>> First name: test
>> Last name: user
>> Home directory: /home/testuser
>> Login shell: /bin/bash
>> Email address: testuser at blabla.bla
>> UID: 10005
>> GID: 10005
>> Account disabled: False
>> Password: True
>> Member of groups: ipausers
>> Member of HBAC rule: testuser
>> Kerberos keys available: True
>>
>>
>>
>> [[testuser at fedora23-server ~]$ su winfried
>> Wachtwoord:
>> [winfried at fedora23-server testuser]$ id
>> UID=10001(winfried) GID=10001(winfried)
>> groepen=10001(winfried),10000(admins),10003(linuxadmins),10004(linuxusers)
>> context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
>>
>> So yes, I can su to another IPA-user :(
>>
>> sssd_pam now shows information, but nothing seems to go wrong...
> I think you forgot to CC freeipa-users.
>
> In this case, can you look into /var/log/secure again and into the
> domain logs?
>
>> What's happening?
>>
>> Winny
>>
>> Op 24-11-15 om 11:43 schreef Jakub Hrozek:
>>> On Tue, Nov 24, 2015 at 11:10:11AM +0100, Winfried de Heiden wrote:
>>>> Hi all,
>>>>
>>>> Running as an ordinary user, straight from the beginning.
>>>>
>>>> Is the (default) suid of/usr/bin/su causing this?
>>>> Anyway: the info requested:
>>>>
>>>> /var/log/secure will tell:
>>>> Nov 24 11:04:11 fedora23-server su: pam_systemd(su:session): Cannot create
>>>> session: Already running in a session
>>>> Nov 24 11:04:11 fedora23-server su: pam_unix(su:session): session opened
>>>> for user root by testuser(uid=10005)
>>> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>>>
>>> Sorry, I missed this previously. So you're running "su -" as testuser
>>> right? That's not hitting SSSD, because the target user is root, so "su"
>>> would do:
>>> pam_start("su", "root", ...)
>>> pam_authenticate();
>>>
>>> So what you're seeing is expected. Try su-ing to testuser from another
>>> non-root user, it's going to fail.
More information about the Freeipa-users
mailing list