[Freeipa-users] hbac service allowed despite not listed

Winfried de Heiden wdh at dds.nl
Tue Nov 24 14:32:07 UTC 2015


Hi all,

The problem is clear: there was a misunderstanding of the services "su" 
and "su-l". These are about the target user. Hence, su - to user winfried 
is allowed since su and su-l are added to the HBAC service list of this 
user.

This looks a bit strange from the UI perspective: all other HBAC 
services are what this user is allowed to do; "su" and "su-l" define that 
OTHER users may become this user by using su.

A bit strange, but this is how it works. Anyone disagree?

Winny





On 24-11-15 at 14:04, Jakub Hrozek wrote:
> On Tue, Nov 24, 2015 at 12:58:42PM +0100, Winfried de Heiden wrote:
>> Hi all,
>>
>> [winfried at ipa ~]$ ipa hbacrule-show allow_all
>>    Rule name: allow_all
>>    User category: all
>>    Host category: all
>>    Service category: all
>>    Description: Allow all users to access any host from any host
>>    Enabled: FALSE
>>
>> [winfried at ipa ~]$ ipa hbacrule-show testuser
>>    Rule name: testuser
>>    Enabled: TRUE
>>    Users: testuser
>>    Hosts: fedora23-server.blabla.bla
>>    Services: sshd
>>
>> [winfried at ipa ~]$ ipa user-show winfried
>>    User login: winfried
>>    First name: Winfried
>>    Last name: de Heiden
>>    Home directory: /home/winfried
>>    Login shell: /bin/bash
>> etc. .etc.
>>
>> [winfried at ipa ~]$ ipa user-show testuser
>>    User login: testuser
>>    First name: test
>>    Last name: user
>>    Home directory: /home/testuser
>>    Login shell: /bin/bash
>>    Email address: testuser at blabla.bla
>>    UID: 10005
>>    GID: 10005
>>    Account disabled: False
>>    Password: True
>>    Member of groups: ipausers
>>    Member of HBAC rule: testuser
>>    Kerberos keys available: True
>>
>>
>>
>> [testuser at fedora23-server ~]$ su winfried
>> Password:
>> [winfried at fedora23-server testuser]$ id
>> UID=10001(winfried) GID=10001(winfried)
>> groups=10001(winfried),10000(admins),10003(linuxadmins),10004(linuxusers)
>> context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
>>
>> So yes, I can su to another IPA-user :(
>>
>> sssd_pam now shows information, but nothing seems to go wrong...
> I think you forgot to CC freeipa-users.
>
> In this case, can you look into /var/log/secure again and into the
> domain logs?
>
>> What's happening?
>>
>> Winny
>>
>> On 24-11-15 at 11:43, Jakub Hrozek wrote:
>>> On Tue, Nov 24, 2015 at 11:10:11AM +0100, Winfried de Heiden wrote:
>>>>     Hi all,
>>>>
>>>>     Running as an ordinary user, straight from the beginning.
>>>>
>>>>     Is the (default) suid of /usr/bin/su causing this?
>>>>     Anyway: the info requested:
>>>>
>>>>     /var/log/secure will tell:
>>>>     Nov 24 11:04:11 fedora23-server su: pam_systemd(su:session): Cannot create
>>>>     session: Already running in a session
>>>>     Nov 24 11:04:11 fedora23-server su: pam_unix(su:session): session opened
>>>>     for user root by testuser(uid=10005)
>>>           ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>>>
>>> Sorry, I missed this previously. So you're running "su -" as testuser
>>> right? That's not hitting SSSD, because the target user is root, so "su"
>>> would do:
>>>      pam_start("su", "root", ...)
>>>      pam_authenticate();
>>>
>>> So what you're seeing is expected. Try su-ing to testuser from another
>>> non-root user, it's going to fail.
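The point made in the thread, namely that su hands PAM the *target* user, so SSSD evaluates HBAC for the account being switched to (and never gets involved when the target is a local account such as root), is easy to model. The following is an added example, not FreeIPA or SSSD code: a toy HBAC evaluator loaded with the two rules printed above plus an assumed rule "winfried_su" standing in for the su/su-l services Winfried says he added for his own account (the thread does not print that rule). Groups, host groups and service groups are left out; on a real server the equivalent check is `ipa hbactest --user=... --host=... --service=su-l`.

```python
"""Toy model of which (user, host, service) triple su presents to SSSD HBAC.

Added example, not FreeIPA/SSSD code. Rule names, users and the host come from
the thread; 'winfried_su' is an assumption (Winfried describes adding su and
su-l for his account but the rule itself is not shown). Groups and nesting
are omitted; use 'ipa hbactest' against a real server for authoritative answers.
"""
from __future__ import annotations

from dataclasses import dataclass

# Accounts IPA knows about in the thread; root is local and is never looked up in SSSD.
IPA_USERS = {"winfried", "testuser"}
HOST = "fedora23-server.blabla.bla"


@dataclass(frozen=True)
class HbacRule:
    """One HBAC rule as 'ipa hbacrule-show' prints it (category 'all' or explicit members)."""
    name: str
    enabled: bool = True
    users: frozenset = frozenset()
    hosts: frozenset = frozenset()
    services: frozenset = frozenset()
    user_category_all: bool = False
    host_category_all: bool = False
    service_category_all: bool = False

    def matches(self, user: str, host: str, service: str) -> bool:
        if not self.enabled:  # 'Enabled: FALSE' rules (allow_all here) never match
            return False
        return ((self.user_category_all or user in self.users)
                and (self.host_category_all or host in self.hosts)
                and (self.service_category_all or service in self.services))


RULES = [
    # printed in the thread: disabled, so it grants nothing
    HbacRule("allow_all", enabled=False, user_category_all=True,
             host_category_all=True, service_category_all=True),
    # printed in the thread: testuser may log in over sshd on this host only
    HbacRule("testuser", users=frozenset({"testuser"}),
             hosts=frozenset({HOST}), services=frozenset({"sshd"})),
    # ASSUMED rule: the su/su-l entries Winfried says he added for his own account
    HbacRule("winfried_su", users=frozenset({"winfried"}),
             hosts=frozenset({HOST}), services=frozenset({"su", "su-l"})),
]


def hbac_allowed(user: str, host: str, service: str) -> tuple[bool, str]:
    """HBAC is allow-only: access is granted iff at least one enabled rule matches."""
    for rule in RULES:
        if rule.matches(user, host, service):
            return True, f"matched rule {rule.name!r}"
    return False, "no enabled HBAC rule matched"


def su_decision(calling_user: str, target_user: str, host: str,
                login_shell: bool = False) -> tuple[str, str]:
    """Model pam_start('su' or 'su-l', target_user) as su performs it.

    Returns ('not-hbac' | 'allow' | 'deny', reason). The calling user is not part
    of the HBAC lookup at all: SSSD sees only the target user, the host and the
    PAM service name. A local target (root) is handled by pam_unix and SSSD is
    never consulted, which is the case Jakub explains above.
    """
    service = "su-l" if login_shell else "su"
    if target_user not in IPA_USERS:
        return "not-hbac", (f"{target_user!r} is a local account; pam_unix decides, "
                            f"HBAC is not evaluated (caller {calling_user!r} irrelevant)")
    ok, why = hbac_allowed(target_user, host, service)
    return ("allow" if ok else "deny"), f"HBAC({target_user!r}, {host!r}, {service!r}): {why}"


if __name__ == "__main__":
    for args in [("testuser", "root", HOST, True),
                 ("testuser", "winfried", HOST, True),
                 ("winfried", "testuser", HOST, False),
                 ("testuser", "winfried", "other.blabla.bla", False)]:
        print(args[:3], "->", *su_decision(*args))
```

Reading the results the way the thread does: su - to root from testuser never reaches SSSD, su to winfried succeeds because winfried's own rule lists su/su-l, and su to testuser fails from any non-root caller because testuser's rule only grants sshd. Whoever the caller is makes no difference to the lookup; only the target user's rules do.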



