[Freeipa-users] sudo runs despite being denied by HBAC rules

[Ian Collier]

I wrote...
> Can anyone help me to understand these logs... is there maybe a bug here?

> The basic situation is that there is no HBAC rule that would allow
> sudo.  When people try it, sss accepts their password but then denies
> them access to the sudo command.  But despite this, our logs still
> contain some entries indicating that sudo was actually run. Of course
> the sudoers file then denied them access and sent the sysadmin an
> email.

It turns out I am misinterpreting the logs.  And because the sudoers
file would normally allow me access, testing it with my own account
didn't yield the same results.

Essentially, if sudoers would deny access then it seems that sudo will
log and email the sysadmin even if the user failed to supply a correct
password.

So there isn't a problem here after all.  The user is being told their
password was incorrect and sudo goes no further.  But the email that the
sysadmin receives is the same regardless of whether sudo accepted their
password.

If I try with my account, sudo tells me my password is incorrect but
doesn't email the sysadmin, and it writes "3 incorrect password attempts"
into the log instead of "user NOT in sudoers".  Anyway, now I've added
an HBAC rule that allows the system staff (but not general users) to
run sudo, and this is working too.

Sorry for the false alarm.

Ian Collier.