[Freeipa-users] Creating another sudo rules full
Dewangga Bachrul Alam
dewanggaba at xtremenitro.org
Fri Apr 28 14:01:04 UTC 2017
Hello!
On 04/28/2017 07:26 PM, Jason B. Nance wrote:
> Hi Dewangga,
>
>> [root at idm ~]# ipa sudorule-show sudo_rules_rekanalar
>>   Rule name: sudo_rules_rekanalar
>>   Enabled: TRUE
>>   Command category: all
>>   RunAs User category: all
>>   RunAs Group category: all
>>   User Groups: rekanalar
>>   Host Groups: rekanalarservers
>>   Sudo Option: !authenticate
>>
>> ## Client
>> [user at server02-v2 ~]$ sudo -l
>> [sudo] password for user:
>
> The rule in your example above only matches users in the group
> "rekanalar" on servers in the host group "rekanalarservers". Is
> the user "user" in your example in that group and is the host
> "server02-v2" in your example in that host group?

Yes, usergroup `rekanalar` contains `user`, and `server02-v2` is a member
of the `rekanalarservers` host group. But if I assign `user` to usergroup
`admins`, they can do sudo as root.

The goal is that members of usergroup `rekanalar` can do all sudo commands
in hostgroup `rekanalarservers` only.

[root at idm ~]# ipa user-show xxx
User login: xxx
First name: xxx
Last name: [removed]
Home directory: /home/xxx
Login shell: /bin/bash
Principal name: xxx at REALM
Principal alias: xxx at REALM
Email address: [REMOVED]
UID: 1107600016
GID: 1107600016
Job Title: Rekanalar Director
SSH public key fingerprint: 51:23:68:4B:BC:17:56:11:50:E1:72:B5:0C:00:B7:B6 xxx (ssh-rsa)
Account disabled: False
Password: False
Member of groups: rekanalar
Indirect Member of Sudo rule: sudo_rules_rekanalar
Kerberos keys available: False
[root at idm ~]# ipa group-show rekanalar
Group name: rekanalar
GID: 1107600017
Member users: xxx
Member of Sudo rule: sudo_rules_rekanalar

Am I missing something?
>
> Regards,
>
> j
>