On 21/09/2023 18.21, Nathanaƫl Blanchet via FreeIPA-users wrote:
Hello,
I don't want my users to become root with simply executing the 'sudo
-i' command so they can execute all root commands. Users should only
execute with sudo the allowed defined commands.
I'm able to prevent them from executing 'sudo su -', but I didn't find
any informations about forbidding 'sudo -i'.
You can limit which commands a user can execute, the hosts, and target
user/group with sudo rules and HBAC rules:
- https://freeipa.readthedocs.io/en/latest/workshop/8-sudorule.html
-
https://access.redhat.com/documentation/de-de/red_hat_enterprise_linux/8/html/configuring_and_managing_identity_management/granting-sudo-access-to-an-idm-user-on-an-idm-client_configuring-and-managing-idm
The restrictions also allow you to block sudo -i and su -i either with a
custom HBAC rule (you need to disable the default allowed_all rule) or
with additional allow/deny commands for your sudo rule. "sudo -i" is
just an alias for "run user's default shell as login shell". You could
block all login shells. If you want a more secure rule, then only allow
a well-defined list of commands and arguments.
Example:
$ sudo -i
Sorry, user testuser is not allowed to execute '/bin/bash' as root on
client.ipa.example.
$ sudo -l
Matching Defaults entries for testuser on client:
!visiblepw, always_set_home, match_group_by_gid,
always_query_group_plugin, env_reset, env_keep="COLORS DISPLAY HOSTNAME
HISTSIZE KDEDIR LS_COLORS",
env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE",
env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES",
env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE",
env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY",
secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin
User testuser may run the following commands on client:
(ALL : ALL) NOPASSWD: !/usr/bin/zsh, !/usr/bin/sudo, !/usr/bin/su,
!/usr/bin/sh, !/usr/bin/ksh, !/usr/bin/bash
$ ipa sudorule-show example-sudo
Rule name: example-sudo
Enabled: True
RunAs User category: all
RunAs Group category: all
Users: testuser
Host Groups: example-hosts
Sudo Deny Command Groups: shells_sudo
Sudo Option: !authenticate
$ ipa sudocmdgroup-show shells_sudo
Sudo Command Group: shells_sudo
Member Sudo commands: /usr/bin/bash, /usr/bin/ksh, /usr/bin/sh,
/usr/bin/su, /usr/bin/sudo, /usr/bin/zsh
--
Christian Heimes
Principal Software Engineer, Identity Management and Platform Security
Red Hat GmbH, https://de.redhat.com/ , Registered seat: Grasbrunn,
Commercial register: Amtsgericht Muenchen, HRB 153243,
Managing Directors: Charles Cachera, Brian Klemm, Laurie Krebs, Michael
O'Neill
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
Do not reply to spam, report it:
https://pagure.io/fedora-infrastructure/new_issue