On 21.09.23 19:17, Rob Crittenden via FreeIPA-users wrote:
> HBAC can do this better. HBAC controls who is allowed to use PAM services. sudo-i is a PAM service. It is allowed now, I'm assuming, because you have the HBAC allow_all rule enabled. If you disable or delete it then nobody will do anything so be careful. Everything, including ssh, is denied by default without this rule.

So with HBAC I'm able to let a user run 'vim /etc/fstab' and prevent him from escaping and starting a shell?
That's great! I should try to look into it.

Best regards
Ulf