Ulf Volmer via FreeIPA-users wrote: > On 21.09.23 19:17, Rob Crittenden via FreeIPA-users wrote: > >> HBAC can do this better. >> HBAC controls who is allowed to use PAM services. sudo-i is a PAM >> service. It is allowed now, I'm assuming, because you have the HBAC >> allow_all rule enabled. >> >> If you disable or delete it then nobody will do anything so be careful. >> Everything, including ssh, is denied by default without this rule. > > > So with HBAC I'm able to let a user to run 'vim /etc/fstab' and prevent > him from escaping and start a shell? > > That's great! I should try to look into it.
Not really. If you allow sudo to be executed then you're back to the same issues. What the original poster ask for was a way to not allow users to run sudo-i. That is possible with HBAC. rob _______________________________________________ FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue