On 21/09/2023 18:30, Ulf Volmer via FreeIPA-users wrote:
> On 21.09.23 19:17, Rob Crittenden via FreeIPA-users wrote:
>
>> HBAC can do this better.
>> HBAC controls who is allowed to use PAM services. sudo-i is a PAM
>> service. It is allowed now, I'm assuming, because you have the HBAC
>> allow_all rule enabled.
>>
>> If you disable or delete it then nobody will do anything so be careful.
>> Everything, including ssh, is denied by default without this rule.
>
> So with HBAC I'm able to let a user run 'vim /etc/fstab' and prevent him from escaping and starting a shell?

No, HBAC controls whether a user can use the 'sudo' and/or 'sudo-i' PAM services.

If a user can use the 'sudo' PAM service then they are able to launch sudo with a command line of their choice. sudo rules then determine whether sudo will accept or reject that command line.

If the sudo rules let the user run 'vim' then it's game over. Same applies for most other programs unless proven safe!

The sudo-users mailing list <https://www.sudo.ws/mailman/listinfo/sudo-users> is probably a good place to ask for help with writing sudo rules.

One tool you have is the 'sudoedit' command. This lets you allow a user to edit files without running their editor as root.

However you still have to think very carefully about which files they're able to edit!

For instance, if you let them edit /etc/fstab then they can create a filesystem image containing a setuid executable, and then allow themselves to mount it by adding an fstab entry with the 'user' option...

--
Sam Morris <https://robots.org.uk/>
PGP: rsa4096/CAAA AA1A CA69 A83A 892B  1855 D20B 4202 5CDA 27B9
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org