On Thu, 23 Oct 2014, Orkhan Gasimov wrote:
And another interesting behaviour.
Say a user "netuser" is a member of a user group "netstaff",
and a host "bsd.example.com" is a member of a host group "nethosts".
We then create an HBAC rule "netstaff_to_nethosts":
Who: User Groups -> netstaff -- Accessing: Host Groups -> nethosts --
Via Service: Specified Services and Groups -> sshd
Here you are allowing only sshd service for use.
And we create a SUDO rule "test":
Who: Specified Users and Groups -> netuser -- Access this host:
bsd.example.com -- Run Commands: Any Command
Expected result is this: user "netuser" should be able to SSH to host
"bsd.example.com" and successfully issue the command "sudo shutdown -r
now".
What happens instead: user "netuser" is able to SSH to host
"bsd.example.com", but issuing the command "sudo shutdown -r now"
produces this output (password is entered correctly):
$ shutdown -r now
Password:
Ying Tong Iddle I Po
Password:
Do you think like you type?
Password:
Have you considered trying to match wits with a rutabaga?
This is funny, and you can continue trying sudo and getting funny
outputs; but the only way for the command to work properly is to
change the HBAC rule:
Who: User Groups -> netstaff -- Accessing: Host Groups -> nethosts --
Via Service: Specified Services and Groups -> ANY SERVICE
Is this the correct behavior? I don't remember anything like this in
FreeIPA 3.3.
Yes. The behaviour did not change since may be FreeIPA 2.0.
sudo does authenticate and authorize user first via PAM stack and then applies
own
ruleset. So HBAC rules get applied here and since you don't have
allow_all rule that would allow any user to access any service on any
host, you get denial.
Instead of using only sshd service in HBAC rule, make a service group
and add both sshd and sudo there.
Alternatively you can add multiple HBAC rules, one for sshd, one for
sudo.
--
/ Alexander Bokovoy
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project
