From: freeipa-users-boun...@redhat.com [mailto:freeipa-users-boun...@redhat.com] On Behalf Of Craig White Sent: Wednesday, April 08, 2015 4:53 PM To: freeipa-users@redhat.com Subject: [Freeipa-users] granular sudo commands
rpm -q sssd sssd-1.11.6-30.el6_6.4.x86_64 rpm -q ipa-client ipa-client-3.0.0-42.el6.x86_64 [test2.user@app001 ~]$ sudo su - weblogic [sudo] password for test2.user: Sorry, user test2.user is not allowed to execute '/bin/su - weblogic' as root on app001.stt.local. [test2.user@app001 ~]$ sudo -l [sudo] password for test2.user: Matching Defaults entries for test2.user on this host: requiretty, !visiblepw, always_set_home, env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS", env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY", secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin, !requiretty User test2.user may run the following commands on this host: (ALL) sudo su - tomcat, sudo su - weblogic How should the actual command be entered? I have tried... Su - weblogic (ignore autocapitilization) /bin/su - weblogic Sudo su - weblogic Sudo /bin/su - weblogic But none seem to actually work Answering my own question - really complicated testing because sss_cache has no way of clearing cached sudo rules in the version I am using, I found that keeping a root shell on the test system and... rm /var/lib/sss/db/cache*.ldb And Restarting sssd Allowed me to actually change rules for testing purposes. /bin/su - weblogic Was the rule that actually worked
-- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project