[Freeipa-users] Re: sudo Problem on AIX

2023-10-12 Thread Ulf Volmer via FreeIPA-users

On 12.10.23 09:57, Ronald Wimmer via FreeIPA-users wrote:
> We do have two users with the same name. One exists locally. The other
> one comes from IPA.
>
> The problem is that the sudo rules also show up for the local user.
>
> I know you do not officially support AIX... but would there probably be
> a solution apart from naming these two users differently?


I don't think that this can be solved on the FreeIPA side.
And also on AIX it is difficult. You can look with lsuser for the
registry attribute, but I don't know of any way to use this in sudo rules.


In general I would say: try to avoid those naming conflicts.

Best regards
Ulf

___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue


[Freeipa-users] Re: prevent 'sudo -i ' from executing

2023-09-21 Thread Ulf Volmer via FreeIPA-users

On 21.09.23 20:14, Rob Crittenden via FreeIPA-users wrote:

> Ulf Volmer via FreeIPA-users wrote:
>
>> So with HBAC I'm able to let a user run 'vim /etc/fstab' and prevent
>> him from escaping and starting a shell?
>>
>> That's great! I should try to look into it.
>
> Not really. If you allow sudo to be executed then you're back to the
> same issues. What the original poster asked for was a way to not allow
> users to run sudo-i. That is possible with HBAC.



In this case maybe the OP asked the wrong question.

I assumed he didn't want to disallow only 'sudo -i'; I thought he wanted
to disable all shell access, so 'sudo bash' and so on. But maybe I was
wrong.



Best regards

Ulf



[Freeipa-users] Re: prevent 'sudo -i ' from executing

2023-09-21 Thread Ulf Volmer via FreeIPA-users

On 21.09.23 19:17, Rob Crittenden via FreeIPA-users wrote:


> HBAC can do this better.
> HBAC controls who is allowed to use PAM services. sudo-i is a PAM
> service. It is allowed now, I'm assuming, because you have the HBAC
> allow_all rule enabled.
>
> If you disable or delete it then nobody will do anything so be careful.
> Everything, including ssh, is denied by default without this rule.



So with HBAC I'm able to let a user run 'vim /etc/fstab' and prevent
him from escaping and starting a shell?


That's great! I should try to look into it.


Best regards

Ulf

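Rob's description of HBAC above, modelled as a small Python evaluator so the effect of the allow_all rule can be checked offline. This is an added example, not FreeIPA or SSSD code; it omits group and hostgroup expansion, service groups and time rules, and the user, host and rule names are constructed.

```python
"""Toy model of FreeIPA HBAC evaluation (added example; not FreeIPA or SSSD
code, and it omits group/hostgroup expansion, service groups and time rules).
HBAC rules are allow-only: a PAM request (user, host, service) is permitted
when at least one enabled rule matches all three, otherwise it is denied.
Rule, user and host names below are constructed for the demo."""
from dataclasses import dataclass

ALL = "all"   # stands for usercategory/hostcategory/servicecategory = all


@dataclass
class HbacRule:
    name: str
    users: object = ALL      # set of user names, or ALL
    hosts: object = ALL      # set of host names, or ALL
    services: object = ALL   # set of PAM service names, or ALL
    enabled: bool = True


def _member_of(item: str, members) -> bool:
    return members == ALL or item in members


def hbac_allowed(rules, user, host, service):
    """Names of enabled rules that permit the request; [] means deny
    (the same verdict 'ipa hbactest --user --host --service' would report)."""
    return [r.name for r in rules
            if r.enabled and _member_of(user, r.users)
            and _member_of(host, r.hosts) and _member_of(service, r.services)]


def demo():
    allow_all = HbacRule("allow_all")   # FreeIPA's default rule
    rules = [allow_all]
    # With allow_all enabled, 'sudo -i' (PAM service sudo-i) is permitted.
    before = hbac_allowed(rules, "alice", "web1.example.test", "sudo-i")
    # Disabling allow_all denies everything not covered by another rule.
    allow_all.enabled = False
    rules.append(HbacRule("sudo_only", users={"alice"},
                          hosts={"web1.example.test"}, services={"sudo"}))
    sudo_i = hbac_allowed(rules, "alice", "web1.example.test", "sudo-i")  # denied
    sudo = hbac_allowed(rules, "alice", "web1.example.test", "sudo")      # allowed
    # Rob's caveat: without an sshd rule the user is now locked out of ssh.
    ssh = hbac_allowed(rules, "alice", "web1.example.test", "sshd")
    rules.append(HbacRule("ssh_access", users={"alice"},
                          hosts={"web1.example.test"}, services={"sshd"}))
    ssh_after = hbac_allowed(rules, "alice", "web1.example.test", "sshd")
    return before, sudo_i, sudo, ssh, ssh_after
```

Allowing the plain `sudo` service only decides who may invoke sudo at all; which commands they get is still decided by the sudo rules, which is why the allow-list advice in the rest of the thread still applies.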


[Freeipa-users] Re: prevent 'sudo -i ' from executing

2023-09-21 Thread Ulf Volmer via FreeIPA-users

On 21.09.23 18:21, Nathanaël Blanchet via FreeIPA-users wrote:


> I don't want my users to become root by simply executing the 'sudo
> -i' command so they can execute all root commands. Users should only
> execute with sudo the allowed defined commands.
> I'm able to prevent them from executing 'sudo su -', but I didn't find
> any information about forbidding 'sudo -i'.


There is no good solution for that.

You can try something like

username ALL=(ALL)  ALL, !/usr/bin/bash, !/usr/bin/vi

But you have to specify all dangerous commands like vi, strace and so on.
So please avoid this. To be safe, you have to define a whitelist of
commands. Or to trust your users.


Best regards
Ulf


[Freeipa-users] Re: Get running FreeIPA in Docker in Docker

2023-09-20 Thread Ulf Volmer via FreeIPA-users

On 20.09.23 09:05, Jay Smith via FreeIPA-users wrote:

> For a test setup I try to get a FreeIPA server running within a docker
> container (DinD).
> But I get some errors and I don't know why.
>
> 1. Create docker in docker container
> => docker run --privileged -itd --name docker_swarm -v /sys/fs/cgroup:/sys/fs/cgroup docker
>
> 2. Connect to docker container and run the FreeIPA server
> => docker exec -it docker_swarm \
>   sh -c "docker run --sysctl net.ipv6.conf.all.disable_ipv6=0 --privileged=true --name ipa -ti -h ipa.example.test --cgroupns=host \
>   -v /sys/fs/cgroup:/sys/fs/cgroup:rw -v /tmp/freeipa-data:/data freeipa/freeipa-server:fedora-38-4.10.2 --skip-mem-check --no-ntp"
>
> The error I get is:
> docker: Error response from daemon: failed to create task for container: failed to create shim task: OCI runtime create failed: runc create failed: unable to start container process: unable to apply cgroup configuration: failed to write 670: write /sys/fs/cgroup/docker/3c2cc48a075d3f62143d70718aefe4c55938e4332262894e67f31328eaa5a006/cgroup.procs: no such file or directory: unknown.
> ERRO[0038] error waiting for container:


From my knowledge:

* We have cgroups v2 nowadays, please remove the volume /sys/fs/cgroup 
(from both commands)

* you need cgroup nesting, please read the link below:

https://github.com/containerd/containerd/issues/6659

Best regards
Ulf
