From: freeipa-users-boun...@redhat.com
[mailto:freeipa-users-boun...@redhat.com] On Behalf Of Craig White
Sent: Wednesday, April 08, 2015 4:53 PM
To: freeipa-users@redhat.com
Subject: [Freeipa-users] granular sudo commands
rpm -q sssd
sssd-1.11.6-30.el6_6.4.x86_64
rpm -q ipa-client
ipa-client-3.0.0-42.el6.x86_64
[test2.user@app001 ~]$ sudo su - weblogic
[sudo] password for test2.user:
Sorry, user test2.user is not allowed to execute '/bin/su - weblogic' as root
on app001.stt.local.
[test2.user@app001 ~]$ sudo -l
[sudo] password for test2.user:
Matching Defaults entries for test2.user on this host:
requiretty, !visiblepw, always_set_home, env_reset, env_keep="COLORS
DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS", env_keep+="MAIL PS1
PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE
LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY
LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL
LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY",
secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin, !requiretty
User test2.user may run the following commands on this host:
(ALL) sudo su - tomcat, sudo su - weblogic
How should the actual command be entered? I have tried...
Su - weblogic (ignore autocapitilization)
/bin/su - weblogic
Sudo su - weblogic
Sudo /bin/su - weblogic
But none seem to actually work
Answering my own question - really complicated testing because sss_cache has no
way of clearing cached sudo rules in the version I am using, I found that
keeping a root shell on the test system and...
rm /var/lib/sss/db/cache*.ldb
And
Restarting sssd
Allowed me to actually change rules for testing purposes.
/bin/su - weblogic
Was the rule that actually worked
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project