[Freeipa-users] Creating another sudo rules full
Dewangga Bachrul Alam
2017-04-28 02:05:27 UTC
Hello!

Is it possible to create another sudo rule that is the same as
sudo_rule_full or admin privileges, meaning that the user can run
`sudo su -` without a password?

I've created a similar rule, but no luck.

[***@idm ~]# ipa sudorule-show sudo_rules_rekanalar
Rule name: sudo_rules_rekanalar
Enabled: TRUE
Command category: all
RunAs User category: all
RunAs Group category: all
User Groups: rekanalar
Host Groups: rekanalarservers
Sudo Option: !authenticate

## Client
[***@server02-v2 ~]$ sudo -l
[sudo] password for user:

But if I change/add the user to the group admins, it succeeds and can invoke
the `sudo su -` command without a password.

Any help is appreciated.
Many thanks
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
Jason B. Nance
2017-04-28 12:26:23 UTC
Hi Dewangga,
Post by Dewangga Bachrul Alam
Rule name: sudo_rules_rekanalar
Enabled: TRUE
Command category: all
RunAs User category: all
RunAs Group category: all
User Groups: rekanalar
Host Groups: rekanalarservers
Sudo Option: !authenticate
## Client
The rule in your example above only matches users in the group "rekanalar" on servers in the host group "rekanalarservers". Is the user "user" in your example in that group and is the host "server02-v2" in your example in that host group?

Regards,

j
Dewangga Bachrul Alam
2017-04-28 14:01:04 UTC
Hello!
Post by Jason B. Nance
Hi Dewangga,
Rule name: sudo_rules_rekanalar
Enabled: TRUE
Command category: all
RunAs User category: all
RunAs Group category: all
User Groups: rekanalar
Host Groups: rekanalarservers
Sudo Option: !authenticate
The rule in your example above only matches users in the group
"rekanalar" on servers in the host group "rekanalarservers". Is
the user "user" in your example in that group and is the host
"server02-v2" in your example in that host group?
Yes, usergroup `rekanalar` contains `user`, and `server02-v2` is a member
of the `rekanalarservers` host group. But if I assign `user` to usergroup
`admins`, they can do sudo as root.

The goal is that members of usergroup `rekanalar` can run all sudo commands
in hostgroup `rekanalarservers` only.

[***@idm ~]# ipa user-show xxx
User login: xxx
First name: xxx
Last name: [removed]
Home directory: /home/xxx
Login shell: /bin/bash
Principal name: ***@REALM
Principal alias: ***@REALM
Email address: [REMOVED]
UID: 1107600016
GID: 1107600016
Job Title: Rekanalar Director
SSH public key fingerprint:
51:23:68:4B:BC:17:56:11:50:E1:72:B5:0C:00:B7:B6
xxx (ssh-rsa)
Account disabled: False
Password: False
Member of groups: rekanalar
Indirect Member of Sudo rule: sudo_rules_rekanalar
Kerberos keys available: False

[***@idm ~]# ipa group-show rekanalar
Group name: rekanalar
GID: 1107600017
Member users: xxx
Member of Sudo rule: sudo_rules_rekanalar

Am I missing something?
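The thread establishes that the rule, the group and the host group all look right on the IdM server, which leaves the client side of the lookup as the remaining place to check: when `sudo -l` still prompts for a password, sudo on that host is usually not consulting SSSD for sudoers at all (so the rule, including its `!authenticate` option, is never seen), or is serving a stale cached copy. The script below is an added example written for this thread, not code from the posters or from the FreeIPA project. It assumes the client was set up the usual way by ipa-client-install, with SSSD as the sudoers source, and it checks the two files that wiring lives in. All configuration snippets it creates are constructed samples; the rule text is the one shown in the thread, and the domain name example.test is a placeholder.

```shell
#!/bin/sh
# Added example, not code from the thread or the FreeIPA project.
# Client-side checks for a FreeIPA sudo rule that looks right on the server
# (like sudo_rules_rekanalar above, with the !authenticate option) but is
# not honoured on the client. Assumes the client uses SSSD as its sudoers
# source, which is what ipa-client-install configures. Every config snippet
# below is a constructed sample; the default paths are the usual locations.

# Does nsswitch.conf send sudoers lookups to SSSD? Without "sss" on the
# sudoers line, sudo only reads /etc/sudoers and never sees IPA rules.
nsswitch_has_sss() {
    conf="${1:-/etc/nsswitch.conf}"
    [ -r "$conf" ] || return 1
    grep -E '^[[:space:]]*sudoers:' "$conf" | grep -qw sss
}

# Is the sudo responder listed in sssd.conf's [sssd] section? Older SSSD
# releases require "sudo" in "services ="; newer ones can socket-activate it,
# so a miss here is a warning rather than a hard failure.
sssd_lists_sudo_service() {
    conf="${1:-/etc/sssd/sssd.conf}"
    [ -r "$conf" ] || return 1
    grep -E '^[[:space:]]*services[[:space:]]*=' "$conf" | grep -qw sudo
}

# Has the domain section explicitly switched the sudo provider off?
sssd_sudo_provider_disabled() {
    conf="${1:-/etc/sssd/sssd.conf}"
    [ -r "$conf" ] || return 1
    grep -Eq '^[[:space:]]*sudo_provider[[:space:]]*=[[:space:]]*none' "$conf"
}

# Server side: given saved "ipa sudorule-show <rule>" output, confirm the
# rule is enabled and carries !authenticate (the part that drops the
# password prompt). Returns 0 only when both hold.
rule_is_passwordless() {
    out="$1"
    [ -r "$out" ] || return 1
    grep -Eq '^[[:space:]]*Enabled:[[:space:]]*TRUE' "$out" || return 1
    grep -Eq '^[[:space:]]*Sudo Option:.*!authenticate' "$out"
}

# Run the client checks against the given files and print a verdict each.
# Returns 0 only when the client is wired to consult SSSD for sudoers.
client_sudo_checks() {
    nss="$1"; sssd="$2"; ok=0
    if nsswitch_has_sss "$nss"; then echo "ok   nsswitch.conf: sudoers -> sss"
    else echo "FAIL nsswitch.conf: add 'sudoers: files sss'"; ok=1; fi
    if sssd_lists_sudo_service "$sssd"; then echo "ok   sssd.conf: sudo responder listed"
    else echo "warn sssd.conf: 'sudo' not in services (fine if socket-activated)"; fi
    if sssd_sudo_provider_disabled "$sssd"; then echo "FAIL sssd.conf: sudo_provider = none"; ok=1
    else echo "ok   sssd.conf: sudo provider not disabled"; fi
    return $ok
}

# Constructed samples: the thread's rule plus one healthy and one broken client.
demo() {
    d=$(mktemp -d)
    cat > "$d/rule.txt" <<'EOF'
  Rule name: sudo_rules_rekanalar
  Enabled: TRUE
  Command category: all
  RunAs User category: all
  RunAs Group category: all
  User Groups: rekanalar
  Host Groups: rekanalarservers
  Sudo Option: !authenticate
EOF
    printf 'passwd:  files sss\nsudoers: files sss\n' > "$d/nss_good"
    printf 'passwd:  files sss\nsudoers: files\n'     > "$d/nss_bad"
    printf '[sssd]\nservices = nss, pam, ssh, sudo\n[domain/example.test]\nsudo_provider = ipa\n' > "$d/sssd_good"
    printf '[sssd]\nservices = nss, pam\n[domain/example.test]\nsudo_provider = none\n' > "$d/sssd_bad"

    echo "# server-side rule:"
    rule_is_passwordless "$d/rule.txt" && echo "ok   rule enabled with !authenticate"
    echo "# client with SSSD sudo wired up:"
    client_sudo_checks "$d/nss_good" "$d/sssd_good"
    echo "# client missing the sudoers wiring:"
    client_sudo_checks "$d/nss_bad" "$d/sssd_bad" || true
    rm -rf "$d"
}
demo

# After correcting the client, refresh and re-test rather than guessing:
#   systemctl restart sssd && sss_cache -E   # drop cached, possibly stale, rules
#   sudo -l                                  # should now list the rule with no password prompt
```

On a real host, run the checks against the live files (`client_sudo_checks /etc/nsswitch.conf /etc/sssd/sssd.conf`) and feed `rule_is_passwordless` the saved output of `ipa sudorule-show sudo_rules_rekanalar`. Note that `sudo -l` itself prompting for a password is the tell: if the IPA rule had matched, its `!authenticate` option would have suppressed that prompt, so a prompt means the client never received a matching rule.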