Discussion:
[Freeipa-users] stopping su -
Steven Jones
2012-07-16 21:32:36 UTC
I have created a sshd rule only for the HBAC, but I find a std user can su - to root, is this correct behavior?

How do I? or can I? stop this unless explicitly allowed?


regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272
Erinn Looney-Triggs
2012-07-16 21:38:25 UTC
On 07/16/2012 01:32 PM, Steven Jones wrote:
> I have created a sshd rule only for the HBAC, but I find a std user can
> su - to root, is this correct behavior?
>
> How do I? or can I? stop this unless explicitly allowed?


You need to control this via PAM. So for me I restrict su to only be
allowed for members of the wheel group, from /etc/pam.d/su:

auth required pam_wheel.so use_uid

There are comments in the file that will get you where you want to go.

-Erinn
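
An added example, not part of the original post: a POSIX shell check that reports how a host's su PAM file uses pam_wheel, for auditing the /etc/pam.d/su line quoted above (and the root_only variant that comes up later in the thread) across many servers. The function name su_wheel_status, its result labels and the sample files are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: report how a PAM "su" service file uses pam_wheel.
# Result labels (assumed names):
#   enforced            required pam_wheel, applies to every su target
#   enforced-root-only  required pam_wheel with root_only (su to root only)
#   misordered          required pam_wheel placed after an "auth include" line,
#                       where a sufficient module in the included file can
#                       end the stack before pam_wheel is consulted
#   trust-only          only "sufficient ... trust": wheel members skip the
#                       password, non-members are not blocked
#   absent              no active pam_wheel line (commented lines do not count)
# Bracketed control values such as [success=1 default=ignore] are not parsed.
su_wheel_status() {
    awk '
        /^[ \t]*#/ || NF < 3 { next }
        $1 != "auth"          { next }
        $2 == "include"       { seen_include = 1; next }
        $3 == "pam_wheel.so" || $3 ~ /\/pam_wheel\.so$/ {
            opts = " "
            for (i = 4; i <= NF; i++) opts = opts $i " "
            if ($2 == "required" || $2 == "requisite") {
                if (seen_include)              state = "misordered"
                else if (opts ~ / root_only /) state = "enforced-root-only"
                else                           state = "enforced"
                found = 1
                exit
            }
            if ($2 == "sufficient" && opts ~ / trust /) trust = 1
        }
        END {
            if (found)      print state
            else if (trust) print "trust-only"
            else            print "absent"
        }
    ' "$1"
}

# Constructed sample files (not taken from the thread), one per outcome.
demo_dir=$(mktemp -d)
printf '%s\n' 'auth sufficient pam_rootok.so' \
    '#auth required pam_wheel.so use_uid' \
    'auth include system-auth' > "$demo_dir/commented"
printf '%s\n' 'auth sufficient pam_rootok.so' \
    'auth required pam_wheel.so use_uid' \
    'auth include system-auth' > "$demo_dir/wheel"
printf '%s\n' 'auth sufficient pam_rootok.so' \
    'auth required pam_wheel.so root_only use_uid' \
    'auth include system-auth' > "$demo_dir/root_only"
printf '%s\n' 'auth sufficient pam_rootok.so' \
    'auth include system-auth' \
    'auth required pam_wheel.so use_uid' > "$demo_dir/late"

for f in commented wheel root_only late; do
    printf '%-10s %s\n' "$f" "$(su_wheel_status "$demo_dir/$f")"
done
rm -rf "$demo_dir"
```

On a real host the argument would be /etc/pam.d/su.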
Steven Jones
2012-07-16 21:47:48 UTC
Hi,

OK, so to confirm this can't be done in a centralised way via IPA?

In which case when setting a HBAC with sshd only why can't I su - oracle but I can su - root?

regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272

Erinn Looney-Triggs
2012-07-17 04:31:46 UTC
On 07/16/2012 01:47 PM, Steven Jones wrote:
> Hi,
>
> OK, so to confirm this can't be done in a centralised way via IPA?
>
> In which case when setting a HBAC with sshd only why can't I su - oracle but I can su - root?

I can't speak to whether it can or cannot be done centrally in any sort
of authoritative way; it might be possible there are HBAC settings for su,
and I can't really answer your question about su-ing to oracle.

-Erinn
Steven Jones
2012-07-17 04:40:10 UTC
Hi,

I could do,

auth required pam_wheel.so root_only use_uid

But I really want to do this with IPA or I have to get on each server and add and remove admins by hand (hint 300 servers)...that is the idea of something like IPA for me....do it once centrally.

I assume simo's hint is,

sudo -i su - oracle

I will have to experiment.

regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272

William Brown
2012-07-17 04:54:05 UTC
> auth required pam_wheel.so root_only use_uid
>
> But I really want to do this with IPA or I have to get on each server and add and remove admins by hand (hint 300 servers)...that is the idea of something like IPA for me....do it once centrally.
>

Also, you can create and manage these files with spacewalk / satellite.
Though in the future arguably it would be useful for IPA to have some
level of satellite integration for this exact scenario.


--
Sincerely,

William Brown

pgp.mit.edu
http://pgp.mit.edu:11371/pks/lookup?op=vindex&search=0x3C0AC6DAB2F928A2
Dmitri Pal
2012-07-17 11:07:55 UTC
On 07/17/2012 12:40 AM, Steven Jones wrote:
> Hi,
>
> I could do,
>
> auth required pam_wheel.so root_only use_uid
>
> But I really want to do this with IPA or I have to get on each server and add and remove admins by hand (hint 300 servers)...that is the idea of something like IPA for me....do it once centrally.
>
> I assume simo's hint is,
>
> sudo -i su - oracle

AFAIU if you are looking for a centrally managed setting you need to use sudo.
With su and HBAC IPA can just control which user can authenticate using
"su" but not for local users like root.

I think that if the oracle user is centrally managed you would be able
to define an HBAC rule that would prevent oracle user from doing su on a
group of hosts, but I doubt that this is what you want.
Seems like sudo will give you much more flexibility.

> I will have to experiment.


--
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.


Steven Jones
2012-07-17 22:04:01 UTC
but presumably I can control sudo with IPA?


regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272

Dmitri Pal
2012-07-18 17:53:41 UTC
On 07/17/2012 06:04 PM, Steven Jones wrote:
> but presumably I can control sudo with IPA?

Yes you do.



--
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.


Paul Robert Marino
2012-07-17 06:51:43 UTC
I understand where you are going with this.
Don't think about su - oracle directly.
A sudo -u oracle -H isn't quite what you are looking for either, because you
want the environment variables to auto load, and oracle DBAs can be (not all,
but many) very lazy about loading them manually.
The best option is sudo su - oracle.
You can lock that down in the sudoers config and you can lock the su
permissions to the wheel group via the local configuration files in
/etc/security or via the pam module. Either way you need to add in
configuration file management, which is not what freeipa is for.
Steven Jones
2012-07-17 22:03:06 UTC
Hi

Actually this, for me anyway, is exactly what IPA should be for... it's security, it's centrally managed and it saves workload.

Doing this across 200+ servers needs to be centralised or IPA becomes pointless, very limited, i.e. one-point password, add and remove users (oh big deal, I can use salt to do that in effect). As I'd have to do IPA stuff and then local... it saves me little if anything in work / automation.

Now if it doesn't do this, well OK, but half my problem is determining what IPA can and can't do; the devil is in the detail, as they say.


regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272


8><------


You can lock that down in the sudoers config and you can lock the su permissions to the wheel group via the local configuration files in /etc/security or via the pam module. Either way you need to add in configuration file management, which is not what freeipa is for.

8><----