FreeIPA - Allow ipa user su to root

General support questions
Post Reply
rocklee44
Posts: 7
Joined: 2018/07/09 09:15:14

FreeIPA - Allow ipa user su to root

Post by rocklee44 » 2018/07/18 04:58:30

Hi all,
I'm FreeIPA newbie, I have some fool questions, I tried google but I can find what I want so I hope you can help me.
My environment :
IPA server : ipa001.mydomain.com , CentOS Linux release 7.4.1708 (Core)
IPA client : a CentOS Linux release 7.4.1708 (Core) server : server01.mydomain.com
I'm trying to create sudo rule that allows ipa user jack.chuong can switch to root on IPA client server01.mydomain.com (jack.chuong can ssh to server01.mydomain.com already) by entering jack.chuong's password.

Code: Select all

login as: jack.chuong
Using keyboard-interactive authentication.
Password:
Last login: Wed Jul 18 11:36:53 2018 from 192.168.6.191
[jack.chuong@server01.mydomain.com ~]$ sudo su
[sudo] password for jack.chuong:
Sorry, try again.
[sudo] password for jack.chuong:
This is my sudo rule

Code: Select all

ipa sudorule-show --all
Rule name: sudo su
  dn: ipaUniqueID=6e1ae25a-8a3e-11e8-bd6d-000c2966ff86,cn=sudorules,cn=sudo,dc=mydomain,dc=com
  Rule name: sudo su
  Enabled: TRUE
  Users: jack.chuong
  Hosts: server01.mydomain.com
  Sudo Allow Commands: /usr/bin/su
  ipauniqueid: 6e1ae25a-8a3e-11e8-bd6d-000c2966ff86
  objectclass: ipaassociation, ipasudorule
Please give me some advice what should I edit to make it works ? Thank you very much.

rocklee44
Posts: 7
Joined: 2018/07/09 09:15:14

Re: FreeIPA - Allow ipa user su to root

Post by rocklee44 » 2018/07/23 06:47:19

Has anyone did it before ?

lightman47
Posts: 681
Joined: 2014/05/21 20:16:00
Location: Central New York, USA

Re: FreeIPA - Allow ipa user su to root

Post by lightman47 » 2018/07/23 12:36:11

I know nothing about ipa (don't use it to my knowledge), but can't he just ssh in as himself, then "su -"?
"Please solve your problems in advance so we can help you more"
- unknown

rocklee44
Posts: 7
Joined: 2018/07/09 09:15:14

Re: FreeIPA - Allow ipa user su to root

Post by rocklee44 » 2018/07/24 02:30:04

He can ssh in as himself but he cannot "sudo su -"

lightman47
Posts: 681
Joined: 2014/05/21 20:16:00
Location: Central New York, USA

Re: FreeIPA - Allow ipa user su to root

Post by lightman47 » 2018/07/24 11:24:44

Again, can he "su -"? I don't even know what the purpose of 'sudo su' is although I've seen it mentioned here twice before. If he can do su, then he becomes root. If you want him somewhat restricted, then 'sudo'. What does the combination do?
"Please solve your problems in advance so we can help you more"
- unknown

User avatar
TrevorH
Forum Moderator
Posts: 23196
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: FreeIPA - Allow ipa user su to root

Post by TrevorH » 2018/07/24 11:29:10

They are different. If you run su - then it prompts for the root password and if you get it right, it opens a sessions as root. If you run sudo su - then it asks for the user's password to run sudo then, if you get it right and you're allowed to run su - in sudoers, it runs su - as root and since you're already root (via sudo) it doesn't ask for the root password.
CentOS 5 died in March 2017 - migrate NOW!
Full time Geek, part time moderator. Use the FAQ Luke

lightman47
Posts: 681
Joined: 2014/05/21 20:16:00
Location: Central New York, USA

Re: FreeIPA - Allow ipa user su to root

Post by lightman47 » 2018/07/24 11:35:44

Ah, thank you. Essentially, you're then 'bypassing' the password for root. Nice to finally know.
"Please solve your problems in advance so we can help you more"
- unknown

rocklee44
Posts: 7
Joined: 2018/07/09 09:15:14

Re: FreeIPA - Allow ipa user su to root

Post by rocklee44 » 2018/07/25 05:02:33

So , if "jack.chuong" is a local user in server and visudo "jack.chuong ALL=(ALL) ALL" , he can "sudo su -" --> enter his password and switch to root.
How can I do it with freeipa user and sudo rule ?

Post Reply