
FreeIPA - Allow ipa user su to root

Posted: 2018/07/18 04:58:30
by rocklee44
Hi all,
I'm a FreeIPA newbie and I have some foolish questions. I tried Google but I can't find what I want, so I hope you can help me.
My environment:
IPA server: ipa001.mydomain.com, CentOS Linux release 7.4.1708 (Core)
IPA client: server01.mydomain.com, CentOS Linux release 7.4.1708 (Core)
I'm trying to create a sudo rule that allows the IPA user jack.chuong to switch to root on the IPA client server01.mydomain.com by entering jack.chuong's password (jack.chuong can already ssh to server01.mydomain.com).

    login as: jack.chuong
    Using keyboard-interactive authentication.
    Password:
    Last login: Wed Jul 18 11:36:53 2018 from 192.168.6.191
    [jack.chuong@server01.mydomain.com ~]$ sudo su
    [sudo] password for jack.chuong:
    Sorry, try again.
    [sudo] password for jack.chuong:

This is my sudo rule

    ipa sudorule-show --all
    Rule name: sudo su
      dn: ipaUniqueID=6e1ae25a-8a3e-11e8-bd6d-000c2966ff86,cn=sudorules,cn=sudo,dc=mydomain,dc=com
      Rule name: sudo su
      Enabled: TRUE
      Users: jack.chuong
      Hosts: server01.mydomain.com
      Sudo Allow Commands: /usr/bin/su
      ipauniqueid: 6e1ae25a-8a3e-11e8-bd6d-000c2966ff86
      objectclass: ipaassociation, ipasudorule

Please give me some advice on what I should edit to make it work. Thank you very much.

Re: FreeIPA - Allow ipa user su to root

Posted: 2018/07/23 06:47:19
by rocklee44
Has anyone done this before?

Re: FreeIPA - Allow ipa user su to root

Posted: 2018/07/23 12:36:11
by lightman47
I know nothing about ipa (don't use it to my knowledge), but can't he just ssh in as himself, then "su -"?

Re: FreeIPA - Allow ipa user su to root

Posted: 2018/07/24 02:30:04
by rocklee44
He can ssh in as himself but he cannot "sudo su -"

Re: FreeIPA - Allow ipa user su to root

Posted: 2018/07/24 11:24:44
by lightman47
Again, can he "su -"? I don't even know what the purpose of 'sudo su' is although I've seen it mentioned here twice before. If he can do su, then he becomes root. If you want him somewhat restricted, then 'sudo'. What does the combination do?

Re: FreeIPA - Allow ipa user su to root

Posted: 2018/07/24 11:29:10
by TrevorH
They are different. If you run su - then it prompts for the root password and, if you get it right, it opens a session as root. If you run sudo su - then it asks for the user's password to run sudo; then, if you get it right and you're allowed to run su - in sudoers, it runs su - as root, and since you're already root (via sudo) it doesn't ask for the root password.

Re: FreeIPA - Allow ipa user su to root

Posted: 2018/07/24 11:35:44
by lightman47
Ah, thank you. Essentially, you're then 'bypassing' the password for root. Nice to finally know.

Re: FreeIPA - Allow ipa user su to root

Posted: 2018/07/25 05:02:33
by rocklee44
So, if "jack.chuong" is a local user on the server and visudo has "jack.chuong ALL=(ALL) ALL", he can "sudo su -", enter his password and switch to root.
How can I do it with a FreeIPA user and a sudo rule?
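One way to build such a rule from the IPA CLI and to check the client side of it, as an added example that is not part of the thread and not FreeIPA's own tooling. The ipa subcommands are real FreeIPA 4.x commands and assume an admin Kerberos ticket (kinit admin) on the machine that runs them; the user, host and rule name are the ones from the thread. The dry-run mode, the two config checks and the sample file contents are this example's own. The client checks cover the most common reason a correctly defined IPA sudo rule is never applied: sudo on the client is not wired to SSSD (the sudoers database in /etc/nsswitch.conf lacks sss, or the sudo responder is missing from sssd.conf). A sudo command registered without arguments matches any arguments, so allowing /usr/bin/su covers both "sudo su" and "sudo su -".

```shell
#!/bin/sh
# Added example, not from the thread: create a FreeIPA sudo rule that lets an
# IPA user run /usr/bin/su on one client, and check the client-side settings
# that let sudo see IPA rules at all. User, host and rule name are the ones
# from the thread; the dry-run mode and the checks are this example's own.
set -eu

IPA_USER="${IPA_USER:-jack.chuong}"
IPA_HOST="${IPA_HOST:-server01.mydomain.com}"
RULE="${RULE:-sudo su}"

# Run a real "ipa" subcommand (needs an admin ticket: kinit admin), or with
# IPA_DRY_RUN=1 just print what would run, so the sequence can be reviewed.
ipa_cmd() {
    if [ "${IPA_DRY_RUN:-0}" = "1" ]; then
        echo "ipa $*"
    else
        ipa "$@"
    fi
}

# Server side. A sudo command registered without arguments matches any
# arguments, so /usr/bin/su covers both "sudo su" and "sudo su -".
create_su_rule() {
    ipa_cmd sudocmd-add /usr/bin/su --desc="switch user"
    ipa_cmd sudorule-add "$RULE"
    ipa_cmd sudorule-add-user "$RULE" --users="$IPA_USER"
    ipa_cmd sudorule-add-host "$RULE" --hosts="$IPA_HOST"
    ipa_cmd sudorule-add-allow-command "$RULE" --sudocmds=/usr/bin/su
    ipa_cmd sudorule-add-runasuser "$RULE" --users=root
}

# Client side. sudo only asks SSSD for rules when /etc/nsswitch.conf lists
# "sss" for the sudoers database and the [sssd] section of sssd.conf lists
# the sudo service. Both checks take the file contents as a string so they
# can be exercised on samples; pass "$(cat /etc/nsswitch.conf)" for real.
nsswitch_has_sss_sudoers() {
    printf '%s\n' "$1" |
        grep -Eq '^[[:space:]]*sudoers:.*[[:space:]]sss([[:space:]]|$)'
}

sssd_has_sudo_service() {
    printf '%s\n' "$1" | awk '
        /^\[/ { in_sssd = ($0 == "[sssd]") }
        in_sssd && /^[[:space:]]*services[[:space:]]*=/ {
            if ($0 ~ /(^|[ ,=])sudo([ ,]|$)/) found = 1
        }
        END { exit found ? 0 : 1 }'
}

# Constructed sample file contents (not from the thread) for the two checks.
SAMPLE_NSSWITCH_OK='passwd:     files sss
sudoers:    files sss'
SAMPLE_NSSWITCH_BAD='passwd:     files sss
sudoers:    files'
SAMPLE_SSSD_OK='[domain/mydomain.com]
id_provider = ipa

[sssd]
services = nss, pam, ssh, sudo
domains = mydomain.com'
SAMPLE_SSSD_BAD='[sssd]
services = nss, pam, ssh
domains = mydomain.com'

# Run as root on the client after the rule exists.
check_client() {
    nsswitch_has_sss_sudoers "$(cat /etc/nsswitch.conf)" ||
        echo "nsswitch.conf: sudoers database does not include sss"
    sssd_has_sudo_service "$(cat /etc/sssd/sssd.conf)" ||
        echo "sssd.conf: sudo is not in the [sssd] services list"
    sss_cache -E            # drop cached rules so the new one is fetched
    sudo -l -U "$IPA_USER"  # what sudo believes the user may run here
}

case "${1:-}" in
    server) create_su_rule ;;
    client) check_client ;;
    *) echo "usage: $0 server|client" >&2 ;;
esac
```

Run `kinit admin` and then `sh freeipa_su_rule.sh server` on any host with the ipa client tools (or with IPA_DRY_RUN=1 to only print the commands), then `sh freeipa_su_rule.sh client` as root on server01. If `sudo -l -U jack.chuong` lists /usr/bin/su but sudo still answers "Sorry, try again", the rule is in place and the failure is in sudo's password check (its PAM stack), not in the FreeIPA rule.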