Thank you for the advice.

On 26 April 2018 at 19:01, Jakub Hrozek <jhrozek@redhat.com> wrote:


> On 26 Apr 2018, at 18:29, Morgan Cox via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:
>
> Hi.
>
> I have a test freeipa server setup.
>
> It is generally working fine, however I have found one major issue.
>
> Even though a user only has 1 service enabled 'sshd' that user can su / su- to root.
>
> I can confirm I have deleted the allow_all HBAC rule, and can confirm generally rules are working.
>
> i.e. if I remove sshd from allowed services the user cannot login.
>
> Using ipa hbactest - sshd is granted, su is not
>
> Also I have tested the user cannot su / su - [non-root-user]
>
> ------------------
> [mcox@ipaclient2 ~]$ su - mcox2
> Password:
> su: Permission denied
> ------------------
>
> but they can su - (to root).
>
> When I su I see in /var/log/secure
>
> ----------------
> Apr 26 17:26:28 ipaclient2 su: pam_unix(su:session): session opened for user root by mcox2(uid=1374400008)
> ----------------
>
> Looking at the logs in /var/log/sssd when I su only the sssd_nss.log seems to grow
>
> debug_log = 9 is enabled
>
> --------------------------
> (Thu Apr 26 17:27:52 2018) [sssd[nss]] [get_client_cred] (0x4000): Client creds: euid[0] egid[1374400008] pid[1759].
> (Thu Apr 26 17:27:52 2018) [sssd[nss]] [setup_client_idle_timer] (0x4000): Idle timer re-set for client [0x55937ee13a10][21]
> (Thu Apr 26 17:27:52 2018) [sssd[nss]] [accept_fd_handler] (0x0400): Client connected!
> (Thu Apr 26 17:27:52 2018) [sssd[nss]] [sss_cmd_get_version] (0x0200): Received client version [1].
> (Thu Apr 26 17:27:52 2018) [sssd[nss]] [sss_cmd_get_version] (0x0200): Offered version [1].
> (Thu Apr 26 17:27:52 2018) [sssd[nss]] [nss_getby_name] (0x0400): Input name: root
> (Thu Apr 26 17:27:52 2018) [sssd[nss]] [cache_req_set_plugin] (0x2000): CR #52: Setting "Initgroups by name" plugin
> (Thu Apr 26 17:27:52 2018) [sssd[nss]] [cache_req_send] (0x0400): CR #52: New request 'Initgroups by name'
> (Thu Apr 26 17:27:52 2018) [sssd[nss]] [cache_req_process_input] (0x0400): CR #52: Parsing input name [root]
> (Thu Apr 26 17:27:52 2018) [sssd[nss]] [sss_parse_name_for_domains] (0x0200): name 'root' matched without domain, user is root
> (Thu Apr 26 17:27:52 2018) [sssd[nss]] [cache_req_set_name] (0x0400): CR #52: Setting name [root]
> (Thu Apr 26 17:27:52 2018) [sssd[nss]] [cache_req_select_domains] (0x0400): CR #52: Performing a multi-domain search
> (Thu Apr 26 17:27:52 2018) [sssd[nss]] [cache_req_search_domains] (0x0400): CR #52: Search will check the cache and check the data provider
> (Thu Apr 26 17:27:52 2018) [sssd[nss]] [cache_req_validate_domain_type] (0x2000): Request type POSIX-only for domain cpgbpc.local type POSIX is valid
> (Thu Apr 26 17:27:52 2018) [sssd[nss]] [cache_req_set_domain] (0x0400): CR #52: Using domain [cpgbpc.local]
> (Thu Apr 26 17:27:52 2018) [sssd[nss]] [cache_req_prepare_domain_data] (0x0400): CR #52: Preparing input data for domain [cpgbpc.local] rules
> (Thu Apr 26 17:27:52 2018) [sssd[nss]] [cache_req_search_send] (0x0400): CR #52: Looking up root@cpgbpc.local
> (Thu Apr 26 17:27:52 2018) [sssd[nss]] [cache_req_search_ncache] (0x0400): CR #52: Checking negative cache for [root@cpgbpc.local]
> (Thu Apr 26 17:27:52 2018) [sssd[nss]] [sss_ncache_check_str] (0x2000): Checking negative cache for [NCE/USER/cpgbpc.local/root@cpgbpc.local]
> (Thu Apr 26 17:27:52 2018) [sssd[nss]] [cache_req_search_ncache] (0x0400): CR #52: [root@cpgbpc.local] does not exist (negative cache)
> (Thu Apr 26 17:27:52 2018) [sssd[nss]] [cache_req_process_result] (0x0400): CR #52: Finished: Not found
> (Thu Apr 26 17:27:52 2018) [sssd[nss]] [nss_protocol_done] (0x4000): Sending reply: not found
> (Thu Apr 26 17:27:54 2018) [sssd[nss]] [client_idle_handler] (0x2000): Terminating idle client [0x55937ee0faf0][22]
> (Thu Apr 26 17:27:54 2018) [sssd[nss]] [client_close_fn] (0x2000): Terminated client [0x55937ee0faf0][22]
> (Thu Apr 26 17:27:54 2018) [sssd[nss]] [client_idle_handler] (0x2000): Terminating idle client [0x55937ee12d80][23]
> (Thu Apr 26 17:27:54 2018) [sssd[nss]] [client_close_fn] (0x2000): Terminated client [0x55937ee12d80][23]
>
> --------------------------
>
> Can anyone help me prevent a user being able to su / su - to root?

You can’t do this with IPA HBAC because root is not a user managed by IPA. The HBAC policies only control who you log in as, not the user you’re logging from.

I think if you want to prevent certain users from becoming root, you can use pam_wheel.so with the only_root parameter.

>
> If it helps my /etc/pam.d/system-auth config is here : https://pastebin.com/J3THY44c
>
> Regards
>
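An added check, not from the thread: a small POSIX shell script that contrasts a pam.d `su` stack modelled on the stock one, where escalation to root is answered locally by pam_unix (the sssd_nss log above shows root is not even found in IPA) and HBAC never sees the request, with one that adds pam_wheel.so; the option is spelled `root_only` in pam_wheel(8). The two pam.d files and the function name `su_root_gated_by_wheel` are constructed for this example.

```shell
# Added example (not from the thread): does a pam.d 'su' stack restrict
# becoming root to the wheel group via pam_wheel.so? Samples are constructed.

# Returns 0 when FILE has an active auth line loading pam_wheel.so with a
# blocking control (required/requisite) and without the inverting 'deny' option.
su_root_gated_by_wheel() {
    grep -E '^[[:space:]]*auth[[:space:]]+(required|requisite)[[:space:]]+pam_wheel\.so' "$1" \
        | grep -Evq '(^|[[:space:]])deny([[:space:]]|$)'
}

# Weak stack, modelled on a stock /etc/pam.d/su: the pam_wheel line ships
# commented out, so su to root only asks for the root password (pam_unix).
write_weak_su() {
    cat > "$1" <<'EOF'
#%PAM-1.0
auth            sufficient      pam_rootok.so
#auth           required        pam_wheel.so use_uid
auth            substack        system-auth
account         include         system-auth
session         include         system-auth
EOF
}

# Hardened stack: root_only limits the wheel check to su targets that are root
# (su between IPA users still follows HBAC); use_uid checks the real calling uid.
write_hardened_su() {
    cat > "$1" <<'EOF'
#%PAM-1.0
auth            sufficient      pam_rootok.so
auth            required        pam_wheel.so use_uid root_only
auth            substack        system-auth
account         include         system-auth
session         include         system-auth
EOF
}

# Stand-alone demo over the two constructed files.
tmp=$(mktemp -d)
write_weak_su "$tmp/su.weak"; write_hardened_su "$tmp/su.hardened"
for f in "$tmp"/su.*; do
    su_root_gated_by_wheel "$f" && echo "$f: su to root limited to wheel" || echo "$f: WARNING: any user holding the root password can su to root"
done
rm -rf "$tmp"
```

Point the function at the real /etc/pam.d/su on a client to audit it; a commented-out or `sufficient` pam_wheel line is reported as not gating.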