On 1/17/20 1:24 PM, Jakub Hrozek wrote:
On Fri, Jan 17, 2020 at 11:23:25AM +0100, Pavel Březina wrote:
On 1/17/20 8:40 AM, Jannis Mann wrote:
Hi, I've implemented sssd with id, auth and access provider set to ldap. So I am using a bind account and didn't join the server to the domain.
In general everything works. Only members of the SG mentioned in sssd.conf can log in to the server, just as I wish.
However, as a sudo user I can run something like the following:
sudo su - UserThatIsNotAllowed
So I (a sudo user) can switch to any user that is within the search base I've specified in sssd.conf. But these users are not allowed to use the server.
I understand that the user himself is not logging in, but I actually don't want sudo users to be able to switch to users that aren't allowed on the server.
I'd like it to be allowed only to switch to users that are allowed on the server, or local accounts of course.
Is this normal behaviour? Can it be changed?
Thank you! Jannis
So you want to be able to run 'sudo su - AllowedUser' but not all users are allowed, right?
Sudo rules can also match command parameters, so in theory you could create a rule to allow the commands "/bin/su - User1", "/bin/su - User2" ... but if you have many users, it would be tedious.
If the purpose is to allow specific users to be able to call all commands as an allowed user, it would be better to use the runAsUser ability of sudo (to run a command as a specific user instead of root) and just set up a rule like:
sudoUser: my-user
sudoHost: ALL
sudoCommand: ALL
sudoRunAsUser: allowed-user
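To make the two options concrete, here is an added example (not code from the thread or from the SSSD project) that generates sudoRole entries in the sudoers LDAP schema for both approaches: the per-command "/bin/su - UserN" rule and the sudoRunAsUser rule. The base DN, rule names and user names are assumptions. It also encodes two caveats a practitioner should keep in mind: sudo matches command arguments literally, so a per-command rule has to list every way "su" accepts its target (this is what makes that approach tedious), and user names must be validated before being written into a rule, because a "*" would turn the sudoCommand into a wildcard and a newline would break the LDIF.

```python
"""Generate sudoRole LDIF entries for the two approaches discussed above.

Added example; the base DN, rule names and user names below are assumptions,
not values from the mailing-list thread.
"""
import re

SUDOERS_BASE = "ou=SUDOers,dc=example,dc=com"  # assumption: your sudoers container

# 'su' accepts its target user in several argument forms.  sudo matches command
# arguments literally (unless wildcards are used), so a per-command rule must
# list every form it should permit.
SU_FORMS = (
    "/bin/su - {u}",
    "/bin/su -l {u}",
    "/bin/su --login {u}",
    "/bin/su {u}",
)

# Conservative POSIX-style user name: no '*', '?', '[', whitespace or newlines,
# so a name can never widen a rule into a wildcard or inject extra attributes.
_SAFE_USER = re.compile(r"[a-z_][a-z0-9_-]{0,31}")


def is_safe_username(name: str) -> bool:
    """True if name is safe to embed in a sudoCommand / sudoRunAsUser value."""
    return _SAFE_USER.fullmatch(name) is not None


def _check_users(users):
    bad = [u for u in users if not is_safe_username(u)]
    if bad:
        raise ValueError(f"refusing unsafe user names: {bad!r}")


def ldif_entry(cn: str, attrs) -> str:
    """Render one sudoRole entry; attrs is an ordered list of (name, value)."""
    lines = [
        f"dn: cn={cn},{SUDOERS_BASE}",
        "objectClass: top",
        "objectClass: sudoRole",
        f"cn: {cn}",
    ]
    lines += [f"{k}: {v}" for k, v in attrs]
    return "\n".join(lines) + "\n"


def per_command_rule(cn: str, sudo_user: str, allowed_users) -> str:
    """Option 1: allow 'sudo su - <user>' only for the listed target users.

    Produces len(allowed_users) * len(SU_FORMS) sudoCommand values.
    """
    _check_users([sudo_user, *allowed_users])
    attrs = [("sudoUser", sudo_user), ("sudoHost", "ALL")]
    for u in allowed_users:
        for form in SU_FORMS:
            attrs.append(("sudoCommand", form.format(u=u)))
    return ldif_entry(cn, attrs)


def runas_rule(cn: str, sudo_user: str, allowed_users) -> str:
    """Option 2: let sudo_user run any command as the listed users (not root).

    The invoker then uses 'sudo -u <user> -i' rather than 'sudo su - <user>';
    because no rule grants root, 'sudo su - anyone' is denied.
    """
    _check_users([sudo_user, *allowed_users])
    attrs = [("sudoUser", sudo_user), ("sudoHost", "ALL"), ("sudoCommand", "ALL")]
    attrs += [("sudoRunAsUser", u) for u in allowed_users]
    return ldif_entry(cn, attrs)


if __name__ == "__main__":
    # Constructed sample input: one sudo user, two permitted target accounts.
    print(per_command_rule("allow-su", "my-user", ["alice", "bob"]))
    print(runas_rule("runas-allowed", "my-user", ["alice", "bob"]))
```

Load the output with ldapadd and check the result on the client with `sudo -l` (or `sudo -l -U my-user` as root); with the runAsUser rule, `sudo -u alice -i` is allowed while `sudo su - alice` is not, because nothing grants a command as root.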
Couldn't you also put sudo into the acct PAM substack? IIRC RHEL started doing that some time ago...
I'm not sure what you mean.
sssd-users mailing list -- sssd-users@lists.fedorahosted.org
To unsubscribe send an email to sssd-users-leave@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.o...