Posts

Showing posts from August 19, 2018

FreeIPA client on workstations

I have set up a FreeIPA server, and I am having trouble getting my workstations to log in with the enterprise account. I have been Googling my issues for the last 3 hours or so, but no luck. I have my IPA server running on Fedora 27 Server, with the DNS set up as well. I have 2 Fedora Workstation machines, one a desktop, the other a laptop. I installed freeipa-client, set my DNS to my ipa-server and ipa-client-install --mkhomedir --force-ntpd ran with no errors. I ran kinit admin and klist shows the expected output. I then went to the Users GUI in the Gnome Settings, and went through the Enterprise Account set up. When I logged out, I could see the FreeIPA account in GDM, but I get prompted for username after selecting it, and then I cannot log in with the correct password with either username or username@EXAMPLE.COM, and even after creating a homedir manually and setting the permissions so the ent...

What is the “group vector” of a user?

From man sudo

-P, --preserve-groups Preserve the invoking user's group vector unaltered. By default, the sudoers policy will initialize the group vector to the list of groups the target user is a member of. The real and effective group IDs, however, are still set to match the target user.

What is the "group vector" of a user? I couldn't find its definition by Google. Thanks.

asked Apr 27 at 2:23 by Tim, edited Apr 27 at 10:40 by Jeff Schaller

How does sudo achieve changing the privileges of a process?

From man sudo

When sudo executes a command, the security policy specifies the execution environment for the command. Typically, the real and effective user and group and IDs are set to match those of the target user, as specified in the password database, and the group vector is initialized based on the group database (unless the -P option was specified).

Why does sudo change both effective and real user/group IDs to those of the target user, instead of just effective user/group IDs? Are effective user/group IDs not the only ones needed to take on the privileges of the target user?

From https://unix.stackexchange.com/a/333245/674

changing the effective user and group ID's of a process is only one way of changing the privileges of a process, the security policy defined in sudo.conf can use any other kind of parameters in the above list.

In order to change the privileges, are there other ways than c...