Bug 588412 - Need list of services for hbac
Summary: Need list of services for hbac
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: freeIPA
Classification: Retired
Component: Documentation
Version: 2.0
Hardware: All
OS: Linux
low
medium
Target Milestone: ---
Assignee: Sumit Bose
QA Contact: Chandrasekar Kannan
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2010-05-03 17:07 UTC by Rob Crittenden
Modified: 2015-01-04 23:42 UTC (History)

Fixed In Version: freeipa-2.0.0-1.fc15
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2012-03-28 11:21:34 UTC

Description Rob Crittenden 2010-05-03 17:07:35 UTC
Description of problem:

HBAC can be configured to allow/deny specific services. A list of those services is needed.

Comment 1 Rob Crittenden 2010-05-03 17:08:41 UTC
Sumit, can you provide the list of services for HBAC, or the mechanism that sssd uses to determine the requested service?

Comment 2 Sumit Bose 2010-05-03 20:00:39 UTC
The service is compared to the string that is returned by
pam_get_item(pam_handle, PAM_SERVICE, &item) which is the same as the service name in the PAM configuration in /etc/pam.d/. So the filenames in /etc/pam.d are the service names. Please note that there are services which can have multiple service names, e.g. su and su-l.

Comment 3 Rob Crittenden 2010-09-27 18:31:42 UTC
Sumit, here are those that I picked: sssd, ftp, su, login, su-l, sudo and sudo-i.

Is this enough to start with?

Comment 4 Sumit Bose 2010-09-27 20:27:29 UTC
I think you mean sshd instead of sssd. Maybe adding gdm and/or gdm-password would make sense. The KDE folks would like kdm, too.

Comment 5 Dmitri Pal 2010-09-27 21:58:49 UTC
https://fedorahosted.org/freeipa/ticket/307

Comment 6 Rob Crittenden 2010-11-03 15:51:41 UTC
Ok, adding all three.

Comment 7 Rob Crittenden 2010-11-08 21:09:01 UTC
master: d76ead6ccea2b41d3cb603124860fb3f84d8e1cc
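
Added example, not part of the original bug report and not FreeIPA or sssd code: a shell sketch that applies the rule from comment 2 (file names in /etc/pam.d are the service names) to compare a host's PAM services with the names mentioned in comments 3, 4 and 6. The function names and the sample directory are constructed for illustration.

```shell
#!/bin/sh
# Service names assembled from this thread (comments 3, 4 and 6).
HBAC_SERVICES="sshd ftp su login su-l sudo sudo-i gdm gdm-password kdm"

# Print every PAM service name, i.e. every regular file name in the
# given pam.d directory (default: /etc/pam.d).
pam_services() {
    dir=${1:-/etc/pam.d}
    for f in "$dir"/*; do
        [ -f "$f" ] || continue      # skip subdirectories and an unmatched glob
        basename "$f"
    done
}

# Print PAM service names on this host that are not in HBAC_SERVICES.
# The match is on whole names, so "su" does not cover "su-l".
unlisted_services() {
    pam_services "$1" | while IFS= read -r svc; do
        case " $HBAC_SERVICES " in
            *" $svc "*) ;;
            *) printf '%s\n' "$svc" ;;
        esac
    done
}

# Print HBAC_SERVICES entries that have no PAM file on this host.
listed_but_absent() {
    dir=${1:-/etc/pam.d}
    for svc in $HBAC_SERVICES; do
        [ -f "$dir/$svc" ] || printf '%s\n' "$svc"
    done
}

# Constructed sample directory so the example runs on any host;
# pass /etc/pam.d instead to check a real system.
sample=$(mktemp -d)
touch "$sample/sshd" "$sample/su" "$sample/su-l" "$sample/sudo" \
      "$sample/crond" "$sample/vsftpd"
echo "PAM services with no entry in the list:"
unlisted_services "$sample"
echo "Listed names with no PAM file in the sample:"
listed_but_absent "$sample"
rm -rf "$sample"
```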
