[Freeipa-users] local root can su to any IPA user

Alexander Bokovoy abokovoy at redhat.com
Fri Nov 29 13:11:01 UTC 2013


On Fri, 29 Nov 2013, Fred van Zwieten wrote:
>Hi,
>
>When being root on an ipa-client, I can su to any IPA user. This is
>somewhat unexpected behaviour in comparison to Windows. If I am local
>administrator in a windows AD member server, I cannot become a domain user.
>I need to be domain administrator for that.
>
>Is it possible to have this "feature" disabled somehow?
root user on Linux systems by default has the CAP_SETUID capability, which
allows changing the process uid to a different user. If the capability is
there, the only way to reduce transitions from a specific user to another
one is by confining it via an appropriate security module, for example,
through a properly defined SELinux policy that prevents root from
transitioning to the context of an IPA user. Someone needs to write this
policy and deploy it on the IPA clients first.



-- 
/ Alexander Bokovoy
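An added example, not part of the thread or of the FreeIPA project: a small POSIX sh audit that decodes the CapEff mask from /proc/PID/status to show whether the calling process holds CAP_SETUID (the capability the reply names as what lets root become any IPA user) and reports whether SELinux is available and enforcing, since only an enforcing policy can confine a root that still holds the capability. The bit numbers come from linux/capability.h; the function and variable names are this example's own.

```shell
#!/bin/sh
# Audit helper (added example): does this process hold CAP_SETUID, and is
# there an enforcing SELinux policy that could confine uid transitions?

CAP_SETGID=6   # bit numbers as defined in linux/capability.h
CAP_SETUID=7

# cap_in_mask MASKHEX CAPNUM -> exit status 0 when bit CAPNUM is set.
# MASKHEX is the hex value printed on the CapEff line of /proc/PID/status
# (an optional 0x prefix is accepted). Uses the shell's 64-bit arithmetic.
cap_in_mask() {
    mask=${1#0x}
    capnum=$2
    [ $(( (0x$mask >> $capnum) & 1 )) -eq 1 ]
}

# effective_caps [STATUSFILE] -> prints the CapEff mask of a process
# (defaults to the current shell; a file argument allows offline analysis).
effective_caps() {
    awk '/^CapEff:/ { print $2 }' "${1:-/proc/self/status}" 2>/dev/null
}

# audit_setuid -> human-readable verdict for the current shell.
audit_setuid() {
    mask=$(effective_caps)
    if cap_in_mask "$mask" "$CAP_SETUID"; then
        echo "CapEff=$mask: CAP_SETUID present; DAC alone will not stop su to any IPA user"
    else
        echo "CapEff=$mask: CAP_SETUID absent; setuid() to another uid fails with EPERM"
    fi
    if cap_in_mask "$mask" "$CAP_SETGID"; then
        echo "CAP_SETGID present as well (group switching allowed)"
    fi
    # Only a mandatory access control policy can confine a process that
    # holds the capability; report whether SELinux is present and enforcing.
    if command -v getenforce >/dev/null 2>&1; then
        echo "SELinux: $(getenforce) (context: $(id -Z 2>/dev/null || echo unknown))"
    else
        echo "SELinux: tools not installed; no MAC confinement available here"
    fi
}

# Run the audit when the kernel exposes the status file (Linux).
[ -r /proc/self/status ] && audit_setuid
```

Run it as root on an IPA client to see the unconfined case the reply describes, then again once a confining policy is deployed.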
