[Freeipa-users] local root can su to any IPA user

Jakub Hrozek jhrozek at redhat.com
Fri Nov 29 13:48:29 UTC 2013


On Fri, Nov 29, 2013 at 03:11:01PM +0200, Alexander Bokovoy wrote:
> On Fri, 29 Nov 2013, Fred van Zwieten wrote:
> >Hi,
> >
> >When being root on an ipa-client, I can su to any IPA user. This is
> >somewhat unexpected behaviour in comparison to Windows. If I am local
> >administrator in a Windows AD member server, I cannot become a domain user.
> >I need to be domain administrator for that.
> >
> >Is it possible to have this "feature" disabled somehow?
> root user on Linux systems by default has CAP_SETUID capability which
> allows to change process uid to a different user. If the capability is
> there, the only way to reduce transition from a specific user to another
> one is by confining it via appropriate security module, for example,
> through properly defined SELinux policy that prevents root from
> transitioning to the context of an IPA user. Someone needs to write this
> policy and deploy it at IPA clients first.

I think Fred is actually referring to the pam_rootok.so module that
always returns PAM_SUCCESS if the caller has UID 0.

Fred, if you comment out the line with "pam_rootok.so" in the file
/etc/pam.d/su can you still log in as any user from root?
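
Added example, not part of the original message: a small audit helper that reports whether a PAM service file such as /etc/pam.d/su still has an active (uncommented) pam_rootok.so auth entry, which is the line the test above asks to comment out. The function names and the sample stack are constructed for illustration; included files (e.g. system-auth) are not followed.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not from the thread.

# Print "LINENO: entry" for every active auth entry that loads pam_rootok.so.
# PAM entry format: type control module-path [arguments]
active_rootok_lines() {
    awk '
        NF == 0 || $1 ~ /^#/ { next }        # blank lines and commented-out entries
        {
            type = $1
            sub(/^-/, "", type)              # "-auth" is a valid type prefix
            if (type != "auth") next
            i = 2                            # control field, may be "[a=b c=d]"
            if ($i ~ /^\[/) while (i < NF && $i !~ /\]$/) i++
            n = split($(i + 1), path, "/")   # module may be given as an absolute path
            if (path[n] == "pam_rootok.so") printf "%d: %s\n", NR, $0
        }
    ' "$1"
}

# Return 0 and list the entries if su would accept a UID 0 caller without
# authentication; return 1 if no active pam_rootok.so auth entry is present.
check_su_rootok() {
    hits=$(active_rootok_lines "$1")
    [ -n "$hits" ] || return 1
    printf '%s\n' "$hits"
}

# Constructed sample resembling an su PAM stack (not copied from a real host).
write_sample() {
    cat > "$1" <<'EOF'
#%PAM-1.0
auth sufficient pam_rootok.so
#auth required pam_wheel.so use_uid
auth include system-auth
session include system-auth
EOF
}

# Usage: sh this_script.sh /etc/pam.d/su
if [ "$#" -gt 0 ]; then
    check_su_rootok "$1"
fi
```

A clean result only means su itself will ask root to authenticate; as the quoted reply notes, root still holds CAP_SETUID unless a security module confines it.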



