[Freeipa-users] local root can su to any IPA user

Fred van Zwieten fvzwieten at vxcompany.com
Fri Nov 29 14:08:44 UTC 2013


Jakub,

Yes, I could do this. But then the local root account cannot su to local
users (without password). But that is actually a normal use-case. I just
think local root should not be allowed to transition to a domain user, by
default.

Fred

On Fri, Nov 29, 2013 at 2:48 PM, Jakub Hrozek <jhrozek at redhat.com> wrote:

> On Fri, Nov 29, 2013 at 03:11:01PM +0200, Alexander Bokovoy wrote:
> > On Fri, 29 Nov 2013, Fred van Zwieten wrote:
> > >Hi,
> > >
> > >When being root on an ipa-client, I can su to any IPA user. This is
> > >somewhat unexpected behaviour in comparison to Windows. If I am local
> > >administrator on a Windows AD member server, I cannot become a domain
> > >user. I need to be domain administrator for that.
> > >
> > >Is it possible to have this "feature" disabled somehow?
> > The root user on Linux systems by default has the CAP_SETUID capability,
> > which allows it to change the process uid to a different user. If the
> > capability is there, the only way to restrict transitions from a specific
> > user to another one is by confining it via an appropriate security module,
> > for example through a properly defined SELinux policy that prevents root
> > from transitioning to the context of an IPA user. Someone needs to write
> > this policy and deploy it at IPA clients first.
>
> I think Fred is actually referring to the pam_rootok.so module that
> always returns PAM_SUCCESS if the caller has UID 0.
>
> Fred, if you comment out the line with "pam_rootok.so" in the file
> /etc/pam.d/su can you still log in as any user from root?
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users
>
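The following is an added example, not code from the thread or from the FreeIPA project. It shows Jakub's suggested check in a form that can be tried on a copy of a PAM service file before touching /etc/pam.d: it detects an active `pam_rootok.so` line in the auth stack and writes a copy with that line commented out. The sample file is constructed here and only approximates /etc/pam.d/su on a RHEL/Fedora client (the exact contents vary by distribution and release). Note Fred's point that with `pam_rootok.so` gone, root is prompted for the password of local users as well as IPA users, and Alexander's point that this only affects `su`: a process running as root with CAP_SETUID can still call `setuid()` directly, so this is not a security boundary, only a change to what `su` does.

```shell
#!/bin/sh
# Added example: inspect a pam.d service file for an active pam_rootok.so
# line in the auth stack and produce a copy with that line commented out.
# Not part of the freeipa-users thread or of FreeIPA itself.

# Constructed sample approximating /etc/pam.d/su on a RHEL/Fedora IPA client.
# Assumption: real files differ by distribution and release; run this against
# a copy of your own file rather than relying on this text.
SAMPLE_SU_PAM="$(mktemp)"
cat > "$SAMPLE_SU_PAM" <<'EOF'
#%PAM-1.0
auth            sufficient      pam_rootok.so
# Uncomment the following line to implicitly trust users in the "wheel" group.
#auth           sufficient      pam_wheel.so trust use_uid
auth            substack        system-auth
auth            include         postlogin
account         sufficient      pam_succeed_if.so uid = 0 use_uid quiet
account         include         system-auth
password        include         system-auth
session         include         system-auth
session         include         postlogin
EOF

# rootok_active FILE: exit 0 if an uncommented auth line loads pam_rootok.so.
# Leading whitespace is tolerated; lines starting with '#' are ignored, so a
# commented-out copy of the line does not count as active.
rootok_active() {
    grep -Eq '^[[:space:]]*auth[[:space:]]+[^#]*pam_rootok\.so' "$1"
}

# disable_rootok SRC DST: copy SRC to DST with every active pam_rootok.so auth
# line commented out (prefixed with '#'); all other lines are left untouched,
# so the rest of the auth stack (system-auth, postlogin) still applies and
# root is asked for the target user's password, local or IPA.
disable_rootok() {
    sed -E 's/^([[:space:]]*auth[[:space:]]+[^#]*pam_rootok\.so)/#\1/' "$1" > "$2"
}

# count_active_auth FILE: number of active (uncommented) auth lines, used to
# confirm that only the pam_rootok.so line was removed from the stack.
count_active_auth() {
    grep -Ec '^[[:space:]]*auth[[:space:]]' "$1"
}

HARDENED_SU_PAM="$(mktemp)"
trap 'rm -f "$SAMPLE_SU_PAM" "$HARDENED_SU_PAM"' EXIT
disable_rootok "$SAMPLE_SU_PAM" "$HARDENED_SU_PAM"

if rootok_active "$SAMPLE_SU_PAM"; then
    echo "sample: root bypasses su authentication (pam_rootok.so active)"
fi
if ! rootok_active "$HARDENED_SU_PAM"; then
    echo "hardened: pam_rootok.so commented out; su will prompt root for a password"
fi
echo "active auth lines before/after: $(count_active_auth "$SAMPLE_SU_PAM")/$(count_active_auth "$HARDENED_SU_PAM")"
```

To apply this to a real client, run `disable_rootok /etc/pam.d/su /tmp/su.new`, inspect the diff, and copy it into place; then test `su - <ipa-user>` from a root shell. Keep a second root session open while doing so, since `su` is also how many administrators get back to unprivileged accounts.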