[Freeipa-users] local root can su to any IPA user

Martin Kosek mkosek at redhat.com
Fri Nov 29 14:41:16 UTC 2013


On 11/29/2013 03:17 PM, Jakub Hrozek wrote:
> On Fri, Nov 29, 2013 at 03:08:44PM +0100, Fred van Zwieten wrote:
>> Jakub,
>>
>> Yes, I could do this. But then the local root account cannot su to local
>> users (without password). But that is actually a normal use-case. I just
>> think local root should not be allowed to transition to a domain user, by
>> default.
>>
>> Fred
> 
> Ah, in that case I'm not sure if there's an easy solution, at least I
> don't know any off hand. I think Alexander is right that SELinux would
> be a good choice.

Right. Root could uncomment the pam_rootok.so line anyway if he wanted to
access other users' accounts again.

Martin
