[Freeipa-users] local root can su to any IPA user

Steve Dainard sdainard at miovision.com
Wed Feb 26 21:24:54 UTC 2014


Would it not be possible for root to disable SELinux enforcement? A user
could maybe even use a live CD if root couldn't be gained directly.

I'm looking at joining workstations to an idm realm, but some users will
need sudo permissions on their machines.

Is there any documentation on best practices here? Has there been any
further discussion on the best way to approach this problem?

Thanks,

Steve Dainard
IT Infrastructure Manager
Miovision <http://miovision.com/> | Rethink Traffic



On Fri, Nov 29, 2013 at 9:41 AM, Martin Kosek <mkosek at redhat.com> wrote:

> On 11/29/2013 03:17 PM, Jakub Hrozek wrote:
> > On Fri, Nov 29, 2013 at 03:08:44PM +0100, Fred van Zwieten wrote:
> >> Jakub,
> >>
> >> Yes, I could do this. But then the local root account cannot su to local
> >> users (without password). But that is actually a normal use-case. I just
> >> think local root should not be allowed to transition to a domain user, by
> >> default.
> >>
> >> Fred
> >
> > Ah, in that case I'm not sure if there's an easy solution, at least I
> > don't know any offhand. I think Alexander is right that SELinux would
> > be a good choice.
>
> Right. Root could uncomment the pam_rootok.so line anyway if he wanted to
> access other users' accounts again.
>
> Martin
>
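The pam_rootok.so point in the quoted replies, as an added audit script that is not part of this thread: it classifies a /etc/pam.d/su file as "open" (root switches to any account, local or IPA, without a password), "guarded" (a pam_succeed_if jump skips pam_rootok for domain users) or "disabled", and runs against constructed sample files rather than a real host. The pam_succeed_if guard and the uid 1000 local/domain boundary are assumptions of this example, not something the thread specifies.

```shell
#!/bin/sh
# Audit helper for the /etc/pam.d/su question in the thread: does an uncommented
# pam_rootok.so line let root su to any account (local or IPA) without a password?
# Prints one of: open (unconditional pam_rootok), guarded (pam_rootok skipped by a
# preceding pam_succeed_if jump), disabled (no active pam_rootok line).
su_rootok_status() {
    awk '
        { sub(/#.*/, ""); if ($1 != "auth") next }   # drop comments and non-auth entries
        /pam_rootok\.so/ {
            found = 1
            # a preceding [success=1 ...] pam_succeed_if.so jumps over pam_rootok for matching users
            if (prev ~ /success=1/ && prev ~ /pam_succeed_if\.so/) guarded = 1
        }
        { prev = $0 }
        END { if (!found) print "disabled"; else if (guarded) print "guarded"; else print "open" }
    ' "$1"
}

# Constructed stand-in for a stock /etc/pam.d/su (not taken from any real host).
DEFAULT_SU=$(mktemp)
cat > "$DEFAULT_SU" <<'EOF'
#%PAM-1.0
auth        sufficient  pam_rootok.so
auth        substack    system-auth
account     include     system-auth
session     include     system-auth
EOF

# Constructed variant: skip pam_rootok when the target uid is in the domain range
# (>= 1000 is an assumption; use the site's local/domain uid split), so root still
# switches to local service accounts freely but must authenticate as an IPA user.
RESTRICTED_SU=$(mktemp)
cat > "$RESTRICTED_SU" <<'EOF'
#%PAM-1.0
auth        [success=1 default=ignore]  pam_succeed_if.so uid >= 1000 quiet
auth        sufficient  pam_rootok.so
auth        substack    system-auth
account     include     system-auth
session     include     system-auth
EOF

# Constructed variant with pam_rootok commented out entirely (the option Fred rejected).
DISABLED_SU=$(mktemp)
sed 's/^auth.*pam_rootok/#&/' "$DEFAULT_SU" > "$DISABLED_SU"

for f in "$DEFAULT_SU" "$RESTRICTED_SU" "$DISABLED_SU"; do
    printf '%s -> %s\n' "$f" "$(su_rootok_status "$f")"
done
```

As Martin notes, root can edit the file back, so a guard like this only holds up when SELinux confinement or central configuration management detects or reverts the change.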