[Freeipa-users] local root can su to any IPA user

Simo Sorce simo at redhat.com
Fri Feb 28 18:46:31 UTC 2014


On Fri, 2014-02-28 at 17:27 +0000, Nordgren, Bryce L -FS wrote:
> Am I overlooking something, or is this likely to be an effective means
> of delegating small project support while sideboarding potential Evil?

Well, there are always caveats, mostly that you will find exceptions
you have to permit for whatever reason, so you generally need a workable
exception mechanism for when that happens; auditing can be a suitable
mitigating factor in those cases.

That said, I think JR also gave excellent points.

Especially with respect to 2FA, which, incidentally, we are almost done
implementing in FreeIPA. With 2FA you substantially reduce the threat of
stolen passwords when you have to allow password login on less trusted
machines, at least for human accounts.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
