[Freeipa-users] Root overrides HBAC rules for the command su

Sumit Bose sbose at redhat.com
Tue Feb 24 09:53:00 UTC 2015 

On Tue, Feb 24, 2015 at 09:15:11AM +0000, Bloemen, Jurriën wrote:
> Hi,
> 
> In FreeIPA you can create users and restrict on which hosts the user can login to. This is all great and works fine.
> 
> If a user1 is logged in to a system. Knows the password of user2 and issues the command "su" to be that user2 on that same system. This is not allowed because the user2 does not have HBAC rules for that system. This is as expected.
> 
> But if the user root tries the "su" command to be user2 is works despite the fact that user2 has no HBAC rule for that system.
> 
> Why does this works? Is there a way to prevent this? Or is this something in "su" that it works like the way it does?

It is the PAM configuration of su, e.g. on F21 it looks like this:

#%PAM-1.0
auth		sufficient	pam_rootok.so
# Uncomment the following line to implicitly trust users in the "wheel"
# group.
#auth		sufficient	pam_wheel.so trust use_uid
# Uncomment the following line to require a user to be in the "wheel"
# group.
#auth		required	pam_wheel.so use_uid
auth		substack	system-auth
auth		include		postlogin
account		sufficient	pam_succeed_if.so uid = 0 use_uid quiet
account		include		system-auth
password	include		system-auth
session		include		system-auth
session		include		postlogin
session		optional	pam_xauth.so

If you are root authentication is skipped with pam_rootok.so and access
control by 'pam_succeed_if.so uid = 0 use_uid quiet'. You can change
this if you want but is is not very useful because there are various
other way for root to become user2 without calling su. root can do
everything on the local system.

HTH

bye,
Sumit

> 
> Best regards,
> 
> Jurriën
> 
> This message (including any attachments) may contain information that is privileged or confidential. If you are not the intended recipient, please notify the sender and delete this email immediately from your systems and destroy all copies of it. You may not, directly or indirectly, use, disclose, distribute, print or copy this email or any part of it if you are not the intended recipient

> -- 
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go To http://freeipa.org for more info on the project

More information about the Freeipa-users mailing list