[Freeipa-users] k5login loophole even account is disabled on FreeIPA

Alexander Bokovoy abokovoy@redhat.com
Fri May 12 06:35:40 UTC 2017


On Fri, 12 May 2017, Thomas Lau wrote:
>Folks,
>
>let's say I am user thomas, and user "temp1" is already marked as "disabled"
>on FreeIPA, but thomas@DOMAIN.COM is in the /home/temp1/.k5login list. How come
>I can still "sudo su - temp1"? It seems to skip the check on FreeIPA even though
>the account is disabled. Did I miss a setting, or is this normal?
This is normal.

sudo brings you to root. The PAM configuration for su (/etc/pam.d/su) has this:

  auth		sufficient	pam_rootok.so

I.e. if su is executed as root, that is enough; no other authentication
checks are done.

-- 
/ Alexander Bokovoy
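As an added illustration (not part of the thread, and not FreeIPA's or Linux-PAM's own code): a small Python model of the su auth stack that walks the control keywords the way Linux-PAM does, so you can see `sufficient pam_rootok.so` short-circuit the stack for a uid 0 caller while an ordinary user still hits pam_sss. The stack text, the `temp1` account, and the module behaviours are constructed stand-ins; in particular pam_sss is modelled as failing for a disabled account, and `rootok_shortcircuits` is a hypothetical helper that flags the ordering the reply describes. Note also that plain su never reads ~/.k5login; that file is consulted by ksu and other Kerberos-aware services, so its contents play no part in the sudo-then-su path.

```python
"""Toy evaluator for a Linux-PAM auth stack, showing why `auth sufficient
pam_rootok.so` in /etc/pam.d/su lets root (reached via sudo) `su` into a
disabled FreeIPA account without any further check.

Constructed example: module behaviours are simplified stand-ins, not the
real pam_rootok/pam_sss code.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

# Trimmed-down stand-in for the auth section of /etc/pam.d/su on an IPA
# client (constructed; real files pull in system-auth and more modules).
SU_AUTH_STACK = """
# /etc/pam.d/su, auth section only (constructed)
auth    sufficient  pam_rootok.so
auth    required    pam_sss.so
"""

# Same stack with pam_rootok removed, for comparison within this model.
NO_ROOTOK_AUTH_STACK = """
auth    required    pam_sss.so
"""


@dataclass
class Context:
    caller_uid: int            # real uid of the process running su
    target_user: str           # account su is switching to
    password_ok: bool          # whether the password typed for target_user is right
    disabled: Dict[str, bool]  # constructed stand-in for FreeIPA's nsAccountLock flag


def pam_rootok(ctx: Context) -> bool:
    """pam_rootok: succeed when the caller is already uid 0."""
    return ctx.caller_uid == 0


def pam_sss(ctx: Context) -> bool:
    """Simplified pam_sss: needs a correct password for an enabled account."""
    return ctx.password_ok and not ctx.disabled.get(ctx.target_user, False)


MODULES: Dict[str, Callable[[Context], bool]] = {
    "pam_rootok.so": pam_rootok,
    "pam_sss.so": pam_sss,
}


def parse_stack(text: str, facility: str = "auth") -> List[Tuple[str, str]]:
    """Return [(control, module), ...] for one facility, in file order."""
    stack = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        parts = line.split()
        if len(parts) >= 3 and parts[0] == facility:
            stack.append((parts[1], parts[2]))
    return stack


def evaluate(stack: List[Tuple[str, str]], ctx: Context) -> Tuple[bool, List[str]]:
    """Walk the stack with Linux-PAM's simple control keywords.

    required:   failure is remembered, but later modules still run
    requisite:  failure stops the stack immediately
    sufficient: success stops the stack (unless a required module already failed)
    optional:   result ignored here (real PAM honours it only when nothing else decided)
    """
    failed = False
    trace: List[str] = []
    for control, module in stack:
        ok = MODULES[module](ctx)
        trace.append(f"{module} [{control}] -> {'ok' if ok else 'fail'}")
        if control == "required":
            failed = failed or not ok
        elif control == "requisite" and not ok:
            trace.append("requisite failed: stop")
            return False, trace
        elif control == "sufficient" and ok and not failed:
            trace.append("sufficient succeeded: stop, remaining modules skipped")
            return True, trace
        elif control not in ("required", "requisite", "sufficient", "optional"):
            raise ValueError(f"unsupported control keyword: {control}")
    return not failed, trace


def rootok_shortcircuits(pam_text: str) -> bool:
    """Hypothetical check: does `auth sufficient pam_rootok.so` come before
    pam_sss, so that a uid 0 caller never reaches the SSSD/FreeIPA check?"""
    for control, module in parse_stack(pam_text):
        if module == "pam_rootok.so" and control == "sufficient":
            return True
        if module == "pam_sss.so":
            return False
    return False


DISABLED = {"temp1": True}  # temp1 is disabled in FreeIPA (constructed)


def su_as_root_to_disabled() -> bool:
    """`sudo su - temp1`: su runs as uid 0 and no password is known."""
    ctx = Context(0, "temp1", password_ok=False, disabled=DISABLED)
    return evaluate(parse_stack(SU_AUTH_STACK), ctx)[0]


def su_as_user_to_disabled() -> bool:
    """`su - temp1` as uid 1000 who even knows temp1's password."""
    ctx = Context(1000, "temp1", password_ok=True, disabled=DISABLED)
    return evaluate(parse_stack(SU_AUTH_STACK), ctx)[0]


def su_as_root_without_rootok() -> bool:
    """Same root caller, but no pam_rootok line: pam_sss has to pass."""
    ctx = Context(0, "temp1", password_ok=False, disabled=DISABLED)
    return evaluate(parse_stack(NO_ROOTOK_AUTH_STACK), ctx)[0]


if __name__ == "__main__":
    print("root -> temp1:", "allowed" if su_as_root_to_disabled() else "denied")
    print("uid 1000 -> temp1:", "allowed" if su_as_user_to_disabled() else "denied")
    print("root, no pam_rootok:", "allowed" if su_as_root_without_rootok() else "denied")
    print("pam_rootok short-circuit present:", rootok_shortcircuits(SU_AUTH_STACK))
```

In this model the disabled flag only ever matters inside pam_sss, and the `sufficient` line returns before pam_sss runs for a uid 0 caller; that is the whole mechanism behind the reply's "no other authentication checks are done". Whether to keep pam_rootok in /etc/pam.d/su is a local policy decision, since removing it means root must satisfy the rest of the stack like any other user.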
