[Freeipa-users] k5login loophole even account is disabled on FreeIPA
Sumit Bose
sbose at redhat.com
Fri May 12 06:49:26 UTC 2017
On Fri, May 12, 2017 at 08:41:07AM +0200, Sumit Bose wrote:
> On Fri, May 12, 2017 at 09:35:40AM +0300, Alexander Bokovoy wrote:
> > On pe, 12 touko 2017, Thomas Lau wrote:
> > > Folks,
> > >
> > > let's say I am user thomas, and user "temp1" already marked as "disabled"
> > > on FreeIPA, but thomas at DOMAIN.COM is on /home/temp1/.k5login list, how come
> > > I could still "sudo su - temp1"? It seems skip the checking on FreeIPA even
> > > account is disabled. Did I miss any setting or it's normal?
> > This is normal.
> >
> > sudo brings you to root. PAM module for su (/etc/pam.d/su) has this:
> >
> > auth sufficient pam_rootok.so
> >
> > E.g. if su is executed as root, it is enough, no other authentication
> > checks are done.
>
> And no authorization checks either becasue there is
>
> account sufficient pam_succeed_if.so uid = 0 use_uid quiet
and btw, this is completely unrelated to .k5login, even if you remove
thomas at DOMAIN.COM from the file it would still work.
bye,
Sumit
>
> >
> > --
> > / Alexander Bokovoy
> >
> > --
> > Manage your subscription for the Freeipa-users mailing list:
> > https://www.redhat.com/mailman/listinfo/freeipa-users
> > Go to http://freeipa.org for more info on the project
>
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project
More information about the Freeipa-users
mailing list