Jakub,

Yes, I could do this. But then the local root account cannot su to local users (without password). But that is actually a normal use-case. I just think local root should not be allowed to transition to a domain user, by default.
Fred

On Fri, Nov 29, 2013 at 2:48 PM, Jakub Hrozek <[email protected]> wrote:
> On Fri, Nov 29, 2013 at 03:11:01PM +0200, Alexander Bokovoy wrote:
> > On Fri, 29 Nov 2013, Fred van Zwieten wrote:
> > >Hi,
> > >
> > >When being root on an ipa-client, I can su to any IPA user. This is
> > >somewhat unexpected behaviour in comparison to Windows. If I am local
> > >administrator in a Windows AD member server, I cannot become a domain user.
> > >I need to be domain administrator for that.
> > >
> > >Is it possible to have this "feature" disabled somehow?
> > root user on Linux systems by default has the CAP_SETUID capability, which
> > allows it to change the process uid to a different user. If the capability is
> > there, the only way to restrict the transition from a specific user to another
> > one is by confining it via an appropriate security module, for example
> > through a properly defined SELinux policy that prevents root from
> > transitioning to the context of an IPA user. Someone needs to write this
> > policy and deploy it at IPA clients first.
>
> I think Fred is actually referring to the pam_rootok.so module that
> always returns PAM_SUCCESS if the caller has UID 0.
>
> Fred, if you comment out the line with "pam_rootok.so" in the file
> /etc/pam.d/su can you still log in as any user from root?
>
> _______________________________________________
> Freeipa-users mailing list
> [email protected]
> https://www.redhat.com/mailman/listinfo/freeipa-users
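As an added example (not from the thread or from the FreeIPA project), one way to keep pam_rootok.so for local accounts while forcing root to authenticate to domain users is to gate it with pam_localuser.so in /etc/pam.d/su. This assumes a Fedora/RHEL-style su stack (system-auth, postlogin) and that IPA/SSSD users are not listed in /etc/passwd.

```text
# /etc/pam.d/su, auth section only (added example, not from the thread)
#
# pam_localuser.so succeeds only if the target user exists in /etc/passwd.
#   success=ignore -> local target: fall through to pam_rootok.so as before,
#                     so root still gets a passwordless su to local users
#   default=1      -> non-local (IPA/SSSD) target: skip the next one module,
#                     so pam_rootok.so is bypassed and root must pass the
#                     normal system-auth stack (i.e. supply the user's password)
auth    [success=ignore default=1]  pam_localuser.so
auth    sufficient                  pam_rootok.so
auth    substack                    system-auth
auth    include                     postlogin
```

This only closes the PAM path through su; as Alexander notes above, root still holds CAP_SETUID, so a direct setuid() call is unaffected without an SELinux policy confining it.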
