Re: nis : how to avoid user1 becoming user2 using local root ?

From: phaser-X (px_at_zeroday.net)
Date: 03/29/04

  • Next message: Small, Jim: "RE: nis : how to avoid user1 becoming user2 using local root ?"
Date: Sun, 28 Mar 2004 18:02:35 -0800 (PST)
To: Frédéric Médery <mederyf@LEXUM.UMontreal.CA>


I have the same problem at my office and I found a simple solution that is
very insecure and can easily be fixed, since the user is allowed root on
their workstations, but they also must have an understanding of PAM.
Basically, just edit /etc/pam.d/su and comment out (or remove) the line
that says "auth sufficient /lib/security/pam_rootok.so". This
way, if the user becomes root locally and then tries to 'su' to another
user, it will require root to enter that user's password in order to change
to that user. Again, if the user has an understanding of PAM, they can
easily fix it and be able to 'su' again.

Another solution is to change your NIS master/slave servers to run NIS+ on
a Solaris box and use the NIS+ clients for Linux. Apparently NIS+ has the
feature to block this. For us, it wasn't a valid solution, and sudo has
too many loopholes, so I just stuck with my PAM solution.

Also, make sure you're using a recent version of sh-utils on the boxes
that you modify pam.d/su on, otherwise you'll have problems using su.

-px

On Fri, 26 Mar 2004, Frédéric Médery wrote:

> Our situation:
> All Linux servers; all NFS shares use the root_squash option.
> We're using NIS.
> All developers can become root on their local machines.
>
> The problem: if user1 does a `su -` on their station and then
> `su user2`, they can become user2.
>
> For me it's a huge problem (Windows doesn't have this problem: local
> admins are very different from domain/server admins). Is there a way to
> avoid this problem?
>
> Thanks!
>

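The pam_rootok change px describes, as an added worked example that is not part of the original thread. The sample /etc/pam.d/su contents below are constructed to look like a 2004-era Linux stack (the module paths are illustrative), and the functions operate on whatever file path you pass, so the edit can be rehearsed on a copy before touching the real file. Two caveats a practitioner should keep in mind: removing pam_rootok only affects su itself, since a local root can still switch uid without su (a direct setuid() call, or simply restoring the PAM line), and with NFS over AUTH_SYS the server trusts whatever uid the client presents, so root_squash stops uid 0 but not a root that has become user2's uid; only Kerberized NFS (sec=krb5) closes that hole.

```shell
#!/bin/sh
# Added example, not from the original post: disable pam_rootok in a copy of
# /etc/pam.d/su so that root running 'su user2' is asked for user2's password.

# Constructed sample of an old-style /etc/pam.d/su (paths illustrative only).
SAMPLE_PAM_SU='#%PAM-1.0
auth       sufficient   /lib/security/pam_rootok.so
auth       required     /lib/security/pam_stack.so service=system-auth
account    required     /lib/security/pam_stack.so service=system-auth
password   required     /lib/security/pam_stack.so service=system-auth
session    required     /lib/security/pam_stack.so service=system-auth
session    optional     /lib/security/pam_xauth.so'

# Write the constructed sample to FILE so the functions below can work on it.
write_sample() {
    printf '%s\n' "$SAMPLE_PAM_SU" > "$1"
}

# Exit 0 if FILE still contains an active (uncommented) pam_rootok line,
# i.e. root can still su to anyone without a password.
has_active_rootok() {
    grep -Eq '^[[:space:]]*auth[[:space:]]+sufficient[[:space:]]+.*pam_rootok\.so' "$1"
}

# Comment out every active pam_rootok line in FILE, keeping FILE.bak.
# sed -i is not POSIX, so write to a temp file and move it into place.
disable_rootok() {
    file=$1
    cp -p "$file" "$file.bak" || return 1
    sed -E 's/^([[:space:]]*auth[[:space:]]+sufficient[[:space:]]+.*pam_rootok\.so.*)$/# \1/' \
        "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# Number of auth lines still active in FILE. If this drops to zero the
# su stack has no way to authenticate at all and su breaks for everyone,
# so check it before copying the edited file over the real one.
count_active_auth() {
    grep -Ec '^[[:space:]]*auth[[:space:]]' "$1"
}

# Usage (rehearsal on a temp copy):
#   f=$(mktemp); write_sample "$f"; disable_rootok "$f"
#   has_active_rootok "$f" && echo "still open" || echo "rootok disabled"
#   echo "active auth lines: $(count_active_auth "$f")"
```

To apply it for real, run disable_rootok against /etc/pam.d/su as root, confirm count_active_auth is still at least 1, then test from a second terminal that `su user2` prompts root for a password before logging out of the first.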
