Re: nis : how to avoid user1 becoming user2 using local root ?
From: phaser-X (px_at_zeroday.net)
Date: Sun, 28 Mar 2004 18:02:35 -0800 (PST)
To: Frédéric Médery <mederyf@LEXUM.UMontreal.CA>
I have the same problem at my office and I found a simple solution that is
very insecure and can easily be fixed since the user is allowed root on
their workstations, but they also must have an understanding of PAM.
Basically, just edit /etc/pam.d/su and comment out (or remove) the line
that says "auth sufficient /lib/security/pam_rootok.so". This
way if the user becomes root locally, and then tries to 'su' to another
user, it will require root to enter that user's password in order to change
to that user. Again, if the user has an understanding of PAM, they can
easily fix it and be able to 'su' again.
Another solution is to change your NIS master/slave servers to run NIS+ on
a Solaris box and use the NIS+ clients for Linux. Apparently NIS+ has the
feature to block this. For us, it wasn't a valid solution, and sudo has
too many loopholes, so I just stuck with my PAM solution.
Also, make sure you're using a recent version of sh-utils on the boxes
that you modify pam.d/su on, otherwise you'll have problems using su.
On Fri, 26 Mar 2004, Frédéric Médery wrote:
> Our situation:
> All Linux servers, all NFS shares use the root_squash option.
> We're using NIS.
> All developers can become root on their local machines.
> The prob: if user1 does a `su -` on their station, and then `su user2`,
> they can become user2.
> For me it's a huge problem (Windows doesn't have this prob, local admins
> are very different from domain/server admins). Is there a way to avoid
> this prob?
> Thanks!
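As an added example (not part of the original thread), the PAM change phaser-X describes, shown as the weak `/etc/pam.d/su` stack beside the fixed one, plus a small audit function that flags any workstation where the `pam_rootok` line is still active. The file contents below are constructed to match the pam_stack-style layout of that era; the paths and module lines are assumptions, not copied from any real system.

```shell
#!/bin/sh
# Added example, not from the original thread: demonstrate the
# /etc/pam.d/su hardening from the reply and audit a file for it.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed "weak" su stack. The 'auth sufficient ... pam_rootok.so'
# line is what lets a local root 'su' to any NIS account with no password.
cat > "$WORK/su.weak" <<'EOF'
#%PAM-1.0
auth       sufficient   /lib/security/pam_rootok.so
auth       required     /lib/security/pam_stack.so service=system-auth
account    required     /lib/security/pam_stack.so service=system-auth
password   required     /lib/security/pam_stack.so service=system-auth
session    required     /lib/security/pam_stack.so service=system-auth
EOF

# The fix from the reply: comment out the pam_rootok line. Root then has
# to supply the target user's password, as the thread describes.
sed '/pam_rootok/s/^/#/' "$WORK/su.weak" > "$WORK/su.fixed"

# rootok_active FILE: returns 0 (true) when an uncommented auth line
# loads pam_rootok.so, 1 otherwise. Leading whitespace is tolerated and
# commented lines are ignored, so the fixed file is reported as safe.
rootok_active() {
    grep -Eq '^[[:space:]]*auth[[:space:]]+[a-z]+[[:space:]]+[^[:space:]]*pam_rootok\.so' "$1"
}

# audit_pam_su FILE: print WEAK if pam_rootok is still active, OK otherwise.
audit_pam_su() {
    if rootok_active "$1"; then
        echo "WEAK"
    else
        echo "OK"
    fi
}

# Walk both constructed files; expected: su.weak -> WEAK, su.fixed -> OK.
for f in "$WORK/su.weak" "$WORK/su.fixed"; do
    printf '%s: %s\n' "$f" "$(audit_pam_su "$f")"
done
```

Run against a real box with `audit_pam_su /etc/pam.d/su` to check whether the change survived a user "fixing" it back, which the reply warns is easy for anyone who understands PAM.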