Hi!
In my network, when a client logs in as root (locally), he can type "su -l" and become any other user from LDAP.
How can I block this?
Thanks,
Marcelo Gomes
You MUST give more information about your system, configs, etc. if you want an answer.
I suppose that you have an OpenLDAP server acting as a user account store, and it's allowing the LDAP users to log in to the system. So if you do a getent passwd you will get all users from the server (local+ldap).
Logging in as root gives you all the privileges (uid 0), and if you don't uninstall su I think that you will not be able to do what you want. The root user must only be logged in by root.
I also think that this is not an LDAP question.
Hi Marcelo,
Even though LiPi has been very gentle and the kind of person you (don't) want on this list, let me explain what I think is happening.
LiP is right in that this isn't a specific LDAP issue.
On most any default Unix system, one can type "su - username" and become that user, which is what I've always done to debug env issues relating to users, user login behavior, etc.
I say most any as I've not played around with all of the Unix/Linux systems in the world.
However your question is more of a "how do I harden my Unix system?" which is for another list.
Do a search for "hardening systems from root users" or something like that.
I would also refrain from giving your system specifics which LiP requested as those can potentially pose a security threat as I'm sure there are evil-doers watching any list.
You may also want to explore SELinux.
- Brian
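Since both replies above say su by uid 0 cannot be blocked by su itself, the practical control is to log and review it. The following is an added example, not code from the thread: it filters constructed syslog lines (host, PIDs and user names are made up, and the "(to TARGET) SOURCE on TTY" message format is assumed to match what su writes on a typical Linux box; adapt the pattern to your own logs) and reports every su session that root opened into another account.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): report "su" sessions
# that root started toward a non-root account, so they can be reviewed.

# Constructed sample log lines approximating syslog output from su and sshd.
# Host name, PIDs, user names and address are made up.
SAMPLE_LOG='Mar 23 11:56:01 ldapclient su[2101]: (to alice) root on pts/0
Mar 23 12:03:17 ldapclient su[2140]: (to root) bob on pts/1
Mar 23 12:10:44 ldapclient su[2188]: (to carol) root on pts/0
Mar 23 12:11:02 ldapclient sshd[2200]: Accepted publickey for dave from 192.0.2.10 port 51234
Mar 23 12:15:30 ldapclient su[2230]: (to root) root on pts/2'

# Read log text on stdin; print "TIMESTAMP TARGET" for every su line where
# the source user is root and the target is some other account.
# The assumed message format is "su[PID]: (to TARGET) SOURCE on TTY".
root_su_targets() {
    sed -n 's/^\(... .. ..:..:..\) [^ ]* su\[[0-9]*\]: (to \([^)]*\)) root on .*$/\1 \2/p' |
        grep -v ' root$'          # root -> root is not a change of identity
}

# Number of such sessions, usable as a simple alert threshold.
count_root_su() {
    root_su_targets | wc -l | tr -d ' '
}

# Stand-alone run over the constructed sample: lists alice and carol.
printf '%s\n' "$SAMPLE_LOG" | root_su_targets
```

On a real host, feed it the auth log (for example /var/log/auth.log or /var/log/secure, depending on the distribution) instead of the sample string.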
Brian Krusic wrote:
Hi Marcelo,
Even though LiPi has been very gentle and the kind of person you (don't) want on this list, let me explain what I think is happening.
You have that wrong. This list is for technical discussion of LDAP, not Unix Admin 101.
LiP is right in that this isn't a specific LDAP issue.
End of story.
openldap-technical@openldap.org