8:49 a.m.
Hi!
In my network, when some client do login as root (local) he can type "su -l" and
be all another user from ldap.
How can i block this ?
thanks
Marcelo Gomes
11:56 a.m.
You MUST give more information about your system, configs, etc. if you
want an answer.
I supose that you have an openldap server acting as a user account
store, and it's allowing the users of ldap to log in the system. So if
you do a getent passwd you will get all users from the server
(local+ldap).
Logging as root gives you all the privileges (uid 0), and if you don't
uninstall su I think that you will not be able to do what you want.
Root user must be only logged by the root.
I also think that this is not an ldap question.
2009/3/23 Marcelo Gomes <marmitsbr(a)yahoo.com.br>:
Hi!
In my network, when some client do login as root (local) he can type "su -l"
and be all another user from ldap.
How can i block this ?
thanks
Marcelo Gomes
9:58 a.m.
Hi Marcelo,
Even though LiPi has been very gentle and the kind of person you
(don't) want on this list, let me explain what I think is happening.
LiP is right in that this isn't a specific LDAP issue.
On most any default Unix system, one can type su - username and become
that user which is what I've always done to debug env issues relating
to users, user login behavior, etc...
I say most any as I've not played around with all of the Unix/Linux
systems in the world.
However your question is more of a "how do I harden my Unix system?"
which is for another list.
Do a search for "hardening systems from root users" or something like
that.
I would also refrain from giving your system specifics which LiP
requested as those can potentially pose a security threat as I'm sure
there are evil-doers watching any list.
You may also want to explore SELinux.
- Brian
On Mar 23, 2009, at 11:56 AM, LiPi - wrote:
You MUST give more information about your system, configs, etc. if
you
want an answer.
I supose that you have an openldap server acting as a user account
store, and it's allowing the users of ldap to log in the system. So if
you do a getent passwd you will get all users from the server
(local+ldap).
Logging as root gives you all the privileges (uid 0), and if you don't
uninstall su I think that you will not be able to do what you want.
Root user must be only logged by the root.
I also think that this is not an ldap question.
2009/3/23 Marcelo Gomes <marmitsbr(a)yahoo.com.br>:
>
> Hi!
>
> In my network, when some client do login as root (local) he can
> type "su -l" and be all another user from ldap.
>
> How can i block this ?
>
>
> thanks
>
> Marcelo Gomes
>
>
>
>
>
>
3:57 p.m.
Brian Krusic wrote:
Hi Marcelo,
Even though LiPi has been very gentle and the kind of person you
(don't) want on this list, let me explain what I think is happening.
You have that wrong. This list is for technical discussion of LDAP, not Unix
Admin 101.
LiP is right in that this isn't a specific LDAP issue.
End of story.
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
4889
days inactive
4890
days old
openldap-technical@openldap.org
3 comments
4 participants
participants (4)
-
Brian Krusic -
Howard Chu -
LiPi - -
Marcelo Gomes