On Fri, May 12, 2017 at 09:35:40AM +0300, Alexander Bokovoy wrote:
> On pe, 12 touko 2017, Thomas Lau wrote:
> > Folks,
> > 
> > let's say I am user thomas, and user "temp1" already marked as "disabled"
> > on FreeIPA, but tho...@domain.com is on /home/temp1/.k5login list, how come
> > I could still "sudo su - temp1"? It seems skip the checking on FreeIPA even
> > account is disabled. Did I miss any setting or it's normal?
> This is normal.
> 
> sudo brings you to root. PAM module for su (/etc/pam.d/su) has this:
> 
>  auth         sufficient      pam_rootok.so
> 
> E.g. if su is executed as root, it is enough, no other authentication
> checks are done.

And no authorization checks either becasue there is 

account         sufficient      pam_succeed_if.so uid = 0 use_uid quiet

bye,
Sumit

> 
> -- 
> / Alexander Bokovoy
> 
> -- 
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Reply via email to