Re: [Freeipa-users] k5login loophole even account is disabled on FreeIPA
On Fri, May 12, 2017 at 08:41:07AM +0200, Sumit Bose wrote:
> On Fri, May 12, 2017 at 09:35:40AM +0300, Alexander Bokovoy wrote:
> > On Fri, 12 May 2017, Thomas Lau wrote:
> > > Folks,
> > >
> > > let's say I am user thomas, and user "temp1" is already marked as "disabled"
> > > on FreeIPA, but tho...@domain.com is on the /home/temp1/.k5login list. How
> > > come I could still "sudo su - temp1"? It seems to skip the checking on
> > > FreeIPA even though the account is disabled. Did I miss any setting, or is
> > > it normal?
> > This is normal.
> >
> > sudo brings you to root. The PAM module for su (/etc/pam.d/su) has this:
> >
> > auth sufficient pam_rootok.so
> >
> > E.g. if su is executed as root, it is enough, no other authentication
> > checks are done.
>
> And no authorization checks either, because there is
>
> account sufficient pam_succeed_if.so uid = 0 use_uid quiet

and btw, this is completely unrelated to .k5login: even if you remove
tho...@domain.com from the file it would still work.

bye,
Sumit

> > --
> > / Alexander Bokovoy

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] k5login loophole even account is disabled on FreeIPA
On Fri, May 12, 2017 at 09:35:40AM +0300, Alexander Bokovoy wrote:
> On Fri, 12 May 2017, Thomas Lau wrote:
> > Folks,
> >
> > let's say I am user thomas, and user "temp1" is already marked as "disabled"
> > on FreeIPA, but tho...@domain.com is on the /home/temp1/.k5login list. How
> > come I could still "sudo su - temp1"? It seems to skip the checking on
> > FreeIPA even though the account is disabled. Did I miss any setting, or is
> > it normal?
> This is normal.
>
> sudo brings you to root. The PAM module for su (/etc/pam.d/su) has this:
>
> auth sufficient pam_rootok.so
>
> E.g. if su is executed as root, it is enough, no other authentication
> checks are done.

And no authorization checks either, because there is

account sufficient pam_succeed_if.so uid = 0 use_uid quiet

bye,
Sumit

> --
> / Alexander Bokovoy
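The two /etc/pam.d/su lines that Alexander and Sumit point to (the auth shortcut and the account shortcut for uid 0) are easy to check for mechanically. The POSIX shell script below is an added example, not code from the thread or from the FreeIPA project; both sample PAM files, including their system-auth include lines, are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the thread: audit a PAM service file for the two root
# shortcuts discussed above. Both sample files below are constructed for the demo;
# on a real host you would point audit_pam_file at /etc/pam.d/su.
# 0 if a live 'auth sufficient pam_rootok.so' line exists: a caller that is
# already uid 0 skips the whole auth phase. Comment lines are ignored.
root_skips_auth() {
    grep -Ev '^[[:space:]]*#' "$1" |
        awk '$1 == "auth" && $2 == "sufficient" && $3 ~ /pam_rootok\.so/ { hit = 1 }
             END { exit !hit }'
}

# 0 if 'account sufficient pam_succeed_if.so uid = 0 ...' exists: uid 0 also skips
# the account phase, so the target account's disabled state in FreeIPA is never
# consulted. Only the plain 'sufficient' keyword is matched, not [success=...] syntax.
root_skips_account() {
    grep -Ev '^[[:space:]]*#' "$1" |
        awk '$1 == "account" && $2 == "sufficient" && $3 ~ /pam_succeed_if\.so/ &&
             /uid = 0/ { hit = 1 } END { exit !hit }'
}

# Print one finding per phase; return 0 only when neither shortcut is present.
audit_pam_file() {
    rc=0
    root_skips_auth "$1"    && { echo "$1: root bypasses auth (pam_rootok.so)"; rc=1; }
    root_skips_account "$1" && { echo "$1: root bypasses account checks (pam_succeed_if.so uid = 0)"; rc=1; }
    return $rc
}

# Constructed sample mirroring the two su stack lines quoted in the thread.
SU_WITH_BYPASS=$(mktemp)
cat > "$SU_WITH_BYPASS" <<'EOF'
#%PAM-1.0
auth		sufficient	pam_rootok.so
auth		include		system-auth
account		sufficient	pam_succeed_if.so uid = 0 use_uid quiet
account		include		system-auth
EOF
# Constructed control file with neither shortcut; the commented line must not count.
SU_NO_BYPASS=$(mktemp)
cat > "$SU_NO_BYPASS" <<'EOF'
#%PAM-1.0
# auth sufficient pam_rootok.so
auth		include		system-auth
account		include		system-auth
EOF

audit_pam_file "$SU_WITH_BYPASS" || echo "(exit status 1: shortcuts present)"
audit_pam_file "$SU_NO_BYPASS" && echo "$SU_NO_BYPASS: no root shortcut found"
```

The first file reports both findings and exits 1; the second passes, which is the same distinction the thread draws between a root caller (both phases skipped) and an ordinary one.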
Re: [Freeipa-users] k5login loophole even account is disabled on FreeIPA
On Fri, 12 May 2017, Thomas Lau wrote:
> Folks,
>
> let's say I am user thomas, and user "temp1" is already marked as "disabled"
> on FreeIPA, but tho...@domain.com is on the /home/temp1/.k5login list. How
> come I could still "sudo su - temp1"? It seems to skip the checking on
> FreeIPA even though the account is disabled. Did I miss any setting, or is
> it normal?
This is normal.

sudo brings you to root. The PAM module for su (/etc/pam.d/su) has this:

auth sufficient pam_rootok.so

E.g. if su is executed as root, it is enough, no other authentication
checks are done.

--
/ Alexander Bokovoy
[Freeipa-users] k5login loophole even account is disabled on FreeIPA
Folks,

let's say I am user thomas, and user "temp1" is already marked as "disabled"
on FreeIPA, but tho...@domain.com is on the /home/temp1/.k5login list. How
come I could still "sudo su - temp1"? It seems to skip the checking on
FreeIPA even though the account is disabled. Did I miss any setting, or is
it normal?