Re: User root from client can be all another users

[Brian Krusic <brian@krusic.com>]

Hi Marcelo,

Even though LiPi has been very gentle and the kind of person you  
(don't) want on this list, let me explain what I think is happening.

LiP is right in that this isn't a specific LDAP issue.

On most any default Unix system, one can type su - username and become  
that user which is what I've always done to debug env issues relating  
to users, user login behavior,  etc...

I say most any as I've not played around with all of the Unix/Linux  
systems in the world.

However your question is more of a "how do I harden my Unix system?"  
which is for another list.

Do a search for "hardening systems from root users" or something like  
that.

I would also refrain from giving your system specifics which LiP  
requested as those can potentially pose a security threat as I'm sure  
there are evil-doers watching any list.

You may also want to explore SELinux.

- Brian




On Mar 23, 2009, at 11:56 AM, LiPi - wrote:

> You MUST give more information about your system, configs, etc. if you
> want an answer.
>
> I supose that you have an openldap server acting as a user account
> store, and it's allowing the users of ldap to log in the system. So if
> you do a getent passwd you will get all users from the server
> (local+ldap).
>
> Logging as root gives you all the privileges (uid 0), and if you don't
> uninstall su I think that you will not be able to do what you want.
> Root user must be only logged by the root.
>
> I also think that this is not an ldap question.
>
> 2009/3/23 Marcelo Gomes <marmitsbr@yahoo.com.br>:
> > Hi!
> >
> > In my network, when some client do login as root (local) he can  
> > type "su -l" and be all another user from ldap.
> >
> > How can i block this ?
> >
> >
> > thanks
> >
> > Marcelo Gomes