[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: User root from client can be all another users

Hi Marcelo,

Even though LiPi has been very gentle and the kind of person you (don't) want on this list, let me explain what I think is happening.

LiP is right in that this isn't a specific LDAP issue.

On most any default Unix system, one can type su - username and become that user which is what I've always done to debug env issues relating to users, user login behavior, etc...

I say most any as I've not played around with all of the Unix/Linux systems in the world.

However your question is more of a "how do I harden my Unix system?" which is for another list.

Do a search for "hardening systems from root users" or something like that.

I would also refrain from giving your system specifics which LiP requested as those can potentially pose a security threat as I'm sure there are evil-doers watching any list.

You may also want to explore SELinux.

- Brian

On Mar 23, 2009, at 11:56 AM, LiPi - wrote:

You MUST give more information about your system, configs, etc. if you
want an answer.

I supose that you have an openldap server acting as a user account
store, and it's allowing the users of ldap to log in the system. So if
you do a getent passwd you will get all users from the server

Logging as root gives you all the privileges (uid 0), and if you don't
uninstall su I think that you will not be able to do what you want.
Root user must be only logged by the root.

I also think that this is not an ldap question.

2009/3/23 Marcelo Gomes <marmitsbr@yahoo.com.br>:


In my network, when some client do login as root (local) he can type "su -l" and be all another user from ldap.

How can i block this ?


Marcelo Gomes