<div dir="ltr"><div><div><div><div>Also note that the bin user is not blocked from having a login as per the setup in /etc/shadow:<br><br># grep "^bin" /etc/shadow<br>bin:*:15628:0:99999:7:::<br># grep "^bin" /etc/passwd<br>
bin:x:1:1:bin:/bin:/sbin/nologin<br><br></div>So root or a root-like account _can_ create a shell for bin and su to bin.<br><br></div>However:<br><br># grep "^postfix" /etc/shadow<br>postfix:!!:15824::::::<br># grep "^postfix" /etc/passwd<br>
postfix:x:89:89::/var/spool/postfix:/sbin/nologin<br><br></div>This will block su, but again it will not block su -s &lt;valid shell&gt; from root-like accounts.<br><br></div>So, yeah, now I'm really interested in beating up some PAM rules that will totally block all su access if both no shell AND login with password are blocked in shadow. Not that it will make much difference, as it will require root to access through this process anyway, and root can modify the shadow file (unless locked by SELinux).<br>
<div><div><br><br><br><div><div><br></div></div></div></div></div><div class="gmail_extra"><br><br><div class="gmail_quote">On Mon, Aug 5, 2013 at 11:47 AM, Jim Kinney <span dir="ltr"><<a href="mailto:jim.kinney@gmail.com" target="_blank">jim.kinney@gmail.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><p dir="ltr">As root, su -s will provide a shell. As wheel group member with sudo, same results. As non-root user, no.</p>
<p dir="ltr">Seems like there should be a way to close off those with PAM, but I've not thought about it before now. SELinux will block su transitions easily.</p><div class="HOEnZb"><div class="h5">
<div class="gmail_quote">On Aug 5, 2013 11:15 AM, "Derek Atkins" <<a href="mailto:warlord@mit.edu" target="_blank">warlord@mit.edu</a>> wrote:<br type="attribution"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
Jim Kinney <<a href="mailto:jim.kinney@gmail.com" target="_blank">jim.kinney@gmail.com</a>> writes:<br>
<br>
> These accounts can't be su'ed to:<br>
> # grep nologin /etc/passwd<br>
> bin:x:1:1:bin:/bin:/sbin/nologin<br>
> daemon:x:2:2:daemon:/sbin:/sbin/nologin<br>
> adm:x:3:4:adm:/var/adm:/sbin/nologin<br>
> lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin<br>
><br>
> # su - bin<br>
> This account is currently not available.<br>
> # su - lp<br>
> This account is currently not available.<br>
<br>
You could still su to these accounts by providing su a shell:<br>
<br>
su -s /bin/bash - bin<br>
<br>
-derek<br>
<br>
--<br>
Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory<br>
Member, MIT Student Information Processing Board (SIPB)<br>
URL: <a href="http://web.mit.edu/warlord/" target="_blank">http://web.mit.edu/warlord/</a> PP-ASEL-IA N1NWH<br>
<a href="mailto:warlord@MIT.EDU" target="_blank">warlord@MIT.EDU</a> PGP key available<br>
_______________________________________________<br>
Ale mailing list<br>
<a href="mailto:Ale@ale.org" target="_blank">Ale@ale.org</a><br>
<a href="http://mail.ale.org/mailman/listinfo/ale" target="_blank">http://mail.ale.org/mailman/listinfo/ale</a><br>
See JOBS, ANNOUNCE and SCHOOLS lists at<br>
<a href="http://mail.ale.org/mailman/listinfo" target="_blank">http://mail.ale.org/mailman/listinfo</a><br>
</blockquote></div>
</div></div></blockquote></div><br><br clear="all"><br>-- <br>James P. Kinney III<br><br>Every time you stop a school, you will have to build a jail. What you
gain at one end you lose at the other. It's like feeding a dog on his
own tail. It won't fatten the dog.<br>
- Speech 11/23/1900 Mark Twain<br><br><a href="http://electjimkinney.org" target="_blank">http://electjimkinney.org</a><br><a href="http://heretothereideas.blogspot.com/" target="_blank">http://heretothereideas.blogspot.com/</a><br>
</div>
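As an added example that is not part of this thread, here is a POSIX sh version of the passwd/shadow cross-check Jim does by hand above, run over constructed sample entries (SAMPLE_PASSWD and SAMPLE_SHADOW are made up; treating /bin/false like /sbin/nologin is an assumption). It lists every nologin account together with how its shadow password field is set, which is the inventory you want before deciding which accounts need a PAM or SELinux rule on top of the shell setting.

```shell
#!/bin/sh
# Constructed sample data (not real system files), mirroring the entries quoted in the thread.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
postfix:x:89:89::/var/spool/postfix:/sbin/nologin
svc:x:1001:1001::/home/svc:/bin/bash'
SAMPLE_SHADOW='root:$6$constructedhash:15628:0:99999:7:::
bin:*:15628:0:99999:7:::
postfix:!!:15824::::::
svc::15824::::::'

# classify_pw FIELD: describe the second (password) field of a shadow entry.
classify_pw() {
  case "$1" in
    '')   echo empty ;;    # no password set at all
    '!'*) echo locked ;;   # "!" or "!!" prefix: locked the way passwd -l leaves it (postfix above)
    '*')  echo invalid ;;  # "*" placeholder that can never match a typed password (bin above)
    *)    echo hash ;;     # a real password hash is present
  esac
}

# audit_accounts PASSWD_TEXT SHADOW_TEXT
# For every account whose login shell is a nologin-style shell, print "user shell pwstate".
# None of these states stops root from running su -s /bin/bash - user, which is the
# gap discussed in the thread; this only shows which accounts are in that position.
audit_accounts() {
  passwd_text=$1
  shadow_text=$2
  printf '%s\n' "$passwd_text" | while IFS=: read -r user pw uid gid gecos home shell; do
    case "$shell" in
      */nologin|*/false) ;;   # /sbin/nologin from the thread; /bin/false added as a common equivalent
      *) continue ;;
    esac
    # An account with no shadow entry at all is reported separately rather than as "empty".
    if ! printf '%s\n' "$shadow_text" | grep -q "^$user:"; then
      printf '%s %s no-shadow-entry\n' "$user" "$shell"
      continue
    fi
    pwfield=$(printf '%s\n' "$shadow_text" | awk -F: -v u="$user" '$1 == u { print $2 }')
    printf '%s %s %s\n' "$user" "$shell" "$(classify_pw "$pwfield")"
  done
}

# Stand-alone run over the constructed sample.
audit_accounts "$SAMPLE_PASSWD" "$SAMPLE_SHADOW"
```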