[ale] Service account allows sudo but no login
Jim Kinney
jim.kinney at gmail.com
Mon Aug 5 12:06:46 EDT 2013
also note that bin user is not blocked from having a login as per setup in
/etc/shadow:
# grep "^bin" /etc/shadow
bin:*:15628:0:99999:7:::
# grep "^bin" /etc/passwd
bin:x:1:1:bin:/bin:/sbin/nologin
So root or root-like _can_ create a shell for bin and su to bin.
however:
# grep "^postfix" /etc/shadow
postfix:!!:15824::::::
# grep "^postfix" /etc/passwd
postfix:x:89:89::/var/spool/postfix:/sbin/nologin
This will block su but again will not block su -s <valid shell> from
root-like accounts.
So, yeah, now I'm really interested in beating up some pam rules that will
totally block all su access if both no shell AND login with password is
blocked in shadow. Not that it will make much difference as it will require
root to access through this process anyway and root can modify the shadow
file (unless locked by selinux).
On Mon, Aug 5, 2013 at 11:47 AM, Jim Kinney <jim.kinney at gmail.com> wrote:
> As root, su -s will provide a shell. As wheel group member with sudo, same
> results. As non-root user, no.
>
> Seems like there should be a way to close off those with Pam but I've not
> thought about it before now. SeLinux will block su transitions easily.
> On Aug 5, 2013 11:15 AM, "Derek Atkins" <warlord at mit.edu> wrote:
>
>> Jim Kinney <jim.kinney at gmail.com> writes:
>>
>> > These accounts can't be su'ed to :
>> > # grep nologin /etc/passwd
>> > bin:x:1:1:bin:/bin:/sbin/nologin
>> > daemon:x:2:2:daemon:/sbin:/sbin/nologin
>> > adm:x:3:4:adm:/var/adm:/sbin/nologin
>> > lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
>> >
>> > # su - bin
>> > This account is currently not available.
>> > # su - lp
>> > This account is currently not available.
>>
>> You could still su to these accounts by providing su a shell:
>>
>> su -s /bin/bash - bin
>>
>> -derek
>>
>> --
>> Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
>> Member, MIT Student Information Processing Board (SIPB)
>> URL: http://web.mit.edu/warlord/ PP-ASEL-IA N1NWH
>> warlord at MIT.EDU PGP key available
>> _______________________________________________
>> Ale mailing list
>> Ale at ale.org
>> http://mail.ale.org/mailman/listinfo/ale
>> See JOBS, ANNOUNCE and SCHOOLS lists at
>> http://mail.ale.org/mailman/listinfo
>>
>
--
--
James P. Kinney III
*
*Every time you stop a school, you will have to build a jail. What you gain
at one end you lose at the other. It's like feeding a dog on his own tail.
It won't fatten the dog.
- Speech 11/23/1900 Mark Twain
*
http://electjimkinney.org
http://heretothereideas.blogspot.com/
*
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.ale.org/pipermail/ale/attachments/20130805/28d5e49a/attachment-0001.html>
More information about the Ale
mailing list