2

On Linux we authenticate users against AD. The AD users are not listed on /etc/passwd.

We are about to deploy a NFS solution to mount some extra space for each group of users.

If a user(A) with sudo su privileges goes to root, then he can impersonate user(B) just by su user(B) and going to the NFS.

Is there any way to disallow root to su user if the user is not listed on /etc/passwd ?

jscott
  • 24,204
  • 8
  • 77
  • 99
Marc Riera
  • 1,587
  • 4
  • 21
  • 38

3 Answers3

3

If you're going to give User A root privileges then no, you can't restrict them from doing anything (no matter what blocks you put in place, root can always get around them; with a very few exceptions). You should add User A to sudoers and tightly configure what programs they can or can not run.

Chris S
  • 77,337
  • 11
  • 120
  • 212
2

Doesn't answer your direct question, but I think your issue is with NFS, not sudo/su - you're going to have this problem anytime you use NFSv3 as it relies on UIDs to enforce access permissions.

Even if you did somehow prevent users from switching to root and back to another UID, a malicious user could simply connect their own device or boot a different OS inplace of your specially configured system and overcome the protection.

Have you considered using NFSv4? It uses Kerberos to authenticate mount requests and enforce access permissions so wouldn't be vulnerable to this happening.

James Yale
  • 5,042
  • 1
  • 16
  • 20
  • nfs does not depend on me, it will come from an hitachy NAS which give us crossed credentials for samba and nfs to the same filesystem. – Marc Riera Dec 23 '10 at 16:07
0

I think you should re-think your problem. I don't know of any way to achieve what you want but... if you have a user with sudo ALL privileges that you don't completely trust, then you should restrict that privileges.

chmeee
  • 7,270
  • 3
  • 29
  • 43