3

We have an LDAP server set up with our Active Directory. When users log in to a Linux machine with the LDAP client installed as root, they are able to `su -` into any Active Directory account without needing that user's password. This is a big security risk; does anyone know why this is or how to prevent it?

Preventing root access is not an option unfortunately as it is required by some users in some cases.

Steven

3 Answers

5

This is standard Unix design and you can't really prevent root from doing anything he wants.

A more secure design would have users use sudo and for the sudo configuration to allow users only to perform the specific tasks they need to perform. Unrestricted sudo should be limited to specific IT staff who need it for maintaining the servers, and the actual root password should be kept in a safe somewhere.

Michael Hampton
  • Ah okay. I also wanted to mention that we are using an EMC VNX 5100, but I'm not sure if that is relevant. I guess my question is, why does a local root account have access to AD user accounts through LDAP? – Steven May 08 '13 at 16:35
  • Because that's how it works. Root's privileges override the LDAP auth when it comes to this. Your compensating control would be to limit ROOT access. – ewwhite May 08 '13 at 16:44
  • Right, it's inherent to the operating system design. [Windows doesn't allow for this](http://serverfault.com/q/16886/126632), which is probably why you're confused. – Michael Hampton May 08 '13 at 16:47
  • Okay, this makes more sense now. I was told we would sometimes need to give root access. Are there any limitations to having users use sudo instead of using root directly? – Steven May 08 '13 at 16:57
  • Not really. You can either let people run any command, or specify exactly what commands a user may run with `sudo`. And [the benefits](http://serverfault.com/q/416412/126632) greatly outweigh any small inconvenience. – Michael Hampton May 08 '13 at 16:58
  • Alright, we will just have to work with sudo then. This was actually the original plan, but I thought there would be a way to simply block root somehow. Thanks for the quick responses guys, very helpful! – Steven May 08 '13 at 17:03
  • I also understand it's theoretically possible to stick your sudoers configuration into Active Directory, though don't ask me how. Check the docs. :) – Michael Hampton May 08 '13 at 17:06
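As an added illustration of the "specific tasks only" sudo design recommended in the answer above (this is example configuration, not from the original thread), the fragment below grants two hypothetical AD groups different levels of access. The group names `app-operators` and `linux-admins`, the service name and the log path are assumptions; AD groups appear in sudoers with a leading `%`, and names containing spaces must be escaped with backslashes (for example `%Domain\ Admins`).

```sudoers
# /etc/sudoers.d/ad-roles   (added example; group and command names are assumed)

# Command aliases keep the rule lines readable and reviewable.
Cmnd_Alias SERVICES = /bin/systemctl restart httpd, /bin/systemctl status httpd
Cmnd_Alias LOGS     = /usr/bin/tail -f /var/log/httpd/error_log, \
                      /usr/bin/less /var/log/httpd/error_log

# Operators may run only the named commands as root, still entering their own
# (AD) password. NOEXEC blocks shell escapes from pagers/editors such as less.
%app-operators  ALL = (root) NOEXEC: SERVICES, LOGS

# Unrestricted sudo only for the IT staff who actually maintain the servers.
%linux-admins   ALL = (ALL) ALL

# Record every sudo invocation and its terminal output for later review.
Defaults  logfile=/var/log/sudo.log
Defaults  log_output, iolog_dir=/var/log/sudo-io
```

Always edit the file through `visudo -f /etc/sudoers.d/ad-roles` (or check it afterwards with `visudo -c`) so that a syntax error cannot lock everyone out of sudo. Note that a rule which allows an editor, a pager or an interpreter without `NOEXEC` is effectively unrestricted root, since those programs can spawn a shell.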
1

This is how it's supposed to work.

You CAN prevent or restrict root access, though. I work with healthcare systems, and am subject to all sorts of regulatory and compliance tasks. Our auditors are happy with LDAP authentication, but prefer that we enable sudo access to handle regular users who may need root escalation privileges on occasion.

ewwhite
  • This seems like it might be the only way to go in our case then. Thanks for the input. I will continue to do a little more research and post an update if I find anything. – Steven May 08 '13 at 16:45
1

My colleague was able to find a solution to the issue of root accessing LDAP user accounts without a password. There is a parameter in /etc/pam.d/su called pam_rootok.so. This needs to be commented out with #. After this is commented out, root will be prompted for the user's password when attempting to su to it.

Steven
  • 2
    This isn't foolproof; it's pretty trivial to use a `su` binary or equivalent that doesn't bother with PAM and so uses the original semantics, or just write a trivial bit of C code that calls `setuid()` and then `fork()`s a shell. Not to mention that root can just edit `/etc/pam.d/su` and restore this line. – Michael Hampton May 15 '13 at 05:03
  • I thought about this after as well, so it seems using sudo is still the most secure in our scenario since there is nothing to really prevent root from just re-editing the parameter again... – Steven May 15 '13 at 17:08