Why can a local root turn into any LDAP user?
Posted
by
Daniel Gollás
on Server Fault
See other posts from Server Fault
or by Daniel Gollás
Published on 2014-03-01T03:31:46Z
Indexed on
2014/08/20
4:23 UTC
Read the original article
Hit count: 453
I know this has been asked here before, but I am not satisfied with the answers and don't know if it's ok to revive and hijack an older question.
We have workstations that authenticate users on an LDAP server. However, the local root user can su
into any LDAP user without needing a password. From my perspective this sounds like a huge security problem that I would hope could be avoided at the server level.
I can imagine the following scenario where a user can impersonate another and don't know how to prevent it:
- UserA has limited permissions, but can log into a company workstation using their LDAP password. They can
cat /etc/ldap.conf
and figure out the LDAP server's address and canifconfig
to check out their own IP address. (This is just an example of how to get the LDAP address, I don't think that is usually a secret and obscurity is not hard to overcome) - UserA takes out their own personal laptop, configures authentication and network interfaces to match the company workstation and plugs in the network cable from the workstation to their laptop, boots and logs in as local root (it's his laptop, so he has local root)
- As root, they
su
into any other user on LDAP that may or may not have more permissions (without needing a password!), but at the very least, they can impersonate that user without any problem.
The other answers on here say that this is normal UNIX behavior, but it sounds really insecure.
Can the impersonated user act as that user on an NFS mount for example? (the laptop even has the same IP address). I know they won't be able to act as root on a remote machine, but they can still be any other user they want!
There must be a way to prevent this on the LDAP server level right? Or maybe at the NFS server level? Is there some part of the process that I'm missing that actually prevents this?
Thanks!!
© Server Fault or respective owner