[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Permissions on NFS mounts

On Thu, Dec 10, 2020 at 12:07:54PM +0200, Andrei POPESCU wrote:
> On Jo, 10 dec 20, 12:52:56, Reco wrote:
> > On Thu, Dec 10, 2020 at 11:46:02AM +0200, Andrei POPESCU wrote:
> > > 
> > > passwd -l/--lock <username>
> > 
> > sudo -u <locked_user> /bin/bash -i
> > 
> > That little trick defeats "locked" account status, an absence of a
> > password and even /usr/sbin/nologin set as a default shell.
> 
> With sudo access one can also unlock the account as well, so how is this 
> relevant?

Of course it's relevant. The whole point of sudo is to be a controlled
privilege escalation mechanism.
I.e. you can grant an ordinary user A to execute a certain binaries with
certain arguments as a different ordinary user B, *and* you do not have
to provide an ordinary user A an access to root.

Also, passwd(1):

  -l, --lock
	   Note that this does not disable the account. The user may still
be able to login using another authentication token (e.g. an SSH key).
To disable the account, administrators should use usermod --expiredate 1
(this set the account's expire date to Jan 2, 1970).  Users with a
locked password are not allowed to change their password.

Reco
Reply to: