On Jo, 10 dec 20, 13:34:55, Reco wrote: > On Thu, Dec 10, 2020 at 12:07:54PM +0200, Andrei POPESCU wrote: > > On Jo, 10 dec 20, 12:52:56, Reco wrote: > > > On Thu, Dec 10, 2020 at 11:46:02AM +0200, Andrei POPESCU wrote: > > > > > > > > passwd -l/--lock <username> > > > > > > sudo -u <locked_user> /bin/bash -i > > > > > > That little trick defeats "locked" account status, an absence of a > > > password and even /usr/sbin/nologin set as a default shell. > > > > With sudo access one can also unlock the account as well, so how is this > > relevant? > > Of course it's relevant. The whole point of sudo is to be a controlled > privilege escalation mechanism. > I.e. you can grant an ordinary user A to execute a certain binaries with > certain arguments as a different ordinary user B, *and* you do not have > to provide an ordinary user A an access to root. At least on Debian sudo has to be explicitly configured to allow a regular user to use '-u' with another user name. We can only assume the admin had good reasons to that, possibly on purpose (see below). It's probably unpractical to consider all ways in which the admin can compromise the security of the system. > Also, passwd(1): > > -l, --lock > Note that this does not disable the account. The user may still > be able to login using another authentication token (e.g. an SSH key). > To disable the account, administrators should use usermod --expiredate 1 > (this set the account's expire date to Jan 2, 1970). Users with a > locked password are not allowed to change their password. As I said, there are limitations, that may or may not be desired, e.g. I'm using the SSH access option, because 'systemctl --user' doesn't work via 'sudo -u' (and it's a remote system anyway). Kind regards, Andrei -- http://wiki.debian.org/FAQsFromDebianUser
Attachment:
signature.asc
Description: PGP signature