[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Permissions on NFS mounts

On Jo, 10 dec 20, 13:34:55, Reco wrote:
> On Thu, Dec 10, 2020 at 12:07:54PM +0200, Andrei POPESCU wrote:
> > On Jo, 10 dec 20, 12:52:56, Reco wrote:
> > > On Thu, Dec 10, 2020 at 11:46:02AM +0200, Andrei POPESCU wrote:
> > > > 
> > > > passwd -l/--lock <username>
> > > 
> > > sudo -u <locked_user> /bin/bash -i
> > > 
> > > That little trick defeats "locked" account status, an absence of a
> > > password and even /usr/sbin/nologin set as a default shell.
> > 
> > With sudo access one can also unlock the account as well, so how is this 
> > relevant?
> Of course it's relevant. The whole point of sudo is to be a controlled
> privilege escalation mechanism.
> I.e. you can grant an ordinary user A to execute a certain binaries with
> certain arguments as a different ordinary user B, *and* you do not have
> to provide an ordinary user A an access to root.

At least on Debian sudo has to be explicitly configured to allow a 
regular user to use '-u' with another user name. We can only assume the 
admin had good reasons to that, possibly on purpose (see below).

It's probably unpractical to consider all ways in which the admin can 
compromise the security of the system.
> Also, passwd(1):
>   -l, --lock
> 	   Note that this does not disable the account. The user may still
> be able to login using another authentication token (e.g. an SSH key).
> To disable the account, administrators should use usermod --expiredate 1
> (this set the account's expire date to Jan 2, 1970).  Users with a
> locked password are not allowed to change their password.

As I said, there are limitations, that may or may not be desired, e.g. 
I'm using the SSH access option, because 'systemctl --user' doesn't work 
via 'sudo -u' (and it's a remote system anyway).

Kind regards,

Attachment: signature.asc
Description: PGP signature

Reply to: