Re: Permissions on NFS mounts

To: debian-user@lists.debian.org
Subject: Re: Permissions on NFS mounts
From: Tixy <tixy@yxit.co.uk>
Date: Thu, 10 Dec 2020 15:35:50 +0000
Message-id: <[🔎] 6558e1e331b409e6a2e98742a257b1efaf0af784.camel@yxit.co.uk>
In-reply-to: <[🔎] E1knMJA-00085G-Ck@enotuniq.net>
References: <[🔎] 20201209203821.GE19128@dudley.mars.lan> <[🔎] 20201209205410.GA23215@randomstring.org> <[🔎] 20201210091042.n4tmwto3mk6jtkyx@kazuki> <[🔎] 20201210094602.dfcl4ndjwbs2rioj@acr13.nuvreauspam> <[🔎] E1knId6-0007oL-Dw@enotuniq.net> <[🔎] 20201210100754.wwxo24eikf6n2xvo@acr13.nuvreauspam> <[🔎] E1knJHk-0007pv-40@enotuniq.net> <[🔎] 20201210133647.lq4zas2q6gau7bog@acr13.nuvreauspam> <[🔎] E1knMJA-00085G-Ck@enotuniq.net>

On Thu, 2020-12-10 at 16:48 +0300, Reco wrote:
> On Thu, Dec 10, 2020 at 03:36:47PM +0200, Andrei POPESCU wrote:
> > On Jo, 10 dec 20, 13:34:55, Reco wrote:
> > > On Thu, Dec 10, 2020 at 12:07:54PM +0200, Andrei POPESCU wrote:
> > > > On Jo, 10 dec 20, 12:52:56, Reco wrote:
> > > > > On Thu, Dec 10, 2020 at 11:46:02AM +0200, Andrei POPESCU
> > > > > wrote:
> > > > > > passwd -l/--lock <username>
> > > > > 
> > > > > sudo -u <locked_user> /bin/bash -i
> > > > > 
> > > > > That little trick defeats "locked" account status, an absence
> > > > > of a
> > > > > password and even /usr/sbin/nologin set as a default shell.
> > > > 
> > > > With sudo access one can also unlock the account as well, so
> > > > how is this 
> > > > relevant?
> > > 
> > > Of course it's relevant. The whole point of sudo is to be a
> > > controlled
> > > privilege escalation mechanism.
> > > I.e. you can grant an ordinary user A to execute a certain
> > > binaries with
> > > certain arguments as a different ordinary user B, *and* you do
> > > not have
> > > to provide an ordinary user A an access to root.
> > 
> > At least on Debian sudo has to be explicitly configured to allow a 
> > regular user to use '-u' with another user name. We can only assume
> > the 
> > admin had good reasons to that, possibly on purpose (see below).
> 
> You're correct here, one has to explicitly allow such activity in
> sudoers in Debian and just about any OS I've encountered these years
> (assuming it has sudo, of course).
> 
> I just like to remind you the original question:
> 
> Is there a way to put an account "beyond use", in any way including
> su,
> sudo etc,

Which, IMO, is a rather bogus question in the context that preceded
that question, namely "having unneeded users on a given machine could
be a security threat, at least in the sense that it provides a greater
than necessary attackable surface area"

Why would you execute sudo or su on the target machine to change to one
of these unneeded users, presumably you can do whatever mischief is
your aim by using the account you are executing su or sudo from. Or by
changing to another valid user on that machine if you are a legitimate
user and were trying to cover your tracks.

-- 
Tixy

Reply to:

Follow-Ups:
- Re: Permissions on NFS mounts
  - From: Greg Wooledge <wooledg@eeg.ccf.org>

References:
- Permissions on NFS mounts
  - From: Paul M Foster <paulf@quillandmouse.com>
- Re: Permissions on NFS mounts
  - From: Dan Ritter <dsr@randomstring.org>
- Re: Permissions on NFS mounts
  - From: Mark Fletcher <mark27q1@gmail.com>
- Re: Permissions on NFS mounts
  - From: Andrei POPESCU <andreimpopescu@gmail.com>
- Re: Permissions on NFS mounts
  - From: Reco <recoverym4n@enotuniq.net>
- Re: Permissions on NFS mounts
  - From: Andrei POPESCU <andreimpopescu@gmail.com>
- Re: Permissions on NFS mounts
  - From: Reco <recoverym4n@enotuniq.net>
- Re: Permissions on NFS mounts
  - From: Andrei POPESCU <andreimpopescu@gmail.com>
- Re: Permissions on NFS mounts
  - From: Reco <recoverym4n@enotuniq.net>

Prev by Date: Re: Select which system to boot while rebooting
Next by Date: Re: Permissions on NFS mounts
Previous by thread: Re: Permissions on NFS mounts
Next by thread: Re: Permissions on NFS mounts
Index(es):
- Date
- Thread