[ale] Service account allows sudo but no login

Jim Kinney jim.kinney at gmail.com
Mon Aug 5 11:47:50 EDT 2013


As root, su -s will provide a shell. As wheel group member with sudo, same
results. As non-root user, no.

Seems like there should be a way to close off those with PAM but I've not
thought about it before now. SELinux will block su transitions easily.

On Aug 5, 2013 11:15 AM, "Derek Atkins" <warlord at mit.edu> wrote:

> Jim Kinney <jim.kinney at gmail.com> writes:
>
> > These accounts can't be su'ed to :
> > # grep nologin /etc/passwd
> > bin:x:1:1:bin:/bin:/sbin/nologin
> > daemon:x:2:2:daemon:/sbin:/sbin/nologin
> > adm:x:3:4:adm:/var/adm:/sbin/nologin
> > lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
> >
> > # su - bin
> > This account is currently not available.
> > # su - lp
> > This account is currently not available.
>
> You could still su to these accounts by providing su a shell:
>
>   su -s /bin/bash - bin
>
> -derek
>
> --
>        Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
>        Member, MIT Student Information Processing Board  (SIPB)
>        URL: http://web.mit.edu/warlord/    PP-ASEL-IA     N1NWH
>        warlord at MIT.EDU                        PGP key available
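Added example, not code from this thread: a Python check that lists su sessions opened for accounts whose /etc/passwd shell is nologin, the case discussed above. The passwd and log lines are constructed samples, the function names are hypothetical, and the pam_unix session log format is an assumption; the log does not record which shell was run, so blocked attempts and -s overrides are both listed for review.

```python
import re

# Constructed sample data: the four nologin entries match the ones quoted in
# the thread; the root/jim entries and every log line are made up.
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
jim:x:1000:1000:Jim:/home/jim:/bin/bash
"""
AUTH_LOG = """\
Aug  5 11:20:01 host su: pam_unix(su-l:session): session opened for user bin by jim(uid=0)
Aug  5 11:20:09 host su: pam_unix(su-l:session): session closed for user bin
Aug  5 11:21:30 host su: pam_unix(su:session): session opened for user jim by root(uid=0)
Aug  5 11:22:44 host sshd[2211]: pam_unix(sshd:session): session opened for user jim by (uid=0)
Aug  5 11:25:02 host su: pam_unix(su-l:session): session opened for user lp by root(uid=0)
"""

NOLOGIN_SHELLS = {"/sbin/nologin", "/usr/sbin/nologin", "/bin/false"}

# Assumed pam_unix format for su ("su") and su - ("su-l") session opens.
SU_OPEN = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s\S+\ssu(?:\[\d+\])?:\s"
    r"pam_unix\(su(?:-l)?:session\):\ssession opened for user\s"
    r"(?P<target>\S+)\sby\s(?P<invoker>[^(]*)\(uid=(?P<uid>\d+)\)"
)

def nologin_accounts(passwd_text):
    """Return account names whose seventh passwd field is a no-login shell."""
    accounts = set()
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) == 7 and fields[6] in NOLOGIN_SHELLS:
            accounts.add(fields[0])
    return accounts

def su_into_nologin(passwd_text, log_text):
    """Return (timestamp, invoker, target) for su sessions into nologin accounts."""
    targets = nologin_accounts(passwd_text)
    hits = []
    for line in log_text.splitlines():
        m = SU_OPEN.match(line)
        if m and m.group("target") in targets:
            hits.append((m.group("ts"), m.group("invoker") or "?", m.group("target")))
    return hits

if __name__ == "__main__":
    for ts, invoker, target in su_into_nologin(PASSWD, AUTH_LOG):
        print(f"{ts}: su session for nologin account {target!r} opened by {invoker}")
```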

