Applies to: All versions of Centrify DirectControl on All Platforms
Question:
Is it possible to configure dzdo rights so that a user can run "su - *", except for "su - root"?
In other words,
su - user1
su - user2
...
su - alluser
- are allowed;
su - root
- is not allowed.
Answer:
(Note: This is only an example showing how to negate certain syntax (i.e. "su -" / "su - root" / "su - root *" / "su - ") for a defined privileged command "su - *". This KB does not aim to block all the ways for a user to switch to root.)
To achieve this, define the two Command Rights below, add these two Command Rights to a Role and then assign this Role to the target user:
su - * (Glob expressions)
!su -($| root($| .*)) (Regular expressions) - This blocks "su -" / "su - root" / "su - root *" / "su - "
After assigning the Command Rights to a target user, go to the UNIX machine and run the command below to update the local cache:
adflush -f
Run "dzinfo <target AD user>" and make sure the command rights can be seen in the output.
For example:
==========
[root@RedHat Desktop]# dzinfo fred.thomas
User: fred.thomas
Forced into restricted environment: No
Role Name       Avail Restricted Env
--------------- ----- --------------
login/FIN       Yes   None
FinDSA/FIN      Yes   None
login/Global    Yes   None
Effective rights:
Password login
Non password login
Allow normal shell
Audit level:
AuditIfPossible
Always permit login:
false
PAM Application Avail Source Roles
--------------- ----- --------------------
*               Yes   login/Global
*               Yes   FinDSA/FIN
*               Yes   login/FIN
Privileged commands:
Name            Avail Command              Source Roles
--------------- ----- -------------------- --------------------
su to all/FIN   Yes   su - *               FinDSA/FIN
Block su to     Yes   !su -($| root($|     FinDSA/FIN
root/FIN              .*))
ALL/FIN         Yes   *                    login/FIN
ls -al/FIN      Yes   ls -al               login/FIN
ls/FIN          Yes   ls                   login/FIN
Commands in restricted environment:
Name            Avail Command              Run As
--------------- ----- -------------------- ----------
su to all/FIN   Yes   su - *               self
Block su to     Yes   !su -($| root($|     self
root/FIN              .*))
ALL/FIN         Yes   *                    self
ls -al/FIN      Yes   ls -al               self
ls/FIN          Yes   ls                   self
==========
With both Command Rights assigned, fred.thomas can now only run "dzdo su - <anyone except root>":
==========
[root@RedHat Desktop]# su - fred.thomas
[fred.thomas@RedHat ~]$ dzdo su - test2
It can only run as user root, default to run as root
[test2@RedHat ~]$ exit
logout
[fred.thomas@RedHat ~]$ dzdo su - root
Sorry, user fred.thomas is not allowed to execute '/bin/su - root' as root on RedHat.
==========
Without the second Command Right, fred.thomas can run "dzdo su - <any user, including root>":
==========
[root@RedHat Desktop]# dzinfo fred.thomas
User: fred.thomas
Forced into restricted environment: No
Role Name       Avail Restricted Env
--------------- ----- --------------
login/FIN       Yes   None
FinDSA/FIN      Yes   None
login/Global    Yes   None
Effective rights:
Password login
Non password login
Allow normal shell
Audit level:
AuditIfPossible
Always permit login:
false
PAM Application Avail Source Roles
--------------- ----- --------------------
*               Yes   login/Global
*               Yes   FinDSA/FIN
*               Yes   login/FIN
Privileged commands:
Name            Avail Command              Source Roles
--------------- ----- -------------------- --------------------
su to all/FIN   Yes   su - *               FinDSA/FIN
ALL/FIN         Yes   *                    login/FIN
ls -al/FIN      Yes   ls -al               login/FIN
ls/FIN          Yes   ls                   login/FIN
Commands in restricted environment:
Name            Avail Command              Run As
--------------- ----- -------------------- ----------
su to all/FIN   Yes   su - *               self
ALL/FIN         Yes   *                    self
ls -al/FIN      Yes   ls -al               self
ls/FIN          Yes   ls                   self
[root@RedHat Desktop]# su - fred.thomas
[fred.thomas@RedHat ~]$ dzdo su - test2
It can only run as user root, default to run as root
[test2@RedHat ~]$ exit
logout
[fred.thomas@RedHat ~]$ dzdo su - root
It can only run as user root, default to run as root
[root@RedHat ~]# exit
logout
==========
SECURITY NOTES
Limitations of the ‘!’ operator
It is generally not effective to “subtract” commands from ALL using the ‘!’ operator. A user can trivially circumvent this by copying the desired command to a different name and then executing that. For example:
bill ALL = ALL, !SU, !SHELLS
This doesn't really prevent bill from running the commands listed in SU or SHELLS, since he can simply copy those commands to a different name, or use a shell escape from an editor or other program. Therefore, these kinds of restrictions should be considered advisory at best (and reinforced by policy).
In general, if a user has sudo ALL there is nothing to prevent them from creating their own program that gives them a root shell (or making their own copy of a shell), regardless of any ‘!’ elements in the user specification.
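The following script is an added example (not part of this KB and not Centrify's own evaluation engine) that models how the two Command Rights in the Answer interact: the glob "su - *" and the negated regex "!su -($| root($| .*))" are applied to constructed command lines, with the negation taking precedence as the dzinfo output above shows. The last sample command illustrates the caveat in the SECURITY NOTES: a renamed copy of su is never seen by a pattern that begins with "su". Assumptions: Centrify globs behave like Python's fnmatch, regex rights are anchored at the start of the command line, and a matching negated right overrides any allow right.

```python
import fnmatch
import re

# Command Rights from the article (the regex right's leading '!' marks it as a negation).
ALLOW_GLOBS = ("su - *", "*")                  # "su to all/FIN" and "ALL/FIN"
DENY_REGEXES = (r"su -($| root($| .*))",)     # "Block su to root/FIN" without the '!'

def glob_matches(pattern, command):
    """Assumption: Centrify glob rights behave like fnmatch ('*' = any run of characters)."""
    return fnmatch.fnmatchcase(command, pattern)

def regex_matches(pattern, command):
    """Assumption: regex rights are anchored at the start of the command line;
    the '$' alternatives inside the pattern anchor the end where the author wanted it."""
    return re.match(pattern, command) is not None

def dzdo_decision(command, allow_globs=ALLOW_GLOBS, deny_regexes=DENY_REGEXES):
    """Simplified model (an assumption, not Centrify's engine): a negated right
    that matches wins over every allow right; otherwise any allow right permits."""
    if any(regex_matches(p, command) for p in deny_regexes):
        return "denied"
    if any(glob_matches(p, command) for p in allow_globs):
        return "allowed"
    return "no matching right"

# Constructed sample command lines, including the edge cases the regex has to get right.
SAMPLE_COMMANDS = [
    "su - test2",        # ordinary target user: allowed by "su - *"
    "su - root",         # exact root: denied by the " root$" branch
    "su - root -c id",   # root plus extra arguments: denied by the " root .*" branch
    "su -",              # bare "su -" defaults to root: denied by the first "$"
    "su - rootabc",      # a user whose name merely starts with "root": still allowed
    "/tmp/mysu - root",  # renamed copy of su (SECURITY NOTES): negation never matches, ALL allows it
]

def evaluate_all(commands=SAMPLE_COMMANDS):
    """Return the verdict for every sample command line."""
    return {cmd: dzdo_decision(cmd) for cmd in commands}

if __name__ == "__main__":
    for cmd, verdict in evaluate_all().items():
        print(f"{cmd:20} -> {verdict}")
```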