On Thu, 2020-12-10 at 16:48 +0300, Reco wrote:
> On Thu, Dec 10, 2020 at 03:36:47PM +0200, Andrei POPESCU wrote:
> > On Jo, 10 dec 20, 13:34:55, Reco wrote:
> > > On Thu, Dec 10, 2020 at 12:07:54PM +0200, Andrei POPESCU wrote:
> > > > On Jo, 10 dec 20, 12:52:56, Reco wrote:
> > > > > On Thu, Dec 10, 2020 at 11:46:02AM +0200, Andrei POPESCU
> > > > > wrote:
> > > > > > passwd -l/--lock <username>
> > > > > 
> > > > > sudo -u <locked_user> /bin/bash -i
> > > > > 
> > > > > That little trick defeats "locked" account status, an absence
> > > > > of a
> > > > > password and even /usr/sbin/nologin set as a default shell.
> > > > 
> > > > With sudo access one can also unlock the account as well, so
> > > > how is this 
> > > > relevant?
> > > 
> > > Of course it's relevant. The whole point of sudo is to be a
> > > controlled
> > > privilege escalation mechanism.
> > > I.e. you can grant an ordinary user A to execute a certain
> > > binaries with
> > > certain arguments as a different ordinary user B, *and* you do
> > > not have
> > > to provide an ordinary user A an access to root.
> > 
> > At least on Debian sudo has to be explicitly configured to allow a 
> > regular user to use '-u' with another user name. We can only assume
> > the 
> > admin had good reasons to that, possibly on purpose (see below).
> 
> You're correct here, one has to explicitly allow such activity in
> sudoers in Debian and just about any OS I've encountered these years
> (assuming it has sudo, of course).
> 
> I just like to remind you the original question:
> 
> Is there a way to put an account "beyond use", in any way including
> su,
> sudo etc,

Which, IMO, is a rather bogus question in the context that preceded
that question, namely "having unneeded users on a given machine could
be a security threat, at least in the sense that it provides a greater
than necessary attackable surface area"

Why would you execute sudo or su on the target machine to change to one
of these unneeded users, presumably you can do whatever mischief is
your aim by using the account you are executing su or sudo from. Or by
changing to another valid user on that machine if you are a legitimate
user and were trying to cover your tracks.

-- 
Tixy


Reply via email to