Would it not be possible for root to disable SELinux enforcement? A user could maybe even use a live CD if root couldn't be gained directly.
I'm looking at joining workstations to an IdM realm, but some users will need sudo permissions on their machines. Is there any documentation on best practices here? Has there been any further discussion on the best way to approach this problem?

Thanks,

Steve Dainard
IT Infrastructure Manager
Miovision <http://miovision.com/>

On Fri, Nov 29, 2013 at 9:41 AM, Martin Kosek <mko...@redhat.com> wrote:
> On 11/29/2013 03:17 PM, Jakub Hrozek wrote:
> > On Fri, Nov 29, 2013 at 03:08:44PM +0100, Fred van Zwieten wrote:
> >> Jakub,
> >>
> >> Yes, I could do this. But then the local root account cannot su to local users (without password). But that is actually a normal use-case. I just think local root should not be allowed to transition to a domain user, by default.
> >>
> >> Fred
> >
> > Ah, in that case I'm not sure if there's an easy solution, at least I don't know any off hand. I think Alexander is right that SELinux would be a good choice.
>
> Right. Root could uncomment the pam_rootok.so line anyway if he wanted to access other users' accounts again.
>
> Martin
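As an added example, not code from this thread or from the FreeIPA project: a small POSIX shell audit that reports whether a PAM stack file still has the pam_rootok.so line Martin mentions active, which is what lets local root su to any account (domain users included) without a password. The paths /etc/pam.d/su and /etc/pam.d/su-l are assumptions; the functions take paths as parameters so the check also runs against a constructed sample file.

```shell
#!/bin/sh
# Added audit helper, not code from the thread or from FreeIPA/SSSD.
# Assumed targets on a workstation: /etc/pam.d/su and /etc/pam.d/su-l.

# Return 0 if an uncommented "auth ... pam_rootok.so" line is present,
# 1 if every such line is absent or commented out, 2 if the file is unreadable.
pam_rootok_active() {
    file="$1"
    [ -r "$file" ] || { echo "cannot read $file" >&2; return 2; }
    # Only lines that start with the auth facility count (an optional '-'
    # marks a non-fatal module); a leading '#' fails the anchor, so
    # commented-out entries are ignored.
    if grep -Eq '^[[:space:]]*-?auth[[:space:]]+.*pam_rootok\.so' "$file"; then
        return 0
    fi
    return 1
}

# Print one status line per file; return 1 if any file still grants the
# root bypass, 0 if none does.
audit_pam_rootok() {
    status=0
    for f in "$@"; do
        rc=0
        pam_rootok_active "$f" || rc=$?
        case $rc in
            0) echo "$f: pam_rootok.so ACTIVE - local root can su to any user without a password"
               status=1 ;;
            1) echo "$f: pam_rootok.so not active" ;;
            *) echo "$f: skipped (unreadable)" ;;
        esac
    done
    return $status
}
```

Run `audit_pam_rootok /etc/pam.d/su /etc/pam.d/su-l` to see whether local root can still reach domain accounts through su. Since root can put the line back, as Martin notes, treat this as a drift check alongside the SELinux approach discussed in the thread rather than as a control on its own.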
_______________________________________________ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users