Re: ssh -l root getting context staff_t is pointless
- From: Stephen Smalley <sds epoch ncsc mil>
- To: "Fedora SELinux support list for users & developers." <fedora-selinux-list redhat com>
- Subject: Re: ssh -l root getting context staff_t is pointless
- Date: Mon, 05 Apr 2004 07:47:25 -0400
On Sun, 2004-04-04 at 03:05, Alexandre Oliva wrote:
> I read previous discussions about it here. The argument IIRC is that
> making the default context staff_t adds a little bit of security.
>
> IMHO, it adds no security whatsoever, since
> `ssh -l root hostname -t su -' gets you to sysadm_r without asking for
> a password.
Do you have unlimitedUsers enabled in policy/tunable.te? That might
explain it. Otherwise, the su should require re-authentication, as
staff_t isn't normally authorized to skip authentication for pam_rootok.
--
Stephen Smalley <sds epoch ncsc mil>
National Security Agency