I know that root can modify any config file.

As a best practice, I would like to disable the capacity for root to su on accounts which authenticate against NIS or Active Directory.

As a best practice, I would like to allow root to su only on local accounts. My definition of a local account is any line with an id in /etc/passwd (because of the +user:::::: for NIS access).

I guess it would involve modifying the pam config, but I'm not clear on the how.

  • Are you asking about restricting root from doing certain things? Usually, root is not restricted from doing anything. Commented Mar 6, 2023 at 6:27
  • @Kusalananda yes. On some hosts, at least, we don't want root to be able to impersonate "network users", i.e. users coming from ldap/sssd Commented Mar 7, 2023 at 7:53
  • As root can't be restricted in the way you describe (being the super-user means operating without restrictions), I propose that your issue is mostly a social problem. The people with root access would need to work with an agreed set of operational rules, one of which is not to impersonate a network user. Commented Mar 7, 2023 at 9:32
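An added example (not from the question or the comments above) of the direction the question points at: a small POSIX shell helper that applies the asker's own definition of a local account (a line in /etc/passwd whose first field is the user name, so the `+user::::::` NIS compat entries never count) to a constructed passwd sample, and, in a trailing comment, the `/etc/pam.d/su` stanza where I would assume the same test belongs via `pam_localuser.so`. The `is_local_account` and `audit_su_targets` names, the sample file, and the PAM module and line ordering are my assumptions; check the stanza against your distribution's stock `/etc/pam.d/su` before relying on it.

```shell
#!/bin/sh
# Added example, not from the original question or its comments.
# "Local account" as the asker defines it: a line in /etc/passwd whose first
# field is exactly the user name. NIS compat entries ("+user::::::", "+::::::")
# start with "+" and therefore never match.

is_local_account() {
    # $1 = account name, $2 = passwd file (defaults to /etc/passwd)
    awk -F: -v u="$1" '$1 == u { found = 1 } END { exit !found }' "${2:-/etc/passwd}"
}

# Report which target accounts root would be allowed to su to under the policy
# "root may su only to local accounts". Prints one line per candidate account.
audit_su_targets() {
    # $1 = passwd file, remaining args = candidate account names
    _pw=$1; shift
    for _acct in "$@"; do
        if is_local_account "$_acct" "$_pw"; then
            echo "$_acct: local, su by root allowed"
        else
            echo "$_acct: not local (NIS/AD or unknown), su by root denied"
        fi
    done
}

# Constructed sample passwd file (hypothetical contents) so the example runs
# without touching the real /etc/passwd.
SAMPLE_PASSWD=$(mktemp)
cat > "$SAMPLE_PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
alice:x:1000:1000:Alice Local:/home/alice:/bin/bash
+bob::::::
+::::::
EOF

audit_su_targets "$SAMPLE_PASSWD" root alice bob carol

# Where the same test would go in PAM (assumption; verify against your distro's
# /etc/pam.d/su). pam_localuser.so succeeds only if the target user has a line
# in /etc/passwd, and as "requisite" it fails the stack before pam_rootok.so
# gets the chance to let root through:
#
#   auth  requisite   pam_localuser.so
#   auth  sufficient  pam_rootok.so
#   ... rest of the stock file unchanged ...
#
# As written this also applies to non-root callers of su, and root can of
# course still edit the file, as the question itself notes.
```

Run it as-is to see the audit output for the sample file; point `audit_su_targets` at `/etc/passwd` (the default for `is_local_account`) to check real candidate names on a host.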
