Security-wise this is a horrible idea. If you have uid 0 you are effectively root. There should only be one root for any Linux system. This is what sudo is made for. If you really think you need to run as root, sudo bash or something. Not that I’m recommending that, but it’s at least better than having a bunch of accounts with root access on your servers.


From: sssd-users-bounces@lists.fedorahosted.org [mailto:sssd-users-bounces@lists.fedorahosted.org] On Behalf Of mathias dufresne
Sent: Monday, November 02, 2015 7:16 AM
To: End-user discussions about the System Security Services Daemon <sssd-users@lists.fedorahosted.org>
Subject: [SSSD-users] SSSD and accounts with UID = 0

Hi all,

I'm trying to define in my AD administrative accounts for Linux boxes. To do that I initially thought to create nominative accounts with some suffix (ex: <username>_adm) and give them UID=0 to make them root accounts.

As SSSD comes with a filtering option to prevent some users or groups from connecting to some given system using SSSD, I would have added these users to some groups and finally granted access to one admins group on a first bunch of systems, the second admins group on a second bunch of systems, etc...

Reading the docs and man pages about SSSD, sometimes it seems to say that it is possible to have users retrieved by SSSD when they have UID = 0, sometimes it says it is not possible.

For example: man sssd.conf on CentOS 7 (sssd 1.12.2 - 1.12.2-58.el7_1.17.x86_64) gives:

pam_trusted_users (string)
           Specifies the comma-separated list of UID values or user names that are allowed to access
           the PAM responder. User names are resolved to UIDs at startup.

           Default: all (All users are allowed to access the PAM responder)

           Please note that UID 0 is always allowed to access the PAM responder even in case it is
           not in the pam_trusted_users list.

As the man page says users with "UID 0 is always allowed...", I would have expected this to refer to users retrieved by SSSD, so that SSSD accepts retrieving users with UID=0.

Unfortunately even after adding "min_id = 0" in my sssd.conf, SSSD refuses to show uid=0 users.

In the SSSD logs I have the ldapsearch filter shown as follows:

(&(cn=<username>)(objectclass=user)(cn=*)(&(uidNumber=*)(!(uidNumber=0))))

And somewhere I read that it is by design that SSSD now refuses to allow users with UID=0.

As all that is not too clear for me, where are we now, are users with UID=0 allowed or not?

Cheers,

mathias
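The filter quoted from the SSSD log above explains the behaviour on its own: whatever min_id is set to, the search SSSD sends to AD carries an explicit (!(uidNumber=0)) clause, so a uid 0 object can never come back. The script below is an added example written for this page, not code from SSSD or from anyone in the thread. It is a small RFC 4515 filter evaluator (the &, |, !, equality, presence and wildcard forms the logged filter uses; no escaping or extensible matching) run against a few constructed AD entries, so you can check offline which clause of a logged filter rejects a given object. The entry names, attribute values and the uid numbers are made up for the illustration.

```python
"""Evaluate an SSSD-logged LDAP filter against in-memory AD entries.

Added example: a minimal RFC 4515 subset (no escapes, no extensible
matching) sufficient for the filter SSSD logged in the thread.
"""
import fnmatch

# The filter exactly as it appeared in the SSSD log, with the placeholder kept.
SSSD_FILTER = "(&(cn=<username>)(objectclass=user)(cn=*)(&(uidNumber=*)(!(uidNumber=0))))"

# Constructed sample directory (assumption: not real accounts).
ENTRIES = {
    "jdoe_adm": {"cn": ["jdoe_adm"],
                 "objectClass": ["top", "person", "organizationalPerson", "user"],
                 "uidNumber": ["0"]},            # the "<username>_adm with UID 0" idea
    "jdoe": {"cn": ["jdoe"],
             "objectClass": ["top", "person", "organizationalPerson", "user"],
             "uidNumber": ["10001"]},            # ordinary POSIX-enabled user
    "svc_noposix": {"cn": ["svc_noposix"],
                    "objectClass": ["top", "user"]},  # no uidNumber at all
}


def parse_filter(text):
    """Parse a filter string into a tuple AST: ('&'|'|', [..]), ('!', node), ('=', attr, value)."""
    pos = 0

    def expect(ch):
        nonlocal pos
        if pos >= len(text) or text[pos] != ch:
            raise ValueError("expected %r at offset %d" % (ch, pos))
        pos += 1

    def parse():
        nonlocal pos
        expect("(")
        op = text[pos]
        if op in "&|":
            pos += 1
            items = []
            while text[pos] == "(":
                items.append(parse())
            expect(")")
            return (op, items)
        if op == "!":
            pos += 1
            node = parse()
            expect(")")
            return ("!", node)
        end = text.index(")", pos)              # values may not contain ')' in this subset
        attr, _, value = text[pos:end].partition("=")
        pos = end + 1
        return ("=", attr.lower(), value)       # LDAP attribute names are case-insensitive

    node = parse()
    if pos != len(text):
        raise ValueError("trailing data after filter")
    return node


def evaluate(node, entry):
    """True if entry (dict attr -> list of values) satisfies the filter AST."""
    kind = node[0]
    if kind == "&":
        return all(evaluate(n, entry) for n in node[1])
    if kind == "|":
        return any(evaluate(n, entry) for n in node[1])
    if kind == "!":
        return not evaluate(node[1], entry)
    _, attr, pattern = node
    values = [str(v) for k, vs in entry.items() if k.lower() == attr for v in vs]
    if pattern == "*":                          # presence test
        return bool(values)
    if "*" in pattern:                          # substring match, case-insensitive
        return any(fnmatch.fnmatchcase(v.lower(), pattern.lower()) for v in values)
    return any(v.lower() == pattern.lower() for v in values)


def to_string(node):
    """Render an AST back to filter syntax (attribute names lower-cased)."""
    kind = node[0]
    if kind in "&|":
        return "(%s%s)" % (kind, "".join(to_string(n) for n in node[1]))
    if kind == "!":
        return "(!%s)" % to_string(node[1])
    return "(%s=%s)" % (node[1], node[2])


def failing_clauses(node, entry):
    """For an AND-structured filter, list the innermost clauses that reject the entry."""
    if node[0] == "&":
        out = []
        for n in node[1]:
            out.extend(failing_clauses(n, entry))
        return out
    return [] if evaluate(node, entry) else [to_string(node)]


def lookup(username, entries=ENTRIES):
    """Emulate the logged SSSD lookup for one user name; returns matching cn values."""
    node = parse_filter(SSSD_FILTER.replace("<username>", username))
    return sorted(cn for cn, e in entries.items() if evaluate(node, e))


if __name__ == "__main__":
    for name in ENTRIES:
        node = parse_filter(SSSD_FILTER.replace("<username>", name))
        print(name, "->", lookup(name) or "no match", failing_clauses(node, ENTRIES[name]))
```

Running it shows jdoe matching, while jdoe_adm fails on exactly one clause, (!(uidnumber=0)), and svc_noposix fails on (uidnumber=*); that is the quickest way to confirm from a debug log that a uid 0 object is being dropped by the server-side filter rather than by min_id handling.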