ssh -l root getting context staff_t is pointless
Stephen Smalley
sds at epoch.ncsc.mil
Mon Apr 5 11:47:25 UTC 2004
On Sun, 2004-04-04 at 03:05, Alexandre Oliva wrote:
> I read previous discussions about it here. The argument IIRC is that
> making the default context staff_t adds a little bit of security.
>
> IMHO, it adds no security whatsoever, since
> `ssh -l root hostname -t su -' gets you to sysadm_r without asking for
> a password.
Do you have unlimitedUsers enabled in policy/tunable.te? That might
explain it. Otherwise, the su should require re-authentication, as
staff_t isn't normally authorized to skip authentication for pam_rootok.
--
Stephen Smalley <sds at epoch.ncsc.mil>
National Security Agency
More information about the selinux
mailing list