Privileges when doing sudo to another domain user

linux authentication sudo upstart kerberos

Suppose I have a corporate domain mydomain using MS Active Directory. In the domain I have the users myuser and youruser. Now, on one specific Ubuntu machine mymachine, myuser has sudo rights, and does sudo su youruser (or sudo -u youruser sh). Since myuser has the necessary sudoers config, he does not need to enter youruser's password, and will effectively become youruser on that machine.

  1. What kind of youruser privileges will myuser have at this point? Obviously, if youruser also has a home directory on the machine, myuser can now access it and read his private local files. But what will happen if trying to access a network domain resource using kerberos, samba etc? I guess since he has never entered youruser's password he is not authenticated as a domain user, does not have a kerberos ticket etc. So if there's a network service that checks group memberships for his user id, will that also fail? How does this work? Is he considered to be a different user, say, mymachine\\youruser as opposed to mydomain\\youruser?

  2. Suppose there's a web service running as a daemon on the machine, using a dedicated domain user myserviceuser. If this web service needs to access network resources, i.e., authenticate with Kerberos, how should the daemon be set up, for example from an upstart script? Normally you start it using something like sudo -u myserviceuser <cmd>, but given the above assumptions, will this grant the web service any rights to access network resources? Shouldn't the password for this user have to be entered somewhere?


There's not nearly enough clear documentation on this stuff IMO.

  1. You are right - if a service is protected by kerberos then su/sudo is not sufficient to bypass the necessary authorisation (UNLESS the target user has a cached ticket because they are currently logged on, or a keytab). Most resources (eg local filesystem) rely on uidnumber and gidnumber to identify a user, and can be bypassed by root/sudo access

  2. This is a fun one that i an dealing with presently at work. Say a service account apache needs to access a kerberised NFS share. You need to export a keytab for apache to the local filesystem and source that when the service starts, periodically renewing its ticket via perhaps cron. RHEL7 has gssproxy, which appears to simplify this but i haven't got to that point yet.

A keytab is effectively a saved credential. If someone can access it, they can masquerade as that user. Exporting a new keytab in IPA and AD changes the account's password.

Microsoft kerberos is slightly different but most rules still apply.

Related

Getting application logs. Command failed on instance
How to find source of system running slow clock?
NFS mount on Windows 8 non-enterprise
WSUS downloading driver updates every night
Stop nginx reverse proxy from redirecting
CPU parking, windows 2012r2, with no hyper threading
svnserve+sasl+ldap : saslauthd not contacted?
Server 2012 R2 Exchange 2013 Handle Leak
Whitelisting outgoing traffic from docker containers
PHP unable to mail() in chroot though I can use sendmail inside chroot
Server 2012 R2 unexpected crash DRIVER_IRQL_NOT_LESS_OR_EQUAL
Why does Windows Server 2012 R2 Standard edition show only 20% of my available memory?