Under some configurations AD admin users can become root
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
likewise-open (Ubuntu) |
Confirmed
|
Undecided
|
Unassigned |
Bug Description
Binary package hint: likewise-open
I'm currently evaluating replacing my company's Red Hat and Windows servers with Ubuntu wherever possible. I've joined our first server to our Active Directory domain using likewise-open. The main function of that server is a Samba file server. I (mostly) followed the instructions here:
https:/
The problem:
I have an Active Directory account called "root", ie: domain\root. At the login screen, I've confirmed that I can log in as any Active Directory user. When I select "other" user, and log in as domain\root. When I log in as domain\root, I actually am logged in as local root, and able to do anything without sudo-ing(but AFAIK also able to access the all of the AD functionality).
The (potential) vulnerability:
Any AD user with the ability to create user accounts(or attackers who have gained admin rights to AD) could conceivably create an AD account called root, and use it to log into any AD-joined Ubuntu box as local root.
Things to note:
domain\root is in the sudoers file via an AD group, but shouldn't actually be local root.
I did symlink the 2 secrets databases as described in the above link, and both root accounts do have the same password.
I have another account with the same exact same rights as domain\root, but it does not have root access without sudo-ing when logged in.
I have changed local root's password from the default with passwd (which I guess enables local root login)
The Samba server is NOT a domain controller
ProblemType: Bug
DistroRelease: Ubuntu 11.04
Package: likewise-open (not installed)
ProcVersionSign
Uname: Linux 2.6.38-8-generic x86_64
Architecture: amd64
Date: Wed Jun 8 20:40:26 2011
InstallationMedia: Ubuntu 11.04 "Natty Narwhal" - Beta amd64 (20110416)
ProcEnviron:
LANGUAGE=en_US:en
LANG=en_US.UTF-8
SHELL=/bin/bash
SourcePackage: likewise-open
UpgradeStatus: Upgraded to natty on 2011-04-21 (48 days ago)
visibility: | private → public |
summary: |
- Security vulnerability, AD admin users can become root + Under some configurations AD admin users can become root |
I have forwarded this to upstream likewise-open and am awaiting a response.