Comment 9 for bug 794789

Jeff H (jahtech-android-apps) wrote: Re: Security vulnerability, AD admin users can become root

Actually, let me re-clarify one more point:

AD admin users with access to the *NIX groups OU could add people to that AD sudoers group; however, the group itself isn't advertised as offering that functionality, so that's the "security through obscurity" approach. However, the ability to gain access to that OU is limited to Domain and Enterprise Admin accounts, which is not most AD administrators, as the best practice is to NOT give all of your AD admin folks Domain Admin accounts, but rather to use other techniques to limit their admin rights to creating objects in specific OUs.

For example, at many companies, lowly helpdesk personnel have the ability to create objects in a special OU just for them, including user objects. By virtue of being able to create an account named 'root' (assuming one doesn't already exist), a helpdesk person can now administer Linux boxes joined to AD.
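The collision the comment above describes (an AD object named 'root', or an AD group named like a local admin group, shadowing the local one on a joined Linux host) is something an admin can check for offline. The following is an added example, not the reporter's code and not code from the product the bug is filed against. It assumes a list of sAMAccountNames and group names exported from AD, plus the host's /etc/passwd, /etc/group and nsswitch.conf; all of that input is constructed inline here, and the NSS source names it treats as "AD-backed" (sss, winbind, ldap) are an assumption about how the host was joined.

```python
"""Flag AD principals whose names collide with privileged local names.

Added example for the bug thread; all input below is constructed.
Assumed join stack: an NSS module such as sss, winbind or ldap serving AD
users and groups, so that glibc's first-match-wins lookup order matters.
"""
import re

# Constructed AD export: note the 'root' object a delegated user created,
# and 'ADMIN', which differs from a local name only in case.
AD_ACCOUNTS = ["jsmith", "helpdesk01", "root", "ADMIN"]
AD_GROUPS = ["Domain Users", "unix-sudoers", "wheel"]

# Constructed contents of the joined host's local databases.
LOCAL_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
admin:x:1000:1000:Local Admin:/home/admin:/bin/bash
"""
LOCAL_GROUP = """\
root:x:0:
wheel:x:10:admin
sudo:x:27:admin
users:x:100:
"""
# Assumed nsswitch.conf: the AD-backed source is consulted before 'files'.
NSSWITCH = "passwd: sss files\ngroup: sss files\n"

AD_NSS_SOURCES = {"sss", "winbind", "ldap"}   # assumption, see docstring
ADMIN_GROUPS = {"root", "wheel", "sudo"}      # local groups that confer admin rights


def parse_passwd(text):
    """Return {name: uid} from /etc/passwd-style text."""
    out = {}
    for line in text.splitlines():
        if line and not line.startswith("#"):
            f = line.split(":")
            out[f[0]] = int(f[2])
    return out


def parse_group(text):
    """Return {name: (gid, set_of_members)} from /etc/group-style text."""
    out = {}
    for line in text.splitlines():
        if line and not line.startswith("#"):
            f = line.split(":")
            members = {m for m in f[3].split(",") if m} if len(f) > 3 else set()
            out[f[0]] = (int(f[2]), members)
    return out


def privileged_local_users(passwd, group):
    """Local user names that are uid 0 or members of an admin group."""
    names = {n for n, uid in passwd.items() if uid == 0}
    for g in ADMIN_GROUPS:
        if g in group:
            names |= group[g][1]
    return names


def ad_source_first(nsswitch, db):
    """True if an AD-backed NSS source precedes 'files' for the given db.

    With first-match-wins resolution, that is the ordering in which an AD
    object named 'root' would be returned for a lookup of 'root'.
    """
    for line in nsswitch.splitlines():
        m = re.match(r"\s*(\w+):\s*(.*)", line)
        if m and m.group(1) == db:
            sources = m.group(2).split()
            ad_idx = [i for i, s in enumerate(sources) if s in AD_NSS_SOURCES]
            files_idx = sources.index("files") if "files" in sources else len(sources)
            return bool(ad_idx) and ad_idx[0] < files_idx
    return False


def find_collisions(ad_users, ad_groups, passwd_text, group_text):
    """Privileged local user/group names that also exist in AD.

    Comparison is case-insensitive because sAMAccountName lookups are.
    """
    passwd = parse_passwd(passwd_text)
    group = parse_group(group_text)
    ad_users_lc = {u.lower() for u in ad_users}
    ad_groups_lc = {g.lower() for g in ad_groups}
    users = sorted(n for n in privileged_local_users(passwd, group)
                   if n.lower() in ad_users_lc)
    groups = sorted(g for g in ADMIN_GROUPS if g in group and g.lower() in ad_groups_lc)
    return {"users": users, "groups": groups}


if __name__ == "__main__":
    report = find_collisions(AD_ACCOUNTS, AD_GROUPS, LOCAL_PASSWD, LOCAL_GROUP)
    for db in ("passwd", "group"):
        print(f"{db}: AD source consulted before files = {ad_source_first(NSSWITCH, db)}")
    print("colliding privileged users:", report["users"])
    print("colliding admin groups:    ", report["groups"])
```

On the constructed data this flags `root` and `admin` on the user side and `wheel` on the group side; whether a flagged collision is exploitable then depends on the join stack's NSS and PAM ordering, which is why the nsswitch check is reported alongside rather than folded into the verdict.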