Under some configurations AD admin users can become root

I have forwarded this to upstream likewise-open and am awaiting a response.

This does seem like a bug and we will investigate this. But we don't feel it is a security bug but more of a misconfiguration bug. Joining a machine to AD gives the AD administrator privileges on that machine and to anyone they delegate AD administrator privileges.

Note that the documentation https://help.ubuntu.com/10.04/serverguide/C/samba-ad-integration.html is incorrect regarding likewise-open -- it does not use secrets.tdb anymore (except in some cases where users have configured a likewise-open--samba integration piece).

Thanks Scott. I am going to mark this as Confirmed for now. Should this bug remain private?

I don't think this bug should remain private but I'm not sure how you normally make that decision. The administrators of the systems in question could take actions such that this is not a problem (i.e., remove domain\root) yet still allow the majority of users go about their business.

Ok, let's wait for the reporter to comment. If we don't hear anything back by Sept 5th (1 week), let's make this public (I don't see anything in this bug report that would disclose information on the reporter (his name and LP account seem sufficiently anonymized)).

Hello All,

Thank you for your attention into this. From somebody who has worked in both very large and small mixed Linux/Windows environments, I think this is actually quite serious, for the following reasons:

1. Most larger companies have a separate set of administrators for their UNIX/Linux and Windows environments, I don't think making the bug public is in the best interest of any business users of Likewise-Open, since there could be a compliance issue in giving the Windows admins a theoretical way to access the data on Linux servers that they may not normally have admin rights to.

2. The Windows environment is more prone to being compromised, if a hacker gains admin access to an AD domain at a company that uses Likwise-Open extensively, then you've also just handed them the Linux environment on a silver platter.

3. I believe there may potentially be other serious exploits to be had from this, such as impersonating Apache/Postgres/MySQL/Samba/etc... users to compromise various other systems. I'm just speculating, however, I've not tried any of this in practice.

IMHO, there's no good reason to make the bug public, since it's not likely to adversely affect anybody's use of the software. However, you don't need to keep it private on my behalf, I'm not using it in any mission-critical capacity at this point in time.

1. Joining a machine to AD gives the Windows admins more than a theoretical way to access Linux servers -- that's what it is for! Our enterprise product makes that even clearer by offering mechanisms where the AD admin can configure whatever they feel like on Unix systems. In environments where there is a compliance requirement that these non-Windows machines be not accessible to the Windows AD administrators, then a separate domain must be set up administered by the Unix admins.

2. Yes -- that's the risk of joining to AD.

3. Yes, we call this aliasing and we've tried to make it a feature. The problem we face is that different OSes use the pam stack and other mechanisms in such different ways that we've don't have a single comprehensive way of fixing everything at one time. We do not recommend having AD accounts overlap names with local Unix accounts, but we have customers that choose to do so and take advantage of the behavior they find.

I filed this bug about 2.5 months ago, when I first started evaluating Ubuntu at my new job. After about a week, I decided against joining any Ubuntu machines to Active Directory, after coming to the conclusion that I didn't really want or need AD integration on my Linux machines at this point in time.

In light of the fact I haven't really touched Likewise in over 2 months, I kind of threw the last response together quickly without thinking it though, let me clarify my concerns.

Joining to AD: I initially wanted to be able to log in with any AD account, but I had a specific AD group of users listed in the /etc/sudoers file, so by default any other AD user wouldn't be a sudoer. I didn't want just anybody with Windows admin access to be able to gain root access to the Linux box(being foremost concerned about somebody hijacking an AD admin account). This bug/feature allows just that.

As I said, I don't really have a dog in this fight anymore, because I'm not currently using Likewise(although I may consider it later if I find a need for it), so I'll leave it entirely up to you as to how to handle the classification of the bug.

Actually, let me re-clarify one more point:

AD admin users with access to the *NIX groups OU could add people to that AD sudoers group, however, the group itself isn't advertised as offering that functionality, so that's the "security through obscurity" approach. However, the ability to gain access to that OU is limited to Domain and Enterprise Admin accounts, which is not most AD administrators, as the best practice is to NOT give all of your AD admin folks Domain Admin accounts, but rather to use other techniques to limit their admin rights to creating objects specific OUs.

For example, at many companies, lowly helpdesk personnel have the ability to create objects in a special OU just for them, including user objects. By virtue of being able to create an account named 'root' (assuming one doesn't already exist), a helpdesk person can now administer Linux boxes joined to AD.

This was to be made public yesterday. Scott, do Jeff's comments change upstream's position on making this public?

Nope, our position is unchanged and we believe this should be public.