Environment
Novell eDirectory 8.8 for All Platforms
Novell eDirectory 8.7.3 for All Platforms
Novell Remote Manager
Novell Open Enterprise Server (Linux based)
Situation
By default, Novell Remote Manager allows users with supervisor rights to the LUM workstation objects to log in to Novell Remote Manager and gain root access to the Linux file system.
For the purposes of this document, an eDirectory administrator account is a user given supervisor rights in the eDirectory tree.
Novell Remote Manager has configuration options that limit certain kinds of users from logging in to Novell Remote Manager, but no options that allow granular definition of which eDirectory administration accounts can get root access. See the documentation for Novell Remote Manager configuration options: https://www.novell.com/documentation/oes/index.html?page=/documentation/oes/remotemgr_lx/data/front.html#front
Resolution
Any approach to rights assignments in eDirectory that restricts supervisor access to the LUM workstation objects will prevent undesired root access for eDirectory administration accounts.
EXAMPLE 1:
Assign supervisor rights to eDirectory administration accounts only in specific containers.
EXAMPLE 2:
Place LUM workstation objects in a container where supervisor rights are restricted.
To check rights of users to LUM workstation objects:
(iManager)
Choose Rights | View Effective Rights
Enter the user account to be checked
Browse to the LUM workstation object to be checked in the Object Name field
Effective rights for the user for each Property selected will be displayed in the Effective rights window.
Status
Security Alert
Change Log
2012-02-07 - Jan Kalcic - Fixed wrong syntax (double http://) in the link to the documentation