Why is local root able to su to any LDAP user?

Steven asked:

We have an LDAP server set up with our Active Directory. When users log in to a Linux machine with the LDAP client installed as root, they are able to `su -` into any Active Directory account without needing that user's password. This is a big security risk; does anyone know why this is or how to prevent this?

Preventing root access is not an option unfortunately as it is required by some users in some cases.

My answer:

This is standard Unix design: `su` only asks for a password when the caller is not already root, and you can’t really prevent root from doing anything it wants.

A more secure design is to have users use sudo, with a sudoers configuration that allows each user only the specific tasks they need to perform. Unrestricted sudo should be limited to the specific IT staff who need it for maintaining the servers, and the actual root password should be kept in a safe somewhere.
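The sudoers layout described above, as an added example that is not part of the original answer. The group names (`itadmins`, `appops`), the service unit and the log path are assumptions; install the fragment with `visudo` so its syntax is checked before it takes effect.

```sudoers
# /etc/sudoers.d/ops  (added example; group and unit names are assumptions)
# Validate before use:   visudo -c -f /etc/sudoers.d/ops
# Audit what a user got:  sudo -l -U alice

# Weak: every member of "users" may run anything as anyone, so
# "sudo su - otheruser" gives the same result the question describes.
# %users ALL=(ALL) ALL

# Unrestricted sudo only for the staff who maintain the servers.
%itadmins ALL=(ALL:ALL) ALL

# Everyone else gets only the commands their task needs. Commands are
# given with full paths and fixed arguments; no shell, editor, or su,
# because those let the caller escape back to an unrestricted root shell.
Cmnd_Alias APP_CTL = /usr/bin/systemctl restart app.service, \
                     /usr/bin/systemctl status app.service
Cmnd_Alias APP_LOG = /usr/bin/journalctl -u app.service

%appops ALL=(root) APP_CTL, APP_LOG

# Record sudo sessions of the restricted group so misuse is detectable.
Defaults:%appops use_pty, log_input, log_output
Defaults logfile="/var/log/sudo.log"
```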

View the full question and any other answers on Server Fault.

This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.