From owner-freebsd-questions Fri Jul 30 9:22:34 1999
Delivered-To: freebsd-questions@freebsd.org
Received: from cobalt.novagate.net (cobalt.novagate.net [205.138.138.17])
	by hub.freebsd.org (Postfix) with ESMTP id 189D715199
	for ; Fri, 30 Jul 1999 09:22:31 -0700 (PDT)
	(envelope-from xlogan@novagate.net)
Received: from cobalt (IDENT:xlogan@cobalt [205.138.138.17])
	by cobalt.novagate.net (8.9.2/8.8.7) with SMTP id MAA14722
	for ; Fri, 30 Jul 1999 12:22:48 -0400 (EDT)
Date: Fri, 30 Jul 1999 12:22:47 -0400 (EDT)
From: x@asdf.com
X-Sender: xlogan@cobalt.novagate.net
To: freebsd-questions@FreeBSD.ORG
Subject: Re: how to watch the root user? or sudo security issue?
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

On Mon, 19 Jul 1999, Vincent Poy wrote:

> On Mon, 19 Jul 1999, Ilia Chipitsine wrote:
>
> > look at the sudo program, it's in the ports collection.
> > it has a configuration, which describes which user is allowed
> > to do tasks as a root.
> >
> > but, once you gave somebody all the root's rights, it's not possible to
> > watch what he/she did.
> >
> > do not allow 'sudo' for
> >
> > 1. cp
> > 2. rm
> > 3. dd
> > 4. passwd
> > 5. ?

One thing I've noticed with sudo, if you give some access to pico or
another editor via sudo they could just edit the sudoers file and give
themselves whatever permissions they wanted to :-/ Not good.

-Dan

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
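
A sudoers audit for the concern raised in this thread, added here as an example and not part of the original posts: it flags rules that grant cp, rm, dd, passwd, an editor, or ALL, including grants hidden behind a Cmnd_Alias. The editor names other than pico, the sample users and the paths are assumptions, and the parser handles only simple user rules and Cmnd_Alias lines.

```python
import os
import re

# cp, rm, dd, passwd and pico come from the thread; the other editors are assumed.
RISKY = {
    "cp": "can overwrite root-owned files such as sudoers",
    "rm": "can delete any file",
    "dd": "can overwrite files and raw devices",
    "passwd": "can reset root's password",
}
for _ed in ("pico", "vi", "ee", "emacs"):
    RISKY[_ed] = "editor running as root can rewrite sudoers"

def audit_sudoers(text):
    """Return (user, command, reason) for each risky grant in sudoers text."""
    text = re.sub(r"\\\n", " ", text)                # join continuation lines
    aliases, findings = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments
        if "=" not in line or line.startswith("Defaults"):
            continue
        left, right = line.split("=", 1)
        right = re.sub(r"\([^)]*\)", "", right)      # drop (runas) specs
        cmds = [c.strip() for c in right.split(",") if c.strip()]
        words = left.split()
        if words[0] == "Cmnd_Alias":
            aliases[words[1]] = cmds                 # remember alias members
            continue
        if words[0].endswith("_Alias"):
            continue                                 # User_/Host_/Runas_Alias
        for cmd in cmds:
            cmd = re.sub(r"^(?:[A-Z]+:\s*)+", "", cmd)   # drop NOPASSWD: etc.
            for c in aliases.get(cmd, [cmd]):        # expand a Cmnd_Alias
                if c == "ALL":
                    findings.append((words[0], c, "unrestricted root"))
                elif not c.startswith("!"):          # skip negated entries
                    base = os.path.basename(c.split()[0])
                    if base in RISKY:
                        findings.append((words[0], c, RISKY[base]))
    return findings

# Constructed sample sudoers; users and paths are made up.
SAMPLE = r"""
Cmnd_Alias EDITORS = /usr/bin/pico, /usr/bin/vi
root   ALL = (ALL) ALL
bob    ALL = NOPASSWD: EDITORS, /bin/ls
carol  ALL = /bin/cp, \
             /usr/bin/passwd
dave   ALL = /sbin/shutdown -r now
"""
```

Each finding is a grant to review, since any of these commands running as root can be used to change the sudoers file or root's credentials.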