From owner-freebsd-questions@FreeBSD.ORG Thu Dec 6 09:26:17 2012
Subject: Re: Somewhat OT: Is Full Command Logging Possible?
From: Fleuriot Damien
Date: Thu, 6 Dec 2012 10:26:14 +0100
To: Kurt Buff
Cc: Tim Daneliuk, FreeBSD Mailing List
References: <50BFD674.8000305@tundraware.com> <50BFDD51.5000100@tundraware.com>
List-Id: User questions (freebsd-questions@freebsd.org)

On Dec 6, 2012, at 1:35 AM, Kurt Buff wrote:

> On Wed, Dec 5, 2012 at 3:48 PM, Tim Daneliuk wrote:
>> On 12/05/2012 05:44 PM, Kurt Buff wrote:
>>>
>>> On Wed, Dec 5, 2012 at 3:19 PM, Tim Daneliuk wrote:
>>>>
>>>> I am working with an institution that today provides limited privilege
>>>> escalation on their servers via very specific sudo rules. The problem
>>>> is that the administrators can do 'sudo su -'.
>>>
>>> sudo is misconfigured.
>>>
>>> man 5 sudoers and man 8 visudo
>>>
>>> Kurt
>>
>> I'm sorry Kurt, I'm sort of dense today, I'm not sure what you're
>> saying. Are you suggesting that there is a way to configure
>> sudo so that if someone does 'sudo su -' to become an admin,
>> sudo can be made to log every command they execute thereafter?
>
> No, I'm saying that sudo should not be configured to allow 'sudo su -'.

This is an ineffective solution.

So what, you're going to forbid "sudo su -"?
Fine, I'll just run "sudo csh".

If you forbid csh, I'll just copy the existing `which csh` to ~/toto and "sudo ~/toto".

Basically, anything short of actually whitelisting what people can run won't do.

And apparently that's not in Tim's list of desirable things ;)
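The whitelist approach Damien is pointing at, written out as a sudoers fragment. This is an added example, not part of the original thread or of any poster's configuration; the group names (wheel, ops), the service and log file names, and the I/O log directory are assumptions chosen for illustration.

```sudoers
# Added example, not from the thread. Group names, service names, file paths
# and the iolog directory are assumptions.

# Weak rule: any command as any user. 'sudo su -', 'sudo csh' or a copied
# shell all succeed, and sudo's log records only the launching command,
# nothing of what the resulting shell goes on to do.
%wheel ALL=(ALL) ALL

# Whitelist: name the exact binaries and exact arguments operators may run.
# No shell, no su, and no wildcard arguments (a '*' in sudoers matches
# spaces too, so it can admit extra arguments you did not intend).
Cmnd_Alias OPS_SERVICES = /usr/sbin/service nginx restart, \
                          /usr/sbin/service nginx status
Cmnd_Alias OPS_LOGS     = /usr/bin/less /var/log/nginx/error.log

# Operators get only the whitelisted commands, run as root.
%ops ALL=(root) OPS_SERVICES, OPS_LOGS

# Record every invocation plus the terminal input and output of the command
# itself (sudo 1.7.5 and later; inspect with sudoreplay).
Defaults log_input, log_output
Defaults iolog_dir=/var/log/sudo-io

# Caveat: a whitelisted program that can spawn a subprocess (less honours
# '!command', editors have shell escapes) reopens the hole. noexec blocks
# exec() from that program on platforms that support it.
Defaults!OPS_LOGS noexec
```

Edit the file with visudo (man 8 visudo) so a syntax error does not lock everyone out; a rule that a whitelisted command still cannot be pinned to exact arguments is a sign the command belongs in a small wrapper script that is itself the whitelisted entry.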