Date: Wed, 30 Jun 1999 22:27:34 +0300
From: Evren Yurtesen <yurtesen@ispro.net.tr>
To: "Jackson, Douglas H" <douglas.h.jackson@intel.com>, freebsd-security@freebsd.org
Subject: how to keep track of root users?
Message-ID: <377A6FA6.2967F7E1@ispro.net.tr>
References: <0428AD6295E1D211AC4400A0C969E8A236F185@orsmsx43.jf.intel.com>

What is su2? In our system there are multiple people who are logging in
as root, and I want to keep track of what they are doing when they are
root. How can I do that?

"Jackson, Douglas H" wrote:

> There are a number of ways to deal with a lost root password.
>
> You can always boot to single user mode with no password. I guess a
> drawback is that it requires a bit of down time while you do the
> reboot, and change the password. But if your system is so insecure
> that you are losing your root passwords, you probably have lots of
> downtime anyway.
>
> You could also use su2, which would allow you to have a number of
> different passwords which each allow you root access. If you're losing
> track of the current root because multiple people are all using su
> from time-to-time, then this is probably a better bet for you anyway.
>
> Doug
>
> > -----Original Message-----
> > From: brooks@one-eyed-alien.net [mailto:brooks@one-eyed-alien.net]
> > Sent: Wednesday, June 30, 1999 11:30 AM
> > To: Anil Jangity
> > Cc: freebsd-security@FreeBSD.ORG
> > Subject: Re: kill!!!
> >
> > On Wed, 30 Jun 1999, Anil Jangity wrote:
> >
> > > I was wondering, is it possible/safe to make kill(1) to not allow
> > > it to kill a root process run from the console? Only the console
> > > should be able to kill those processes and no one else.
> > >
> > > The reason is, I leave a root login on the console at all times...
> > > just in case something stupid happens like the passwd is changed
> > > for root or you can no longer su to root etc because of a
> > > compromise or whatever, but if you have a logged in root already,
> > > it'll be easy to fix those. I was thinking making kill not be able
> > > to kill the shell after it was hacked etc. <rambling>
> >
> > If you really wanted to, you could probably implement that feature,
> > but I think it would require a higher secure level. In reality, it's
> > probably a waste of time for your purposes. See the commit message
> > below (this was also committed to the RELENG_3 branch):
> >
> > --<cut>--
> > peter       1999/04/03 20:36:50 PST
> >
> >   Modified files:
> >     libexec/getty        gettytab.5 gettytab.h init.c main.c
> >   Log:
> >   Add an 'al' (autologin username) capability to getty/gettytab.
> >   This is a damn useful thing for using with serial consoles in
> >   clusters etc or secure console locations. Using a custom gettytab
> >   entry for console with an entry like 'al=root' means that there is
> >   *always* a root login ready on the console. This should replace
> >   hacks like those which go with conserver etc. (This is a loaded
> >   gun, watch out for those feet!)
> >
> >   Submitted by:   "Andrew J. Korty" <ajk@purdue.edu>
> > --<cut>--
> >
> > -- Brooks
> >
> > To Unsubscribe: send mail to majordomo@FreeBSD.org
> > with "unsubscribe freebsd-security" in the body of the message