From owner-freebsd-security Wed Jun 30 12:31:50 1999 Delivered-To: freebsd-security@freebsd.org Received: from serveri.netti.fi (serveri.netti.fi [195.16.192.130]) by hub.freebsd.org (Postfix) with ESMTP id 6EFCA15230 for ; Wed, 30 Jun 1999 12:31:46 -0700 (PDT) (envelope-from yurtesen@ispro.net.tr) Received: from ispro.net.tr (dyn-4-114.tku.netti.fi [195.16.219.115]) by serveri.netti.fi (8.8.8/8.8.3) with ESMTP id WAA22605; Wed, 30 Jun 1999 22:31:31 +0300 Message-ID: <377A6FA6.2967F7E1@ispro.net.tr> Date: Wed, 30 Jun 1999 22:27:34 +0300 From: Evren Yurtesen X-Mailer: Mozilla 4.51 [en] (Win98; I) X-Accept-Language: en MIME-Version: 1.0 To: "Jackson, Douglas H" , freebsd-security@freebsd.org Subject: how to keep track of root users? References: <0428AD6295E1D211AC4400A0C969E8A236F185@orsmsx43.jf.intel.com> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org what is su2? in our system there are multiple people who are logging in as root and I want to keep track of what they are doing when they are root, how can I do that? "Jackson, Douglas H" wrote: > There are a number of ways to deal with a lost root password. > > You can always boot to single user mode with no password. I guess a drawback > is that it requires a bit of down time while you do the reboot, and change > the password. But if your system is so insecure that you are loosing your > root passwords, you probably have lots of downtime anyway. > > You could also use su2, which would allow you to have a number of different > passwords which each allow you root access. If you're loosing track of the > current root because multiple people are all using su from time-to-time, > then this is probably a better bet for you anyway. > > Doug > > > -----Original Message----- > > From: brooks@one-eyed-alien.net [mailto:brooks@one-eyed-alien.net] > > Sent: Wednesday, June 30, 1999 11:30 AM > > To: Anil Jangity > > Cc: freebsd-security@FreeBSD.ORG > > Subject: Re: kill!!! > > > > > > On Wed, 30 Jun 1999, Anil Jangity wrote: > > > > > I was wondering, is it possible/safe to make kill(1) to not > > allow it to > > > kill a root process run from the console? Only the console > > should be able > > > to kill those processes and no one else. > > > > > > The reason is, I leave a root login on the console at all > > times... just > > > incase something stupid happens like the passwd is changed > > for root or you > > > can no longer su to root etc because of a compromise or > > whatever, but if > > > you have a logged in root already, it'll be easy to fix those. I was > > > thinking making kill not be able to kill the shell after it > > was hacked > > > etc. > > > > If you really wanted to, you could probalb implement that > > feature, but I > > think it would require a higher secure level. In reality, > > it's probably a > > waste of time for your purposes. See the commit message > > below (this was > > also comitted to the RELENG_3 branch): > > > > ---- > > peter 1999/04/03 20:36:50 PST > > > > Modified files: > > libexec/getty gettytab.5 gettytab.h init.c main.c > > Log: > > Add an 'al' (autologin username) capability to > > getty/gettytab. This is a > > damn useful thing for using with serial consoles in > > clusters etc or secure > > console locations. Using a custom gettytab entry for console with > > an entry like 'al=root' means that there is *always* a root > > login ready on > > the console. This should replace hacks like those which go > > with conserver > > etc. (This is a loaded gun, watch out for those feet!) > > > > Submitted by: "Andrew J. Korty" > > ---- > > > > -- Brooks > > > > > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > > with "unsubscribe freebsd-security" in the body of the message > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message