From owner-freebsd-security Wed Jun 30 14:15:57 1999
Delivered-To: freebsd-security@freebsd.org
Received: from kinetic.tiora.net (kinetic.tiora.net [206.251.130.15]) by hub.freebsd.org (Postfix) with ESMTP id 508D415737 for ; Wed, 30 Jun 1999 14:15:51 -0700 (PDT) (envelope-from liam@kinetic.tiora.net)
Received: from localhost (liam@localhost) by kinetic.tiora.net (8.9.3/8.9.3) with ESMTP id OAA09050; Wed, 30 Jun 1999 14:13:26 -0700 (PDT)
Date: Wed, 30 Jun 1999 14:13:26 -0700 (PDT)
From: Liam Slusser
To: Evren Yurtesen
Cc: "Jackson, Douglas H" , freebsd-security@FreeBSD.ORG
Subject: Re: how to keep track of root users?
In-Reply-To: <377A6FA6.2967F7E1@ispro.net.tr>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Try sudo. ;) You can find it in the ports under security/sudo. It will
allow you to do all sorts of neato stuff. From allowing one person to only
run a single program to allowing another to do anything he/she wants.

liam

System Administrator
Tiora Networks | www.tiora.net <---- tiora's webpage
www.tiora.net/~liam <----- homepage | liam@tiora.net <-- my email address
Lowered turbo powered Honda Civic's are really cool. <---------- my quote

On Wed, 30 Jun 1999, Evren Yurtesen wrote:

> what is su2?
> in our system there are multiple people who are logging in as root and
> I want to keep track of what they are doing when they are root,
> how can I do that?
>
> "Jackson, Douglas H" wrote:
>
> > There are a number of ways to deal with a lost root password.
> >
> > You can always boot to single user mode with no password. I guess a
> > drawback is that it requires a bit of down time while you do the reboot,
> > and change the password. But if your system is so insecure that you are
> > losing your root passwords, you probably have lots of downtime anyway.
> >
> > You could also use su2, which would allow you to have a number of
> > different passwords which each allow you root access. If you're losing
> > track of the current root because multiple people are all using su from
> > time-to-time, then this is probably a better bet for you anyway.
> >
> > Doug
> >
> > > -----Original Message-----
> > > From: brooks@one-eyed-alien.net [mailto:brooks@one-eyed-alien.net]
> > > Sent: Wednesday, June 30, 1999 11:30 AM
> > > To: Anil Jangity
> > > Cc: freebsd-security@FreeBSD.ORG
> > > Subject: Re: kill!!!
> > >
> > > On Wed, 30 Jun 1999, Anil Jangity wrote:
> > >
> > > > I was wondering, is it possible/safe to make kill(1) to not allow it
> > > > to kill a root process run from the console? Only the console should
> > > > be able to kill those processes and no one else.
> > > >
> > > > The reason is, I leave a root login on the console at all times...
> > > > just in case something stupid happens like the passwd is changed for
> > > > root or you can no longer su to root etc because of a compromise or
> > > > whatever, but if you have a logged in root already, it'll be easy to
> > > > fix those. I was thinking making kill not be able to kill the shell
> > > > after it was hacked etc.
> > >
> > > If you really wanted to, you could probably implement that feature,
> > > but I think it would require a higher secure level. In reality, it's
> > > probably a waste of time for your purposes. See the commit message
> > > below (this was also committed to the RELENG_3 branch):
> > >
> > > ----
> > > peter 1999/04/03 20:36:50 PST
> > >
> > > Modified files:
> > > libexec/getty gettytab.5 gettytab.h init.c main.c
> > > Log:
> > > Add an 'al' (autologin username) capability to getty/gettytab. This is a
> > > damn useful thing for using with serial consoles in clusters etc or secure
> > > console locations. Using a custom gettytab entry for console with
> > > an entry like 'al=root' means that there is *always* a root login ready on
> > > the console. This should replace hacks like those which go with conserver
> > > etc. (This is a loaded gun, watch out for those feet!)
> > >
> > > Submitted by: "Andrew J. Korty"
> > > ----
> > >
> > > -- Brooks

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
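
Added example, not part of the thread: sudo records each invocation through syslog, so the question of what each admin did as root can be answered from that log once people use sudo instead of a shared root login. The sketch below parses sample lines constructed here in sudo's default syslog format (host and user names are made up) and separates commands that ran as root from refused attempts.

```python
import re
from collections import defaultdict

# Constructed sample lines in sudo's default syslog format (not taken from the thread).
SAMPLE_LOG = """\
Jun 30 14:20:01 hostA sudo:    alice : TTY=ttyp0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/sbin/vipw
Jun 30 14:21:47 hostA sudo:      bob : TTY=ttyp1 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/kill -HUP 214
Jun 30 14:22:10 hostA sudo:    carol : command not allowed ; TTY=ttyp2 ; PWD=/home/carol ; USER=root ; COMMAND=/bin/sh
Jun 30 14:25:33 hostA sudo:      bob : 3 incorrect password attempts ; TTY=ttyp1 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/bin/passwd root
Jun 30 14:30:02 hostA sshd[411]: Accepted password for alice from 192.0.2.7
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s\S+\ssudo(?:\[\d+\])?:"
    r"\s+(?P<user>\S+)\s:\s(?P<rest>.*)$")
# sudo's USER= field is the target account, so store it as "runas".
FIELDS = {"TTY": "tty", "PWD": "pwd", "USER": "runas"}

def parse_sudo_line(line):
    # Returns a dict for a sudo log entry, or None for any other syslog line.
    m = LINE_RE.match(line)
    if not m:
        return None
    # COMMAND= is always last and may itself contain ';', so split it off first.
    head, sep, command = m.group("rest").partition("COMMAND=")
    if not sep:
        return None
    event = {"time": m.group("ts"), "user": m.group("user"),
             "command": command.strip(), "denied": None}
    for part in head.split(";"):
        part = part.strip()
        key, eq, value = part.partition("=")
        if eq and key in FIELDS:
            event[FIELDS[key]] = value
        elif part:
            event["denied"] = part  # free-text reason, e.g. "command not allowed"
    return event

def summarize(log_text):
    # Per-user list of commands run as root, plus a list of refused attempts.
    ran, refused = defaultdict(list), []
    for line in log_text.splitlines():
        ev = parse_sudo_line(line)
        if ev is None:
            continue
        if ev["denied"]:
            refused.append((ev["user"], ev["denied"], ev["command"]))
        elif ev.get("runas") == "root":
            ran[ev["user"]].append(ev["command"])
    return dict(ran), refused
```

A user who is allowed to start a shell through sudo leaves only that one log entry, so per-command records depend on granting specific commands rather than a shell.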