Date: Wed, 4 Oct 2000 21:51:11 -0500 (CDT)
From: Mike Meyer <mwm@mired.org>
To: "Dan Mahoney, System Admin" <danm@prime.gushi.org>
Cc: questions@freebsd.org
Subject: Re: Securing SU
Message-ID: <14811.60575.915025.704286@guru.mired.org>
In-Reply-To: <37074764@toto.iv>

Dan Mahoney, System Admin writes:
> On Wed, 4 Oct 2000, roman wrote:
>
> > > I was wondering if there was a way to configure su so that it would
> > > disallow a user access if they're telnetted in. (but, say, allow them if
> > > they have sshed in).
> > what about sudo?
> > better than su, because you get to control who gets to do what as root.
> Oh, I have four people who have root, and need it. My web guy, my cgi
> guy, myself and my assistant...All of us need full root, and all are
> trusted (in fact one is a cousin and one is a fiancee).

Looks like a web server. If it's internet and not intranet, turning
off telnet should have been before it went production. I wouldn't be
surprised if those were the only four people who needed access to the
machine, which makes that straightforward.

Since I'm on the soapbox, I have to wonder why the web & cgi guys need
root access. The web stuff should all be owned by some user (not root)
(or group). Access to that user (group) should be all they need -
except for stopping and starting the server (damn Unix "privileged
ports"). The latter is an ideal use for sudo.

I've set up this kind of thing for outside contractors doing
development on boxes I was responsible for. Yes, they bitched about
it, and yes, it was a bit more work for me to set up - but I slept
better at night knowing the clowns in question could only screw up
*their* stuff.

	<mike

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
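
The arrangement described in the message above, sketched as a sudoers fragment. This is an added example, not part of the original e-mail or written by its author; the group name `webdev`, the drop-in file name and all paths are assumptions to adapt to the host.

```sudoers
# /usr/local/etc/sudoers.d/webctl  (hypothetical drop-in file)
# Check syntax before installing it:  visudo -cf <file>
# Assumptions: group "webdev" holds the web and CGI developers, and the
# server control script is /usr/local/sbin/apachectl.

# Weak: what "all of us need full root" amounts to in sudoers terms.
# %webdev ALL = (ALL) ALL

# Restricted: only the actions that need root because of the privileged port.
# The arguments are spelled out, so sudo refuses apachectl with any others.
Cmnd_Alias WEBCTL = /usr/local/sbin/apachectl start, \
                    /usr/local/sbin/apachectl stop, \
                    /usr/local/sbin/apachectl graceful, \
                    /usr/local/sbin/apachectl configtest

%webdev ALL = (root) WEBCTL

# Content stays editable without root by giving the group write access to
# the document and CGI trees (hypothetical paths):
#   chgrp -R webdev /usr/local/www/data /usr/local/www/cgi-bin
#   chmod -R g+w    /usr/local/www/data /usr/local/www/cgi-bin
#
# Keep apachectl, the httpd binary and httpd.conf owned by root and not
# group-writable. The server reads its configuration as root before it
# drops privileges, so write access to those files undoes the restriction.
```

sudo records each invocation through syslog by default, so server restarts are attributable to a named user rather than to a shared root login.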