From owner-freebsd-questions Wed Oct 4 19:51:14 2000
Delivered-To: freebsd-questions@freebsd.org
Received: from guru.mired.org (okc-27-149-77.mmcable.com [24.27.149.77]) by hub.freebsd.org (Postfix) with SMTP id 9FB2937B502 for ; Wed, 4 Oct 2000 19:51:12 -0700 (PDT)
Received: (qmail 25844 invoked by uid 100); 5 Oct 2000 02:51:11 -0000
From: Mike Meyer
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-ID: <14811.60575.915025.704286@guru.mired.org>
Date: Wed, 4 Oct 2000 21:51:11 -0500 (CDT)
To: "Dan Mahoney, System Admin"
Cc: questions@freebsd.org
Subject: Re: Securing SU
In-Reply-To: <37074764@toto.iv>
X-Mailer: VM 6.72 under 21.1 (patch 10) "Capitol Reef" XEmacs Lucid
X-face: "5Mnwy%?j>IIV\)A=):rjWL~NB2aH[}Yq8Z=u~vJ`"(,&SiLvbbz2W`;h9L,Yg`+vb1>RG% *h+%X^n0EZd>TM8_IB;a8F?(Fb"lw'IgCoyM.[Lg#r\
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

Dan Mahoney, System Admin writes:
> On Wed, 4 Oct 2000, roman wrote:
>
> > > I was wondering if there was a way to configure su so that it would
> > > disallow a user access if they're telnetted in. (but, say, allow them if
> > > they have sshed in).
> > what about sudo?
> > better than su, because you get to control who gets to do what as root.
>
> Oh, I have four people who have root, and need it. My web guy, my cgi
> guy, myself and my assistant...All of us need full root, and all are
> trusted (in fact one is a cousin and one is a fiancee).

Looks like a web server. If it's internet and not intranet, turning off
telnet should have been done before it went into production. I wouldn't be
surprised if those were the only four people who needed access to the
machine, which makes that straightforward.

Since I'm on the soapbox, I have to wonder why the web & cgi guys need
root access. The web stuff should all be owned by some user (not root)
(or group). Access to that user (group) should be all they need - except
for stopping and starting the server (damn Unix "privileged ports"). The
latter is an ideal use for sudo.

I've set up this kind of thing for outside contractors doing development
on boxes I was responsible for. Yes, they bitched about it, and yes, it
was a bit more work for me to set up - but I slept better at night
knowing the clowns in question could only screw up *their* stuff.
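The split Mike describes (site files owned by a non-root account, sudo reserved for the one step that needs root, binding the server to a privileged port) looks like the sudoers fragment below. It is an added example, not part of the thread or of the FreeBSD project; the account and group name `webadm`, the user names `webguy`, `cgiguy` and `dan`, the document root `/usr/local/www` and the `apachectl` path are all assumptions, since the thread never names the web server.

```sudoers
# Added example, not from the thread. Assumed names:
#   webadm                     - non-root account/group that owns the site
#   webguy, cgiguy             - the people who edit site and CGI content
#   dan                        - an admin who keeps full root
#   /usr/local/sbin/apachectl  - assumed server control script
#
# Ownership is set once, outside sudoers, so day-to-day editing needs
# no sudo at all (commands shown as a comment, assumed paths):
#   chown -R webadm:webadm /usr/local/www
#   chmod -R g+rwX /usr/local/www
#   pw groupmod webadm -M webguy,cgiguy
#
# sudo is used only for what an unprivileged user cannot do: starting
# and stopping a server that listens on a port below 1024.

User_Alias  WEBTEAM = webguy, cgiguy
Cmnd_Alias  WEBCTL  = /usr/local/sbin/apachectl start, \
                      /usr/local/sbin/apachectl stop, \
                      /usr/local/sbin/apachectl restart

# WEBTEAM members may run exactly these commands as root and nothing else;
# arguments are matched literally, so "apachectl -k anything" is refused.
WEBTEAM  ALL = (root) WEBCTL

# Full root stays with the admins who genuinely need it.
dan      ALL = (ALL) ALL
```

Each web team member can confirm the grant with `sudo -l`, and every invocation is logged by sudo to syslog with the user, the command and the arguments, which is the audit trail a shared root password never gives you. Editing the file through `visudo` keeps a syntax error from locking everyone out.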