From owner-freebsd-questions Sun Jul 18 22:58:13 1999
Delivered-To: freebsd-questions@freebsd.org
Received: from twwells.com (twwells.com [209.118.236.57]) by hub.freebsd.org (Postfix) with SMTP id A9FA414D2A for ; Sun, 18 Jul 1999 22:58:06 -0700 (PDT) (envelope-from news@twwells.com)
Received: from news by twwells.com with local (Exim 1.71 #2) id 1166MH-0003Lg-00; Mon, 19 Jul 1999 01:53:01 -0400
From: bill@twwells.com (T. William Wells)
To: freebsd-questions@freebsd.org
Subject: Re: how to watch the root user?
Message-ID: <7mue87$c87$1@twwells.com>
References: <37765F16.EA06FF48@ispro.net.tr>
Date: Mon, 19 Jul 1999 01:53:01 -0400
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

You cannot reliably do this. Someone with the root password can circumvent any monitoring you may put in place.

It is a very bad idea to give out root logins to anyone who does not absolutely need to have it. Once you've done that, you've pretty much given them complete control over your system. Certainly, there are ways to discourage casual misuse of the root account but there is nothing you can do to protect yourself from a determined attempt to subvert your system by someone who has the root password.

If you believe there are reasons why some people need root access, you should think through exactly _what_ access they need and then encapsulate that access in setuid programs or take advantage of various tools (like sudo) that allow controlled access to root facilities.
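
The controlled access the reply recommends, sketched as a sudoers fragment. This is an added example, not part of the original message; the user `alice`, the group `webops`, the nginx service and all paths are hypothetical, chosen to match a FreeBSD layout where sudo is installed from ports.

```sudoers
# /usr/local/etc/sudoers.d/webops  (edit with: visudo -f <this file>)
# Hypothetical names throughout: alice, webops, nginx, and the paths below.

# --- Weak: equivalent to handing out the root password -------------------
# alice can run anything as anyone, including a root shell, so any
# monitoring on this host can be switched off by alice.
#
#   alice   ALL = (ALL) ALL

# --- Also weak: looks scoped, but is not ---------------------------------
# An editor run as root can spawn a shell or open any other file.
#
#   %webops ALL = (root) /usr/bin/vi /usr/local/etc/nginx/nginx.conf

# --- Scoped: only the access the task actually needs ---------------------
# Record each sudo invocation and run commands in a pty so that
# session I/O can be captured.
Defaults:%webops  logfile="/var/log/sudo.log"
Defaults:%webops  use_pty, log_output

# Full path plus exact arguments: "service nginx restart" matches,
# "service sshd restart" or any extra argument does not.
Cmnd_Alias WEB_SVC = /usr/sbin/service nginx restart, \
                     /usr/sbin/service nginx reload, \
                     /usr/sbin/service nginx status

# sudoedit copies the file, runs the editor as the invoking user,
# then installs the result; the editor itself never runs as root.
Cmnd_Alias WEB_CFG = sudoedit /usr/local/etc/nginx/nginx.conf

# Members of webops may run only the commands above, only as root.
%webops ALL = (root) WEB_SVC, WEB_CFG

# The log records what was run through sudo. As the reply says, it does
# not constrain anyone who holds full root on this host.
```

`sudo -l -U alice` lists what a given user is allowed to run, which is a quick way to confirm that no rule grants more than intended.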