Date: Sat, 25 Oct 2008 15:50:10 +0200
From: Jonathan McKeown <jonathan+freebsd-questions@hst.org.za>
To: freebsd-questions@freebsd.org
Subject: Re: root | su
Message-ID: <200810251550.10531.jonathan%2Bfreebsd-questions@hst.org.za>
In-Reply-To: <4902453C.3010009@webrz.net>
References: <172590.26774.qm@web56802.mail.re3.yahoo.com> <20081024211443.GA18056@icarus.home.lan> <4902453C.3010009@webrz.net>
On Friday 24 October 2008 23:59, Jos Chrispijn wrote:
> [Jeremy Chadwick said]
> > You're trying to solve a social (possibly personal?) problem with
> > technology. Simply put, this is a bad idea.
>
> Yep, I think that is true.
>
> > I would highly recommend you either talk to "the idiot" and explain to
> > him why what he's doing is improper or foolish, or simply pull his root
> > access entirely. If this is a work-related incident, talk to your boss
> > about it if at all possible (but see below). If you call the shots,
> > simply yank their access.
>
> The idiot is the boss himself and acts like an unguided missile.
> Just investigating before I give him a wake-up call. And that is exactly
> what I will do...
>
> > Food for thought. Cheers!
>
> Love it, thanks for sharing (everyone)!

I'm coming to this discussion a bit late, and in general it's true that
you can't limit root's ability to read files, execute programs, fiddle
with settings etc.

What you can do, which has limited usefulness but might fit your specific
case, is temporarily prevent root from using su to log in as another user
without knowing their password.

If you comment out (or remove entirely, which may slow down the other user
even more, if they're unfamiliar with pam) the line

    auth sufficient pam_rootok.so no_warn

in /etc/pam.d/su, root has to meet the same requirements as any other user
before using su.

Of course there's nothing to stop someone with root access from editing
this file, but now the problem user has to actively subvert a measure
that's been taken by another sysadmin - which may provide a better
starting-point for a conversation about what they're up to.

Jonathan
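As an added illustration of the pam_rootok.so change discussed in the message above (this is example code written for this page, not part of the mailing-list post or of FreeBSD itself), the following POSIX sh snippet audits a PAM service file and reports whether root can still bypass the password check. The two sample files it creates are constructed, simplified stand-ins for /etc/pam.d/su and are not verbatim copies of the real file; the function and variable names are this example's own.

```shell
#!/bin/sh
# Added audit helper (not from the mailing-list post): reports whether a PAM
# service file still lets root bypass password checks via pam_rootok.so.
# Returns 0 if an active (uncommented) "auth sufficient pam_rootok.so" line is
# present, 1 if not, 2 if the file cannot be read.
pam_rootok_active() {
    file="$1"
    [ -r "$file" ] || return 2
    # Drop comments (everything after '#'), then look for an auth line whose
    # control flag is "sufficient" and whose module is pam_rootok.so.  This
    # matches the FreeBSD-style line quoted in the post; other syntaxes
    # (e.g. "[success=ok ...]" controls) are deliberately not handled here.
    sed 's/#.*//' "$file" \
      | awk '$1 == "auth" && $2 == "sufficient" && $3 ~ /pam_rootok\.so$/ { found = 1 }
             END { if (found) exit 0; exit 1 }'
}

# Audit one or more PAM service files, print a verdict for each, and return
# the number of files in which the root bypass is still active.
audit_pam_rootok() {
    bad=0
    for f in "$@"; do
        if pam_rootok_active "$f"; then
            echo "$f: pam_rootok.so ACTIVE - root can su to another user without that user's password"
            bad=$((bad + 1))
        else
            echo "$f: pam_rootok.so not active - root must satisfy the normal auth stack"
        fi
    done
    return $bad
}

# Constructed sample files (simplified; not a verbatim copy of FreeBSD's
# /etc/pam.d/su).  They are left in a mktemp directory for inspection.
TMPDIR_DEMO=$(mktemp -d)

cat > "$TMPDIR_DEMO/su.default" <<'EOF'
# PAM configuration for the "su" service (constructed sample)
auth        sufficient  pam_rootok.so   no_warn
auth        include     system
account     include     system
EOF

cat > "$TMPDIR_DEMO/su.hardened" <<'EOF'
# Same sample with the root bypass commented out, as the post suggests
#auth       sufficient  pam_rootok.so   no_warn
auth        include     system
account     include     system
EOF

audit_pam_rootok "$TMPDIR_DEMO/su.default" "$TMPDIR_DEMO/su.hardened" \
    || echo "$? file(s) still allow the root bypass"
```

Running the script prints one line per file: the default sample is flagged as ACTIVE and the hardened sample is not, and the final message reports one file still allowing the bypass. Because the check strips comments before matching, a line that is merely commented out counts as disabled, which is exactly the edit the post describes; pointing the function at the live /etc/pam.d/su shows whether that edit is still in place.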
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200810251550.10531.jonathan%2Bfreebsd-questions>