From owner-freebsd-questions@FreeBSD.ORG Sat Jun 12 12:00:28 2004
From: Andy Smith
To: freebsd-questions@freebsd.org
Date: Sat, 12 Jun 2004 11:59:59 +0000
Subject: Re: want sudo but not sudo su - how
Message-ID: <20040612115959.GW76275@caffreys.strugglers.net>
In-Reply-To: <20040612101402.GC72289@itconsultuk.net>
X-URL: http://freebsdwiki.org/User:Andy

On Sat, Jun 12, 2004 at 11:14:02AM +0100, John wrote:
> Greetings, freebsd-questions
>
> I want to put operators in sudo BUT I don't want them to sudo su -
> because after they do that, subsequent commands enacted as root don't
> appear in the logs. The desired behaviour would be sudo su command (any
> command) but not sudo su -, for these users. Is there a way of enforcing
> this?
You might be able to do it by limiting the commands that are accessible to
the person, but if they run any shell, or run any program that drops to a
shell (e.g. one they wrote themselves in 2 minutes), then they would have an
unrestricted root shell again.

> The reason being that if they do something and the server e.g. goes
> titsup, I want to see what was done in the logs. Would be grateful for
> any assistance the list may have.

It might be best to just say "I don't want you doing this" and then punish
people who do, since you do have logs.

If you're trying to restrict what people can do with sudo it will be better
to explicitly list each binary they can run as root and make sure there's
no way they can modify those binaries.

-- 
http://freebsdwiki.org/ - Encrypted mail welcome - keyid 0xBF15490B