From: John
Date: Sat, 12 Jun 2004 14:29:52 +0100
To: freebsd-questions@freebsd.org
Subject: Re: want sudo but not sudo su - how
Message-ID: <20040612132952.GC87930@itconsultuk.net>
In-Reply-To: <20040612115959.GW76275@caffreys.strugglers.net>

On Sat, Jun 12, 2004 at 11:59:59AM +0000, Andy Smith wrote:
> It might be best to just say "I don't want you doing this" and then
> punish people who do, since you do have logs.

yeah, thought this might be the case :| thanks for confirming it.

> If you're trying to restrict what people can do with sudo it will be
> better to explicitly list each binary they can run as root and make
> sure there's no way they can modify those binaries.

yeah, but too many binaries (or roles too diffuse, tightening up of which
would be another way of handling it)

cheers
-- 
John
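
The quoted advice to list each binary and make sure the sudo users cannot modify it can be checked mechanically. The script below is an added example, not part of the original message; `path_is_locked`, `audit_allowlist` and `TRUSTED_OWNER` are hypothetical names, and it only inspects each command and its containing directory (parent directories further up need the same properties).

```shell
#!/bin/sh
# Added example, not from the thread. TRUSTED_OWNER is an assumption of
# this sketch: the only account allowed to own an allow-listed command.
TRUSTED_OWNER="${TRUSTED_OWNER:-root}"

# path_is_locked PATH: succeed only if PATH exists, belongs to
# TRUSTED_OWNER and is not writable by group or other. With -H, a
# symlink given as PATH is judged by the file it points to.
path_is_locked() {
    [ -e "$1" ] || return 1
    # find prints the path only when one of the unsafe conditions holds.
    unsafe=$(find -H "$1" -maxdepth 0 \
        \( ! -user "$TRUSTED_OWNER" -o -perm -020 -o -perm -002 \) \
        -print 2>/dev/null) || return 1
    [ -z "$unsafe" ]
}

# audit_allowlist PATH...: print one line per problem and return the
# number of problems found (0 means every listed command is locked down).
audit_allowlist() {
    bad=0
    for bin in "$@"; do
        case "$bin" in
            /*) ;;
            *)  # A relative entry depends on the caller's directory.
                echo "NOT ABSOLUTE: $bin"; bad=$((bad + 1)); continue ;;
        esac
        if ! path_is_locked "$bin"; then
            echo "MODIFIABLE OR MISSING: $bin"; bad=$((bad + 1))
        elif ! path_is_locked "$(dirname "$bin")"; then
            # A writable directory lets the file be replaced outright.
            echo "DIRECTORY REPLACEABLE: $(dirname "$bin")"; bad=$((bad + 1))
        fi
    done
    return "$bad"
}

# Stand-alone use: pass the commands named in the sudoers allow-list.
if [ "$#" -gt 0 ]; then
    audit_allowlist "$@"
fi
```
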