From owner-freebsd-questions@FreeBSD.ORG  Wed Dec  5 23:44:11 2012
Return-Path: <owner-freebsd-questions@FreeBSD.ORG>
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52])
 by hub.freebsd.org (Postfix) with ESMTP id D09C515C
 for <freebsd-questions@freebsd.org>; Wed,  5 Dec 2012 23:44:11 +0000 (UTC)
 (envelope-from kurt.buff@gmail.com)
Received: from mail-ee0-f54.google.com (mail-ee0-f54.google.com [74.125.83.54])
 by mx1.freebsd.org (Postfix) with ESMTP id 54B268FC0C
 for <freebsd-questions@freebsd.org>; Wed,  5 Dec 2012 23:44:11 +0000 (UTC)
Received: by mail-ee0-f54.google.com with SMTP id c13so4033084eek.13
 for <freebsd-questions@freebsd.org>; Wed, 05 Dec 2012 15:44:10 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113;
 h=mime-version:in-reply-to:references:date:message-id:subject:from:to
 :cc:content-type;
 bh=kUAOUwQT/nQ/9vTSXyd6maBZQRYCZ484dOS7OQn3ACw=;
 b=eRWuWFBqIAT/CLBZhnjvMC5qPfm+zFbTCse8UmwkjTZtiplpF3WQU8+hVgFqq/1nzQ
 7EYK0yDwpkriTvJ1mru02eTnRi4Exl9rr3qyWN9Cx0HavMgSFadkDM1V6KDAR5nOpd01
 hpbZn5dEs5W0yRhEiden5FSWkZJ7To/1TWmPUNb1ZRe6LLB58qPq2zh6Nn7Qwax1TrDp
 DODjV1LvJEchyFS9VbLv7fgBSltcr98O8T7Scyee02ifzM6IHZSuEHDGqvuTPrBOETed
 1n7KJeWd7JEqFGT6BhzDMQpGu8TBerUNeE8SMS9+Vvs7KaIW3Ql2sOUd70QngUKkoy2A
 KJAA==
MIME-Version: 1.0
Received: by 10.14.2.196 with SMTP id 44mr66163661eef.25.1354751050434; Wed,
 05 Dec 2012 15:44:10 -0800 (PST)
Received: by 10.14.221.135 with HTTP; Wed, 5 Dec 2012 15:44:10 -0800 (PST)
In-Reply-To: <50BFD674.8000305@tundraware.com>
References: <50BFD674.8000305@tundraware.com>
Date: Wed, 5 Dec 2012 15:44:10 -0800
Message-ID: <CADy1Ce5CCA4ExOok4DndA4C-MazbegZY1OKztCNqUZHGzLJgTA@mail.gmail.com>
Subject: Re: Somewhat OT: Is Full Command Logging Possible?
From: Kurt Buff <kurt.buff@gmail.com>
To: Tim Daneliuk <tundra@tundraware.com>
Content-Type: text/plain; charset=UTF-8
Cc: FreeBSD Mailing List <freebsd-questions@freebsd.org>
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.14
Precedence: list
List-Id: User questions <freebsd-questions.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/options/freebsd-questions>, 
 <mailto:freebsd-questions-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-questions>
List-Post: <mailto:freebsd-questions@freebsd.org>
List-Help: <mailto:freebsd-questions-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-questions>, 
 <mailto:freebsd-questions-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Wed, 05 Dec 2012 23:44:11 -0000

On Wed, Dec 5, 2012 at 3:19 PM, Tim Daneliuk <tundra@tundraware.com> wrote:
> I am working with an institution that today provides limited privilege
> escalation
> on their servers via very specific sudo rules.  The problem is that the
> administrators can do 'sudo su -'.
<snip>


sudo is misconfigured.

man 5 sudoers and man 8 visudo



Kurt