From owner-freebsd-questions@FreeBSD.ORG Thu Dec 6 00:35:35 2012
Delivered-To: freebsd-questions@freebsd.org
Date: Wed, 5 Dec 2012 16:35:33 -0800
In-Reply-To: <50BFDD51.5000100@tundraware.com>
References: <50BFD674.8000305@tundraware.com> <50BFDD51.5000100@tundraware.com>
Subject: Re: Somewhat OT: Is Full Command Logging Possible?
From: Kurt Buff
To: Tim Daneliuk
Cc: FreeBSD Mailing List
List-Id: User questions

On Wed, Dec 5, 2012 at 3:48 PM, Tim Daneliuk wrote:
> On 12/05/2012 05:44 PM, Kurt Buff wrote:
>> On Wed, Dec 5, 2012 at 3:19 PM, Tim Daneliuk wrote:
>>> I am working with an institution that today provides limited privilege
>>> escalation on their servers via very specific sudo rules. The problem is
>>> that the administrators can do 'sudo su -'.
>>
>> sudo is misconfigured.
>>
>> man 5 sudoers and man 8 visudo
>>
>> Kurt
>
> I'm sorry Kurt, I'm sort of dense today, I'm not sure what you're
> saying. Are you suggesting that there is a way to configure
> sudo so that if someone does 'sudo su -' to become an admin,
> sudo can be made to log every command they execute thereafter?

No, I'm saying that sudo should not be configured to allow 'sudo su -'.

Since you say that the users are provided "limited privilege escalation on
their servers via very specific sudo rules", it seems to me that one of three
things is going wrong:

o- Something is wrong with the configuration of sudoers if they can su to
   root when they shouldn't be able to do so

o- Someone has misconceived what "limited privilege escalation on their
   servers via very specific sudo rules" actually means, and deliberately has
   it configured to allow users to su to root

o- The users' accounts are already root equivalent, which, depending on the
   version and configuration of sudo, might give them the ability to sudo to
   root regardless of the contents of the sudoers file (see, for instance,
   the screen in FreeBSD when you perform 'cd /usr/ports/security/sudo' and
   then 'make config')

Kurt
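The sudoers contrast Kurt is pointing at, as an added illustration that is not part of the mailing-list message. It assumes a FreeBSD host where the administrators sit in a hypothetical group "ops" and need only service restarts and package maintenance; the group name, command paths and service name are placeholders chosen for the example. The first two rules are the shapes that let an administrator reach a root shell; the third is the specific-rule form the original poster's institution presumably intended.

```sudoers
# Added example, not from the thread. Group "ops", the nginx service and the
# command set are hypothetical; adjust to the role being delegated.

# WEAK: grants every command as any user, so 'sudo su -' is just one of them.
# %ops ALL=(ALL) ALL

# ALSO WEAK: blacklisting su on top of ALL does not help. A user who can run
# arbitrary commands as root can copy su (or any shell) to a path the
# negation does not name, or reach a shell from an editor or pager that was
# allowed. sudo's own documentation warns that '!' rules cannot be relied on
# to restrict a user who is otherwise granted ALL.
# %ops ALL=(ALL) ALL, !/usr/bin/su

# CORRECTED: enumerate exactly what the role needs. Each entry is a full
# path with literal arguments; nothing here spawns a shell.
Cmnd_Alias OPS_SERVICES = /usr/sbin/service nginx restart, \
                          /usr/sbin/service nginx status
Cmnd_Alias OPS_PKG      = /usr/sbin/pkg upgrade, /usr/sbin/pkg audit
%ops ALL=(root) OPS_SERVICES, OPS_PKG

# A '*' in a command's arguments matches spaces too, so a pattern such as
# "/usr/sbin/pkg install *" is wider than it reads (extra flags and extra
# package names all match). Prefer literal arguments as above.

# Do not let an already-root process chain sudo ("sudo sudo ..."), which is
# the sudo-side lever behind Kurt's third point.
Defaults !root_sudo

# Session logging for what DOES run under sudo: log_output records each
# command's terminal output under /var/log/sudo-io. It only sees the
# sudo-launched command; a root shell reached via 'sudo su -' is opaque to
# it, which is the reason su must not be granted in the first place.
Defaults log_output
```

Edit this only through visudo so a syntax error cannot lock everyone out; a fragment kept in a separate file can be checked with `visudo -c -f /path/to/fragment` before it is installed. After the change, `sudo -l` as a member of the group should list just the OPS_SERVICES and OPS_PKG commands, and `sudo su -` should be refused and logged as a denied attempt.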