Date:      Wed, 5 Dec 2012 16:35:33 -0800
From:      Kurt Buff <kurt.buff@gmail.com>
To:        Tim Daneliuk <tundra@tundraware.com>
Cc:        FreeBSD Mailing List <freebsd-questions@freebsd.org>
Subject:   Re: Somewhat OT: Is Full Command Logging Possible?
Message-ID:  <CADy1Ce4c2b3zFxentKvXnNw0y5zhurYgaAXWbqybgtQhG9w9ZA@mail.gmail.com>
In-Reply-To: <50BFDD51.5000100@tundraware.com>
References:  <50BFD674.8000305@tundraware.com> <CADy1Ce5CCA4ExOok4DndA4C-MazbegZY1OKztCNqUZHGzLJgTA@mail.gmail.com> <50BFDD51.5000100@tundraware.com>

On Wed, Dec 5, 2012 at 3:48 PM, Tim Daneliuk <tundra@tundraware.com> wrote:
> On 12/05/2012 05:44 PM, Kurt Buff wrote:
>>
>> On Wed, Dec 5, 2012 at 3:19 PM, Tim Daneliuk <tundra@tundraware.com>
>> wrote:
>>>
>>> I am working with an institution that today provides limited privilege
>>> escalation
>>> on their servers via very specific sudo rules.  The problem is that the
>>> administrators can do 'sudo su -'.
>>
>> <snip>
>>
>>
>> sudo is misconfigured.
>>
>> man 5 sudoers and man 8 visudo
>>
>>
>>
>> Kurt
>>
>
> I'm sorry Kurt, I'm sort of dense today, I'm not sure what you're
> saying.  Are you suggesting that there is a way to configure
> sudo so that if someone does 'sudo su -' to become an admin,
> sudo can be made to log every command they execute thereafter?

No, I'm saying that sudo should not be configured to allow 'sudo su -'.

Since you say that the users are provided "limited privilege
escalation on their servers via very specific sudo rules", it seems to
me that one of three things is going wrong:

o- Something is wrong with the configuration of sudoers if they can su
to root when they shouldn't be able to do so

o- Someone has misconceived what "limited privilege escalation on
their servers via very specific sudo rules" actually means, and
deliberately has it configured to allow users to su to root

o- The users' accounts are already root equivalent, which, depending
on the version and configuration of sudo, might give them the ability
to sudo to root regardless of the contents of the sudoers file (see,
for instance, the screen in FreeBSD when you perform 'cd
/usr/ports/security/sudo' and then 'make config')

Kurt
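
[Added example, not part of the original message or thread.] One way to check for the first two failure modes listed above is to scan the sudoers rules for entries that hand out a root shell. The function names and the sample rules are constructed for illustration, and the parser is a simplification: it handles one host specification per rule and treats every `#` as a comment.

```python
import re

SHELLS = {"su", "sh", "bash", "csh", "tcsh", "ksh", "zsh"}
SKIP = ("Defaults", "User_Alias", "Host_Alias", "Runas_Alias")

def logical_lines(text):  # yields (first_lineno, line); continuations joined
    buf, start = "", 0
    for n, raw in enumerate(text.splitlines(), 1):
        start = start if buf else n
        line = raw.split("#", 1)[0].rstrip()  # simplification: ignores #include and #uid
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        if (buf + line).strip():
            yield start, (buf + line).strip()
        buf = ""

def audit_sudoers(text):
    """Return (lineno, who, command, reason) for rules that can yield a root shell."""
    aliases, findings = {}, []
    for n, line in logical_lines(text):
        if line.startswith(SKIP) or "=" not in line:
            continue
        left, _, right = line.partition("=")
        right = re.sub(r"\([^)]*\)", "", right)  # drop Runas specs such as (ALL)
        cmds = [re.sub(r"^\s*([A-Z_]+:\s*)*", "", c).strip() for c in right.split(",")]
        if left.startswith("Cmnd_Alias"):
            aliases[left.split()[1]] = cmds  # remember alias for later expansion
            continue
        for cmd in (c for item in cmds for c in aliases.get(item, [item])):
            if cmd.startswith("!") or not cmd:
                continue  # exclusions never grant anything
            if cmd == "ALL":
                findings.append((n, left.split()[0], cmd, "any command, so su and shells too"))
            elif cmd.split()[0].rsplit("/", 1)[-1] in SHELLS:
                findings.append((n, left.split()[0], cmd, "interactive root shell"))
    return findings

# Constructed sample, not taken from the thread.
SAMPLE = """\
Cmnd_Alias WEB = /usr/sbin/service apache24 restart, \\
                 /usr/bin/su -
alice  ALL = (root) WEB
bob    ALL = (root) NOPASSWD: /usr/sbin/service nginx reload
%wheel ALL = (ALL) ALL, !/usr/bin/su
"""

if __name__ == "__main__":
    print(*audit_sudoers(SAMPLE), sep="\n")
```

The `%wheel` rule is still reported despite the `!/usr/bin/su` exclusion, because sudoers(5) notes that subtracting commands from `ALL` with `!` is generally not effective.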


