Date:      Wed, 05 Dec 2012 19:01:21 -0600
From:      Tim Daneliuk <tundra@tundraware.com>
Cc:        FreeBSD Mailing List <freebsd-questions@freebsd.org>
Subject:   Re: Somewhat OT: Is Full Command Logging Possible?
Message-ID:  <50BFEE61.7070005@tundraware.com>
In-Reply-To: <CADy1Ce4c2b3zFxentKvXnNw0y5zhurYgaAXWbqybgtQhG9w9ZA@mail.gmail.com>
References:  <50BFD674.8000305@tundraware.com> <CADy1Ce5CCA4ExOok4DndA4C-MazbegZY1OKztCNqUZHGzLJgTA@mail.gmail.com> <50BFDD51.5000100@tundraware.com> <CADy1Ce4c2b3zFxentKvXnNw0y5zhurYgaAXWbqybgtQhG9w9ZA@mail.gmail.com>

On 12/05/2012 06:35 PM, Kurt Buff wrote:
> On Wed, Dec 5, 2012 at 3:48 PM, Tim Daneliuk <tundra@tundraware.com> wrote:
>> On 12/05/2012 05:44 PM, Kurt Buff wrote:
>>>
>>> On Wed, Dec 5, 2012 at 3:19 PM, Tim Daneliuk <tundra@tundraware.com>
>>> wrote:
>>>>
>>>> I am working with an institution that today provides limited privilege
>>>> escalation
>>>> on their servers via very specific sudo rules.  The problem is that the
>>>> administrators can do 'sudo su -'.
>>>
>>> <snip>
>>>
>>>
>>> sudo is misconfigured.
>>>
>>> man 5 sudoers and man 8 visudo
>>>
>>>
>>>
>>> Kurt
>>>
>>
>> I'm sorry Kurt, I'm sort of dense today, I'm not sure what you're
>> saying.  Are you suggesting that there is a way to configure
>> sudo so that if someone does 'sudo su -' to become an admin,
>> sudo can be made to log every command they execute thereafter?
>
> No, I'm saying that sudo should not be configured to allow 'sudo su -'.
>
> Since you say that the users are provided "limited privilege
> escalation on their servers via very specific sudo rules", it seems to
> me that one of three things is going wrong:
>
> o- Something is wrong with the configuration of sudoers if they can su
> to root when they shouldn't be able to do so
>
> o- Someone has misconceived what "limited privilege escalation on
> their servers via very specific sudo rules" actually means, and
> deliberately has it configured to allow users to su to root
>
> o- The users' accounts are already root equivalent, which, depending
> on the version and configuration of sudo, might give them the ability
> to sudo to root regardless of the contents of the sudoers file (see,
> for instance, the screen in FreeBSD when you perform 'cd
> /usr/ports/security/sudo' and then 'make config')
>
> Kurt
>
Oh, OK, I wasn't being clear:

- *Some* users are granted the ability to do sudo su -.  These
   are the sysadmins.

- All other users are given selective ability to run only a few
   things via sudo.  This varies by department and is controlled
   through a combination of sudo rules and central LDAP group
   membership control.  This is necessary because, for example,
   some DBAs need this when installing a particular client.

-- 
----------------------------------------------------------------------------
Tim Daneliuk     tundra@tundraware.com
PGP Key:         http://www.tundraware.com/PGP/
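To make the two sudoers shapes discussed in this thread concrete, the following is an added example written for this archive page; it is not configuration from either poster. Group names (wheel, dba), the installer path, and the I/O log directory are assumptions chosen for illustration. The weak rule is the one Kurt objects to: a blanket ALL grant, which necessarily permits 'sudo su -'. The restricted rule is the per-department style Tim describes; the %group form is resolved through the system's group database (nsswitch), so a centrally managed LDAP group works the same way as a local one. The Defaults lines answer the original subject: sudo cannot log the individual commands typed inside a root shell it spawned, because from sudo's point of view the only command was 'su -', but sudo 1.7.4 and later can record the session's terminal input and output, which sudoreplay(8) can play back.

```sudoers
## Weak (assumed example): a blanket grant. Anything goes, including
## 'sudo su -', and sudo's per-command log then records only "su -".
%wheel  ALL=(ALL) ALL

## Restricted (assumed example): a department group may run exactly one
## command as root. Members get no shell and no other escalation path.
Cmnd_Alias  DBA_INSTALL = /usr/local/bin/oracle-client-install
%dba    ALL=(root) DBA_INSTALL

## Do NOT rely on subtracting su from a blanket grant; sudoers(5) warns
## that negation is not a security boundary, since a user can copy
## /usr/bin/su to another path and run that instead.
# %wheel  ALL=(ALL) ALL, !/usr/bin/su

## Session recording for every sudo invocation (sudo >= 1.7.4).
## Keystrokes and terminal output are written under iolog_dir and
## replayed with: sudoreplay -l   /   sudoreplay <session-id>
Defaults    log_input, log_output
Defaults    iolog_dir=/var/log/sudo-io
```

Always edit with visudo(8) so a syntax error cannot lock everyone out; a candidate file can be checked without installing it using `visudo -cf /path/to/file`. Two caveats apply to the logging lines: I/O logs only cover what passes through the sudo-allocated pty, so they say nothing about a job started with nohup or at from inside the session, and anyone who does reach a root shell can delete or edit the iolog directory, so the recordings are only trustworthy if they are shipped off the host promptly.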




Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?50BFEE61.7070005>