Date: Wed, 05 Dec 2012 19:01:21 -0600 From: Tim Daneliuk <tundra@tundraware.com> Cc: FreeBSD Mailing List <freebsd-questions@freebsd.org> Subject: Re: Somewhat OT: Is Full Command Logging Possible? Message-ID: <50BFEE61.7070005@tundraware.com> In-Reply-To: <CADy1Ce4c2b3zFxentKvXnNw0y5zhurYgaAXWbqybgtQhG9w9ZA@mail.gmail.com> References: <50BFD674.8000305@tundraware.com> <CADy1Ce5CCA4ExOok4DndA4C-MazbegZY1OKztCNqUZHGzLJgTA@mail.gmail.com> <50BFDD51.5000100@tundraware.com> <CADy1Ce4c2b3zFxentKvXnNw0y5zhurYgaAXWbqybgtQhG9w9ZA@mail.gmail.com>
next in thread | previous in thread | raw e-mail | index | archive | help
On 12/05/2012 06:35 PM, Kurt Buff wrote: > On Wed, Dec 5, 2012 at 3:48 PM, Tim Daneliuk <tundra@tundraware.com> wrote: >> On 12/05/2012 05:44 PM, Kurt Buff wrote: >>> >>> On Wed, Dec 5, 2012 at 3:19 PM, Tim Daneliuk <tundra@tundraware.com> >>> wrote: >>>> >>>> I am working with an institution that today provides limited privilege >>>> escalation >>>> on their servers via very specific sudo rules. The problem is that the >>>> administrators can do 'sudo su -'. >>> >>> <snip> >>> >>> >>> sudo is misconfigured. >>> >>> man 5 sudoers and man 8 visudo >>> >>> >>> >>> Kurt >>> >> >> I'm sorry Kurt, I'm sort of dense today, I'm not sure what you're >> saying. Are you suggesting that there is a way to configure >> sudo so that if someone does 'sudo su -' to become an admin, >> sudo can be made to log every command they execute thereafter? > > No, I'm saying that sudo should not be configured to allow 'sudo su -'. > > Since you say that the users are provided "limited privilege > escalation on their servers via very specific sudo rules", it seems to > me that one of three things is going wrong: > > o- Something is wrong with the configuration of sudoers if they can su > to root when they shouldn't be able to do so > > o- Someone has misconceived what "limited privilege escalation on > their servers via very specific sudo rules" actually means, and > deliberately has it configured to allows users to su to root > > o- The users' accounts are already root equivalent, which, depending > on the version and configuration of sudo, might give them the ability > to sudo to root regardless of the contents of the sudoers file (see, > for instance, the screen in FreeBSD when you perform 'cd > /usr/ports/security/sudo' and then 'make config') > > Kurt > Oh, OK, I wasn't being clear: - *Some* users are granted the ability to do sudo su - These are the sysadmins. - All other user are given selective ability to run only a few things via sudo. This varies by department and is controlled through a combination of sudo rules and central LDAP group membership control. This is necessary because, for example, some DBAs need this when installing a particular client. -- ---------------------------------------------------------------------------- Tim Daneliuk tundra@tundraware.com PGP Key: http://www.tundraware.com/PGP/
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?50BFEE61.7070005>