Date:      Thu, 6 Dec 2012 10:26:14 +0100
From:      Fleuriot Damien <ml@my.gd>
To:        Kurt Buff <kurt.buff@gmail.com>
Cc:        Tim Daneliuk <tundra@tundraware.com>, FreeBSD Mailing List <freebsd-questions@freebsd.org>
Subject:   Re: Somewhat OT: Is Full Command Logging Possible?
Message-ID:  <CF3B41F4-5B38-4468-914A-B73E7EBEDEB9@my.gd>
In-Reply-To: <CADy1Ce4c2b3zFxentKvXnNw0y5zhurYgaAXWbqybgtQhG9w9ZA@mail.gmail.com>
References:  <50BFD674.8000305@tundraware.com> <CADy1Ce5CCA4ExOok4DndA4C-MazbegZY1OKztCNqUZHGzLJgTA@mail.gmail.com> <50BFDD51.5000100@tundraware.com> <CADy1Ce4c2b3zFxentKvXnNw0y5zhurYgaAXWbqybgtQhG9w9ZA@mail.gmail.com>


On Dec 6, 2012, at 1:35 AM, Kurt Buff <kurt.buff@gmail.com> wrote:

> On Wed, Dec 5, 2012 at 3:48 PM, Tim Daneliuk <tundra@tundraware.com> wrote:
>> On 12/05/2012 05:44 PM, Kurt Buff wrote:
>>>
>>> On Wed, Dec 5, 2012 at 3:19 PM, Tim Daneliuk <tundra@tundraware.com>
>>> wrote:
>>>>
>>>> I am working with an institution that today provides limited privilege
>>>> escalation
>>>> on their servers via very specific sudo rules.  The problem is that the
>>>> administrators can do 'sudo su -'.
>>>
>>> <snip>
>>>
>>>
>>> sudo is misconfigured.
>>>
>>> man 5 sudoers and man 8 visudo
>>>
>>>
>>>
>>> Kurt
>>>
>>
>> I'm sorry Kurt, I'm sort of dense today, I'm not sure what you're
>> saying.  Are you suggesting that there is a way to configure
>> sudo so that if someone does 'sudo su -' to become an admin,
>> sudo can be made to log every command they execute thereafter?
>
> No, I'm saying that sudo should not be configured to allow 'sudo su -'.


This is an ineffective solution.

So what, you're going to forbid "sudo su -".

Fine, I'll just run "sudo csh".

If you forbid csh, I'll just copy the existing `which csh` to ~/toto and "sudo ~/toto".



Basically, anything short of actually whitelisting what people can run won't do.

And apparently that's not in Tim's list of desirable things ;)
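To make the point concrete, here is an added sudoers(5) example (not part of the thread, and not configuration from the original poster's site) showing the "forbid su" approach the reply above rejects next to an actual allow list. The group name `ops`, the nginx and postgresql services, the log paths and the sudo version assumed for the digest line are all assumptions for illustration.

```sudoers
## Weak: blacklisting shells out of ALL.  sudo matches commands by path, so
## "sudo csh", "sudo vi" (":!sh") or a copy of csh under ~ all still give a
## root shell.  The '!' entries below achieve nothing (see sudoers(5)).
# %ops ALL=(root) ALL, !/usr/bin/su, !/bin/csh

## Allow list: absolute paths and fully spelled-out arguments.  A command is
## only permitted if both match, so a renamed binary or an extra argument
## does not.  (Assumed services and paths for this example.)
Cmnd_Alias SERVICES = /usr/sbin/service nginx restart, \
                      /usr/sbin/service nginx reload, \
                      /usr/sbin/service postgresql restart
Cmnd_Alias LOGS     = /usr/bin/tail -f /var/log/messages, \
                      /usr/bin/tail -f /var/log/nginx/error.log

## Nothing that can spawn a child goes on the list: su, any shell, vi/less
## (":!sh"), find (-exec), editors, pagers.  NOEXEC stops a dynamically
## linked program from exec'ing anything further; it would break service(8),
## which is a script, so it is applied to the tail rules only.
%ops ALL=(root) SERVICES
%ops ALL=(root) NOEXEC: LOGS

## Optional, sudo 1.8.7 or later (assumed): pin a command to its SHA-256 so
## a swapped or trojaned binary at the same path no longer matches.
# %ops ALL=(root) sha256:<hex digest of /usr/sbin/service> /usr/sbin/service nginx restart

## The logging Tim asked about: record every sudo session's input and
## output for sudoreplay(8).  Only useful once root shells are off the list,
## since a root shell can simply delete the recordings.
Defaults log_input, log_output
Defaults iolog_dir=/var/log/sudo-io
```

Two caveats a practitioner should keep in mind: NOEXEC relies on LD_PRELOAD of sudo_noexec.so, so it does nothing for statically linked or set-user-ID programs; and a wildcard in an argument that takes a path (`/usr/bin/tail -f /var/log/nginx/*`) matches `/` too, which is why the paths above are spelled out in full. Always edit with visudo(8) so a syntax error cannot lock everyone out.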




Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?CF3B41F4-5B38-4468-914A-B73E7EBEDEB9>