From owner-freebsd-questions@FreeBSD.ORG Thu Dec 29 17:58:11 2011 Return-Path: Delivered-To: freebsd-questions@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 1047A106564A for ; Thu, 29 Dec 2011 17:58:11 +0000 (UTC) (envelope-from freebsd@edvax.de) Received: from mx01.qsc.de (mx01.qsc.de [213.148.129.14]) by mx1.freebsd.org (Postfix) with ESMTP id 9F26C8FC08 for ; Thu, 29 Dec 2011 17:58:10 +0000 (UTC) Received: from r56.edvax.de (port-92-195-26-82.dynamic.qsc.de [92.195.26.82]) by mx01.qsc.de (Postfix) with ESMTP id B8E713CB2B; Thu, 29 Dec 2011 18:58:09 +0100 (CET) Received: from r56.edvax.de (localhost [127.0.0.1]) by r56.edvax.de (8.14.5/8.14.5) with SMTP id pBTHw917002227; Thu, 29 Dec 2011 18:58:09 +0100 (CET) (envelope-from freebsd@edvax.de) Date: Thu, 29 Dec 2011 18:58:09 +0100 From: Polytropon To: Carl Johnson Message-Id: <20111229185809.0b28e71f.freebsd@edvax.de> In-Reply-To: <87y5tvcn9a.fsf@oak.localnet> References: <20111229105847.e15848ba.freebsd@edvax.de> <4EFC3FA3.1060603@my.gd> <87y5tvcn9a.fsf@oak.localnet> Organization: EDVAX X-Mailer: Sylpheed 3.1.1 (GTK+ 2.24.5; i386-portbld-freebsd8.2) Mime-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Cc: freebsd-questions@freebsd.org Subject: Re: OT: Root access policy X-BeenThere: freebsd-questions@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list Reply-To: Polytropon List-Id: User questions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 29 Dec 2011 17:58:11 -0000 On Thu, 29 Dec 2011 09:15:45 -0800, Carl Johnson wrote: > Damien Fleuriot writes: > > > On 12/29/11 10:58 AM, Polytropon wrote: > >> On Thu, 29 Dec 2011 04:01:42 -0500, Irk Ed wrote: > >>> For the first time, a customer is asking me for root access to said > >>> customer's servers. > >> > > >>> Assuming that I'll be asked to continue administering said servers, I guess > >>> I should at least enable accounting... > >> > >> You could have better success using sudo. Make sure > >> the customer is allowed to "sudo ". The > >> sudo program will log _all_ things the customer > >> does, so you can be sure you can review actions. > >> Furthermore you don't need to give him the _real_ > >> root password. He won't be able to "su root" or > >> to login as root, _real_ root. But he can use > >> the "sudo" prefix to issue commands "with root > >> privileges". > >> > > > > "sudo su -" or "sudo sh" and the customer gets a native root shell which > > does *not* log commands ! > > The sudoers manpage mention the noexec option which is designed to help > with the first problem. They also show an example using !SHELLS which > can help with the second. It's also worth mentioning "super" again - as an alternative to "sudo". But after all, if restricted in any way, both of them are _not_ requivalent to "full root access" (equals: root + root's password) which the customer initially demanded. -- Polytropon Magdeburg, Germany Happy FreeBSD user since 4.0 Andra moi ennepe, Mousa, ...