From owner-freebsd-questions@FreeBSD.ORG Thu Dec 6 19:54:28 2012
Date: Thu, 6 Dec 2012 11:54:27 -0800
Subject: Fwd: Somewhat OT: Is Full Command Logging Possible?
From: Kurt Buff
To: freebsd-questions@freebsd.org
Cc: Damien Fleuriot
References: <50BFD674.8000305@tundraware.com> <50BFDD51.5000100@tundraware.com>
List-Id: User questions

Sorry, forgot to reply all...
Kurt

---------- Forwarded message ----------
From: Kurt Buff
Date: Thu, Dec 6, 2012 at 11:53 AM
Subject: Re: Somewhat OT: Is Full Command Logging Possible?
To: Fleuriot Damien

On Thu, Dec 6, 2012 at 1:26 AM, Fleuriot Damien wrote:
>
> On Dec 6, 2012, at 1:35 AM, Kurt Buff wrote:
>
>> On Wed, Dec 5, 2012 at 3:48 PM, Tim Daneliuk wrote:
>>> On 12/05/2012 05:44 PM, Kurt Buff wrote:
>>>>
>>>> On Wed, Dec 5, 2012 at 3:19 PM, Tim Daneliuk wrote:
>>>>>
>>>>> I am working with an institution that today provides limited privilege
>>>>> escalation on their servers via very specific sudo rules. The problem is
>>>>> that the administrators can do 'sudo su -'.
>>>>
>>>> sudo is misconfigured.
>>>>
>>>> man 5 sudoers and man 8 visudo
>>>>
>>>> Kurt
>>>
>>> I'm sorry Kurt, I'm sort of dense today, I'm not sure what you're
>>> saying. Are you suggesting that there is a way to configure
>>> sudo so that if someone does 'sudo su -' to become an admin,
>>> sudo can be made to log every command they execute thereafter?
>>
>> No, I'm saying that sudo should not be configured to allow 'sudo su -'.
>
> This is an ineffective solution.
>
> So what, you're going to forbid "sudo su -"
>
> Fine, I'll just run "sudo csh" .
>
> If you forbid csh, I'll just copy the existing `which csh` to ~/toto and "sudo ~/toto" .
>
> Basically, anything short of actually whitelisting what people can run won't do.
>
> And apparently that's not in Tim's list of desirable things ;)

Whitelisting commands is exactly what the sudoers file is for. If he
wants to do otherwise, then he's using the wrong tool.

Kurt
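As an added illustration of the point Kurt's reply makes (this is example configuration written for this page, not something posted in the thread or shipped by FreeBSD or the sudo project), here is the permissive rule the thread is complaining about beside a whitelist built the way sudoers(5) intends, with sudo's own logging switched on so that every permitted invocation, including its tty input and output, is recorded. The group name `admins`, the file paths and the particular command list are assumptions chosen for a FreeBSD host; adjust them to what the administrators actually need.

```sudoers
## --- The weak rule from the thread (kept only for contrast, commented out) --
## Any member of wheel may run any command as root.  'sudo su -', 'sudo csh'
## and a renamed copy of a shell are all "allowed commands" under this rule,
## and once a shell is running sudo has nothing further to log.
# %wheel ALL=(ALL) ALL

## --- Logging for everything sudo does run -----------------------------------
## One line per invocation (who, from where, which command) in a flat log file.
Defaults logfile=/var/log/sudo.log
## Record the terminal input and output of every session; replay with sudoreplay(8).
Defaults log_input, log_output
Defaults iolog_dir=/var/log/sudo-io
## Run commands in a pseudo-tty so the I/O above can actually be captured.
Defaults use_pty
## Start each command from a clean environment rather than the caller's.
Defaults env_reset
## Where the platform supports it, stop permitted programs from exec()ing
## other programs, which is how editors and pagers would otherwise hand out a shell.
Defaults noexec

## --- Whitelist of commands, by absolute path, with literal arguments --------
## Paths and commands are assumptions for this example.  Arguments listed here
## are matched exactly; no wildcards are used, so nothing extra can be appended.
Cmnd_Alias SERVICES = /usr/sbin/service sshd restart, \
                      /usr/sbin/service sshd status
Cmnd_Alias PACKAGES = /usr/sbin/pkg update, \
                      /usr/sbin/pkg upgrade
## Configuration files are edited through sudoedit, which copies the file,
## runs the editor unprivileged, and copies the result back.
Cmnd_Alias CONFIGS  = sudoedit /etc/rc.conf, \
                      sudoedit /etc/ssh/sshd_config

## Members of the (assumed) 'admins' group get exactly these commands as root.
## su, any shell, and any binary outside the list (including a copy placed in a
## home directory) do not match a rule, so sudo refuses them and logs the refusal.
User_Alias ADMINS = %admins
ADMINS ALL = (root) SERVICES, PACKAGES, CONFIGS
```

Edit the file only through `visudo` (it checks the syntax before installing the result; `visudo -c` checks an existing file without editing), and verify the effect of the rules from the administrator's side with `sudo -l`, which prints exactly the commands the caller may run. The design choice worth noting is that the rules name the privilege, not the denial: rather than trying to enumerate which shells to forbid, which the thread shows cannot be made complete, the file enumerates the few commands that are needed, and everything else is refused by default.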