Date: Tue, 24 Jul 2007 14:41:10 -0400
From: Lowell Gilbert <freebsd-questions-local@be-well.ilk.org>
To: Tom Grove <freebsd@voidmain.net>
Cc: freebsd-questions@freebsd.org, Ian Lord <mailing-lists@msdi.ca>
Subject: Re: Root access loggin
Message-ID: <444pjt3ard.fsf@be-well.ilk.org>
In-Reply-To: <46A63689.80906@voidmain.net> (Tom Grove's message of "Tue, 24 Jul 2007 13:27:37 -0400")
References: <050b01c7ce16$960a0570$6400a8c0@msdi.local> <46A63689.80906@voidmain.net>
Tom Grove <freebsd@voidmain.net> writes:

> You could even go so far as to limit what he can use sudo on.
>
> $>man sudo
>
> Giving him full root access is probably not a good idea.

In practice, this approach *is* effectively giving him full root access. Once you have to give the tech the ability to edit root-owned files, you have to trust his honesty. There are some important advantages to doing it through sudo, though: one is that it makes it easy for the user to keep track of just the root-privileged commands, and another is that it's easier for the user to avoid shooting himself in the foot.

To watch everything done by the remote-connected tech, the most complete approach is probably watch(8), which is a much simpler way of getting everything typed on a particular tty.
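An added example, not part of the original message: a small parser that turns sudo's syslog entries into the per-user record of root-privileged commands the reply mentions, and marks allowed commands (shells, editors) that amount to unrestricted root. It assumes sudo's default syslog line format; the log lines are constructed, and the `OPEN_ENDED` list is an illustrative assumption, not an exhaustive one.

```python
import re
from collections import defaultdict

# Constructed sample in sudo's default syslog format (not taken from the thread).
SAMPLE_LOG = """\
Jul 24 13:40:02 gw sudo:     tech : TTY=ttyp1 ; PWD=/home/tech ; USER=root ; COMMAND=/usr/sbin/pkg_info
Jul 24 13:41:17 gw sudo:     tech : TTY=ttyp1 ; PWD=/etc ; USER=root ; COMMAND=/usr/bin/vi /etc/rc.conf
Jul 24 13:44:50 gw sudo:     tech : command not allowed ; TTY=ttyp1 ; PWD=/etc ; USER=root ; COMMAND=/bin/sh
Jul 24 13:52:31 gw sudo:    admin : TTY=ttyp0 ; PWD=/root ; USER=root ; COMMAND=/bin/sh -c 'tail /var/log/messages'
Jul 24 13:53:00 gw sshd[812]: Accepted publickey for tech from 192.0.2.10 port 50122 ssh2
"""

LINE = re.compile(r"^(?P<ts>\w{3}\s+\d+\s[\d:]+)\s\S+\ssudo(?:\[\d+\])?:"
                  r"\s+(?P<user>\S+)\s:\s(?P<body>.*)$")

# Assumption: programs that let the caller change any file or run anything,
# so a rule permitting them is effectively a grant of full root.
OPEN_ENDED = {"sh", "csh", "tcsh", "bash", "su", "vi", "vim", "ee", "emacs"}

def parse_sudo_log(text):
    """Return {user: [entry, ...]} for every sudo line, allowed or denied."""
    report = defaultdict(list)
    for line in text.splitlines():
        m = LINE.match(line)
        if not m or "COMMAND=" not in m["body"]:
            continue  # not a sudo command record
        # COMMAND is always the last field and may itself contain ';'.
        prefix, _, command = m["body"].partition("COMMAND=")
        fields, denied = {}, None
        for part in filter(None, (p.strip() for p in prefix.split(";"))):
            key, sep, value = part.partition("=")
            if sep:
                fields[key] = value
            else:
                denied = part  # e.g. "command not allowed"
        program = command.split()[0].rsplit("/", 1)[-1]
        report[m["user"]].append({
            "time": m["ts"], "tty": fields.get("TTY"),
            "runas": fields.get("USER"), "command": command,
            "denied": denied, "open_ended": program in OPEN_ENDED,
        })
    return dict(report)

def open_ended_grants(report):
    """Allowed commands that give the caller unrestricted root."""
    return [(user, e["command"]) for user, entries in report.items()
            for e in entries if e["open_ended"] and not e["denied"]]

if __name__ == "__main__":
    for user, cmd in open_ended_grants(parse_sudo_log(SAMPLE_LOG)):
        print(f"{user}: {cmd}")
```
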