From owner-freebsd-questions@FreeBSD.ORG Tue Jul 24 19:28:40 2007
From: Tom Grove <freebsd@voidmain.net>
Date: Tue, 24 Jul 2007 15:28:23 -0400
To: freebsd-questions@freebsd.org
Cc: Ian Lord
Subject: Re: Root access loggin
Message-ID: <46A652D7.4030001@voidmain.net>
In-Reply-To: <444pjt3ard.fsf@be-well.ilk.org>
References: <050b01c7ce16$960a0570$6400a8c0@msdi.local> <46A63689.80906@voidmain.net> <444pjt3ard.fsf@be-well.ilk.org>

Lowell Gilbert wrote:
> Tom Grove writes:
>
>> You could even go so far as to limit what he can use sudo on.
>>
>> $>man sudo
>>
>> Giving him full root access is probably not a good idea.
>
> In practice, this approach *is* effectively giving him full root
> access. Once you have to give the tech the ability to edit root-owned
> files, you have to trust his honesty.

Once any kind of local access is given to a user, trust becomes an issue, regardless of root access or not.
By only allowing a certain set of commands, there would still need to be a great deal of cracking to gain more access. If one just gives out root access, no more would need to be done. This is where sudo is unlike root access.

> There are some important
> advantages to doing it through sudo, though: one is that it makes it
> easy for the user to keep track of just the root-privileged commands,
> and another is that it's easier for the user to avoid shooting himself
> in the foot.

Another advantage of sudo is not having to give out the root password. A possible solution may be using sudo and watch together.

> To watch everything done by the remote-connected tech, the most
> complete approach is probably watch(8), which is a much simpler way of
> getting everything typed on a particular tty.

While I agree that any kind of raised privilege may not be the best idea, if it is necessary, sudo adds a layer of protection you do not get with straight root.

-Tom
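The kind of restricted sudoers policy the thread is talking about, written out as an added example (it is not from the list thread or from either poster). The user name `tech`, the host name `host1`, the service names and the file paths are assumed placeholders; the sudo options used (`Cmnd_Alias`, `sudoedit`, `logfile`, `log_output`, `iolog_dir`) are real sudoers keywords, the last two needing sudo 1.7.4 or newer.

```sudoers
# Added example, not from the thread. "tech", "host1", the service and the
# config path are assumed placeholders; adapt them to the actual machine.
# Install with visudo (on FreeBSD the port keeps it at /usr/local/etc/sudoers),
# never by editing the file directly, so a syntax error cannot lock everyone out.

# Name the permitted commands once, always with absolute paths, so that a
# look-alike binary in the tech's home directory or a PATH trick is never
# what actually gets run.  Avoid '*' wildcards in arguments: sudoers matches
# them with fnmatch(3) and a '*' can swallow extra arguments you did not intend.
Cmnd_Alias SERVICES = /usr/local/etc/rc.d/apache22 restart, \
                      /usr/local/etc/rc.d/apache22 status
Cmnd_Alias DIAG     = /usr/bin/tail -n 200 /var/log/httpd-error.log, \
                      /usr/bin/netstat -an

# Editing root-owned files is exactly where "limited sudo" collapses into
# full root (Lowell's objection): an editor running as root can shell out or
# open any file.  sudoedit copies the file to a temp location, runs the
# user's editor as the *user*, then writes the result back as root, so the
# editor process itself never holds root.  Grant that, not "vi as root".
Cmnd_Alias EDITCONF = sudoedit /usr/local/etc/apache22/httpd.conf

# Tie the grant to one host and keep the password prompt (no NOPASSWD), so an
# unattended or hijacked session still needs a credential to escalate.
tech  host1 = (root) SERVICES, DIAG, EDITCONF

# Log every invocation (who, what, when).  With sudo >= 1.7.4, log_output also
# records the tty session of each allowed command into iolog_dir, which covers
# the "see what the tech typed" goal without a separate watch(8) session.
Defaults logfile=/var/log/sudo.log
Defaults log_output
Defaults iolog_dir=/var/log/sudo-io
```

Two checks worth doing before trusting a policy like this: run `visudo -c` to confirm it parses, and review every listed command for whether it can spawn a shell or open an arbitrary file (pagers, editors, anything with an `-exec` style option), because any such command makes the command list equivalent to a root shell, which is the point Lowell makes above. If the watch(8) route from the thread is used as well, note that on FreeBSD it relies on the snp(4) snoop device, which has to be loaded on the host first.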