From owner-freebsd-questions@FreeBSD.ORG Tue Jul 24 19:41:58 2007
Return-Path:
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 1C4DA16A418 for ; Tue, 24 Jul 2007 19:41:58 +0000 (UTC) (envelope-from jjfitzgerald@gmail.com)
Received: from mu-out-0910.google.com (mu-out-0910.google.com [209.85.134.190]) by mx1.freebsd.org (Postfix) with ESMTP id 8CF6E13C469 for ; Tue, 24 Jul 2007 19:41:57 +0000 (UTC) (envelope-from jjfitzgerald@gmail.com)
Received: by mu-out-0910.google.com with SMTP id w9so2298471mue for ; Tue, 24 Jul 2007 12:41:56 -0700 (PDT)
DKIM-Signature: a=rsa-sha1; c=relaxed/relaxed; d=gmail.com; s=beta; h=domainkey-signature:received:received:message-id:date:from:to:subject:cc:in-reply-to:mime-version:content-type:content-transfer-encoding:content-disposition:references; b=gZ4DlqGKdSQ8VVAAmsBD+bT57qEXnL7wHvhfLVf+LG2ANu9ujuM7rDv+AO9vDDWurMbUVB9zrXBp3DZA/48G1Lo8foe+wuoBnz61VUgi5lPHc7g5JxO+qjzVXr+n5gh9mv2sEmrTfM6X3oKkA9snL2oJbRwdlF6dWd9WWIWPVnA=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=beta; h=received:message-id:date:from:to:subject:cc:in-reply-to:mime-version:content-type:content-transfer-encoding:content-disposition:references; b=nZVlUZ+lscobj1jNegsrNVdmj80IUmd70iM9ilrd/Ihq02l2PJDCGQJ5YMvoQ4SemUBnk0FKPO1oJqw7EwAnFh7zOXE/CroyxKvpX9WY1lrZLtCvxjRUIOBGhsxAjX2erVeSYt5mlssuMWnUMRZBoaYb5E/u/QsZMxgY0AobyKQ=
Received: by 10.82.116.15 with SMTP id o15mr3590062buc.1185306115953; Tue, 24 Jul 2007 12:41:55 -0700 (PDT)
Received: by 10.82.162.9 with HTTP; Tue, 24 Jul 2007 12:41:55 -0700 (PDT)
Message-ID: <5e49673f0707241241w4c751dbbi4a28590e5b164fc2@mail.gmail.com>
Date: Tue, 24 Jul 2007 15:41:55 -0400
From: "John Fitzgerald"
To: "Tom Grove"
In-Reply-To: <46A652D7.4030001@voidmain.net>
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
References: <050b01c7ce16$960a0570$6400a8c0@msdi.local> <46A63689.80906@voidmain.net> <444pjt3ard.fsf@be-well.ilk.org> <46A652D7.4030001@voidmain.net>
Cc: freebsd-questions@freebsd.org, Ian Lord
Subject: Re: Root access loggin
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: User questions
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Tue, 24 Jul 2007 19:41:58 -0000

I may be misunderstanding this, but wouldn't allowing only certain commands with sudo assume that the user actually knows what commands are needed by the user? In this situation it seems like the whole reason to grant access to the server was because the user _doesn't_ know what needs to be done.

On 7/24/07, Tom Grove wrote:
> Lowell Gilbert wrote:
> > Tom Grove writes:
> >
> >
> >> You could even go so far as to limit what he can use sudo on.
> >>
> >> $>man sudo
> >>
> >> Giving him full root access is probably not a good idea.
> >>
> >
> > In practice, this approach *is* effectively giving him full root
> > access. Once you have to give the tech the ability to edit root-owned
> > files, you have to trust his honesty.
> Once any kind of local access is given to a user trust becomes an issue;
> regardless of root access or not. By only allowing a certain set of
> commands there would still need to be a great deal of cracking to gain
> more access. If one just gives out root access no more would need to be
> done. This is where sudo is unlike root access.
> > There are some important
> > advantages to doing it through sudo, though: one is that it makes it
> > easy for the user to keep track of just the root-privileged commands,
> > and another is that it's easier for the user to avoid shooting himself
> > in the foot.
> >
> Other advantages to sudo are not having to give out the root password.
> A possible solution may be using sudo and watch together.
> > To watch everything done by the remote-connected tech, the most
> > complete approach is probably watch(8), which is a much simpler way of
> > getting everything typed on a particular tty.
> > _______________________________________________
> > freebsd-questions@freebsd.org mailing list
> > http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> > To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org"
> >
>
> While I agree that any kind of raised privilege may not be the best
> idea, if it is necessary, sudo adds a layer of protection you do not get
> with straight root.
>
> -Tom
>
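The disagreement in the thread is whether a sudo command whitelist is really narrower than root. The check below, added here as an example and not code from the FreeBSD list thread or from the sudo project, reads a sudoers-style whitelist and flags entries that collapse to full root: `ALL`, interactive programs that can spawn a shell or write any file regardless of their arguments (vi, less, a shell), and programs that escape when the caller chooses the arguments (sudoers treats a bare command path as "any arguments allowed"). The sample sudoers text is constructed, the two escape-command sets are an illustrative subset rather than a complete catalogue, and the parser handles only the common one-line user specification form (no aliases, Defaults or line continuations).

```python
"""Flag sudoers command whitelist entries that amount to full root.

Added example for the sudo-versus-root discussion above; it is not code
from the FreeBSD list thread or from the sudo project.  The sample
sudoers text is constructed, and the two escape-command sets are an
illustrative subset (an assumption), not a complete catalogue.
"""

import re
from typing import List, Tuple

# Interactive programs that let the caller run a command or write any file
# from inside the program, so fixed arguments do not contain them
# (e.g. vi's ":!sh" or ":w /etc/sudoers", less's "!sh").  Illustrative subset.
INTERACTIVE_ESCAPES = {
    "sh", "bash", "csh", "tcsh", "ksh", "zsh",
    "vi", "vim", "ee", "emacs",
    "less", "more", "man",
}

# Programs that escape only when the caller chooses the arguments
# (find -exec, awk system(), tee onto /etc/sudoers, cp over a root file).
# Illustrative subset.
ARGUMENT_ESCAPES = {"find", "awk", "perl", "python", "tee", "cp", "mv", "dd"}

# Constructed sample; not a real host's configuration.
SAMPLE_SUDOERS = """\
# constructed example sudoers
tech    ALL = (root) /usr/sbin/service apache22 restart, /usr/bin/tail -f /var/log/httpd-error.log
tech    ALL = (root) /usr/bin/vi /usr/local/etc/apache22/httpd.conf
tech    ALL = (root) NOPASSWD: /usr/bin/find
tech    ALL = (root) /usr/bin/find /var/log -mtime +7
contractor ALL = (ALL) ALL
"""

TAG_RE = re.compile(r"^(?:[A-Z]+:\s*)+")        # NOPASSWD:, SETENV:, ...
RUNAS_RE = re.compile(r"\(([^)]*)\)\s*(.*)")     # (root) ... / (ALL) ...


def parse_user_specs(text: str) -> List[Tuple[str, str, List[str]]]:
    """Return (user, runas, [command entries]) per user specification.

    Handles only the common one-line form:
        user  host = (runas) [TAG:] command, command
    Aliases, Defaults lines and line continuations are out of scope.
    """
    specs = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("Defaults") or "=" not in line:
            continue
        lhs, rhs = line.split("=", 1)
        user = lhs.split()[0]
        runas, rhs = "root", rhs.strip()     # sudo runs as root when no (runas) is given
        m = RUNAS_RE.match(rhs)
        if m:
            runas, rhs = m.group(1).strip(), m.group(2)
        cmds = [TAG_RE.sub("", c.strip()) for c in rhs.split(",") if c.strip()]
        specs.append((user, runas, cmds))
    return specs


def caller_controls_args(entry: str) -> bool:
    """A bare path in sudoers allows any arguments; wildcards allow many."""
    argv = entry.split()
    if len(argv) == 1:
        return True
    return any(ch in entry for ch in "*?[")


def escape_reason(entry: str) -> str:
    """Why this single entry is effectively unrestricted root, or '' if it is not."""
    if entry == "ALL":
        return "ALL grants every command"
    prog = entry.split()[0].rsplit("/", 1)[-1]
    if prog in INTERACTIVE_ESCAPES:
        return f"{prog} can spawn a shell or write any file from inside the program"
    if prog in ARGUMENT_ESCAPES and caller_controls_args(entry):
        return f"{prog} with caller-chosen arguments can run commands or overwrite root files"
    return ""


def audit(text: str) -> List[Tuple[str, str, str]]:
    """Return (user, entry, reason) for every entry that collapses to full root."""
    findings = []
    for user, _runas, cmds in parse_user_specs(text):
        for entry in cmds:
            reason = escape_reason(entry)
            if reason:
                findings.append((user, entry, reason))
    return findings


if __name__ == "__main__":
    for user, entry, reason in audit(SAMPLE_SUDOERS):
        print(f"{user}: {entry!r}: {reason}")
```

Against the constructed sample this flags the vi entry (an editor with a fixed file argument is still an escape), the bare find entry (no arguments listed means any arguments are allowed, including -exec) and the (ALL) ALL entry, while the service and tail entries and the find entry with fixed arguments pass. That is the distinction Lowell Gilbert draws above: once an allowed command can edit root-owned files, the whitelist is full root with extra steps. For the logging side of the question, watch(8) captures the tty as the thread says; current sudo versions can additionally record each sudo session themselves with `Defaults log_input, log_output` in sudoers and play it back with sudoreplay(8), which covers the commands but not what happens inside an editor escape.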