Date: Tue, 24 Jul 2007 15:23:52 -0500
From: Paul Schmehl <pauls@utdallas.edu>
To: Ian Lord <mailing-lists@msdi.ca>, freebsd-questions@freebsd.org
Message-ID: <A4BA3AEA2481104F45B9F544@utd59514.utdallas.edu>
In-Reply-To: <054701c7ce2d$6f42d6d0$6400a8c0@msdi.local>
References: <050b01c7ce16$960a0570$6400a8c0@msdi.local>
	<46A63689.80906@voidmain.net>
	<444pjt3ard.fsf@be-well.ilk.org>	<46A652D7.4030001@voidmain.net>
	<5e49673f0707241241w4c751dbbi4a28590e5b164fc2@mail.gmail.com>
	<054701c7ce2d$6f42d6d0$6400a8c0@msdi.local>
Subject: RE: Root access loggin


--On Tuesday, July 24, 2007 16:01:33 -0400 Ian Lord <mailing-lists@msdi.ca> wrote:

>
>
> -----Original Message-----
> From: John Fitzgerald [mailto:jjfitzgerald@gmail.com]
> Sent: 24 juillet 2007 15:42
> To: Tom Grove
> Cc: freebsd-questions@freebsd.org; Ian Lord
> Subject: Re: Root access loggin
>
> I may be misunderstanding this, but wouldn't allowing only certain
> commands with sudo assume that the user actually knows what commands
> are needed by the user? In this situation it seems like the whole
> reason to grant access to the server was because the user _doesn't_
> know what needs to be done.
> ~~
>
> Exactly, I don't know what needs to be done, and neither do they.
> That's why they need to browse around trying to figure out why their
> installer doesn't work.
>
> Sudo wouldn't be any help here because I would need to pre-approve commands
> and I don't know which ones will be needed.
>
You seem to have a mistaken understanding of sudo.  You can grant them
access to everything that root has simply by adding their account to the
wheel group and using visudo to grant wheel access to everything that root
has access to.  You can do this with or without a requirement to type your
password when you use sudo.

This will allow them to do everything they want while logging every command
they type.  And that seems to be exactly what you want.  So, rather than
giving them the root password, create an account for them, add it to the
wheel group and use visudo to edit /usr/local/etc/sudoers to grant wheel
access to everything.  (DO NOT edit the file with vi!)

To add the wheel group to a user:
pw usermod username -G wheel
# -G replaces the account's whole list of additional groups, so name every
# group the user should keep, not only wheel.

Granting access to wheel should be self-explanatory:

# Uncomment to allow people in group wheel to run all commands
%wheel  ALL=(ALL)       ALL
# %wheel        ALL=(ALL)       NOPASSWD: ALL

That way everything they do is logged, and you don't have to compromise
your root password.

-- 
Paul Schmehl (pauls@utdallas.edu)
Senior Information Security Analyst
The University of Texas at Dallas
http://www.utdallas.edu/ir/security/
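
As an added example (not code from the post above), here is a small Python
audit of the trail sudo leaves once the %wheel entry is in place. It parses
the syslog lines sudo writes by default, counts commands per user, lists
denials, and flags the one case the "everything is logged" argument does not
cover on its own: a wheel user who runs "sudo sh", "sudo -s" or "sudo su -"
gets a root shell, and sudo records that one invocation but nothing typed
into the shell afterwards. The log lines, host name, user names and paths
below are constructed for the example.

```python
import os
import re

# One syslog line per sudo invocation, in sudo's default format. The text
# after "user :" is a list of KEY=VALUE fields separated by " ; "; a denial
# carries a free-text reason (e.g. "command not allowed") before the fields.
SUDO_LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sudo:\s+"
    r"(?P<user>\S+) : (?P<rest>.+)$"
)
FIELD = re.compile(r"(\w+)=(.*?)(?= ; \w+=|$)")

# Programs that hand the caller an interactive root shell. sudo logs the
# invocation itself but nothing the user types into that shell.
SHELL_ESCAPES = {"sh", "bash", "csh", "tcsh", "zsh", "su"}

# Constructed sample: three sudo calls by "ian", an unrelated sshd line,
# and one denied call by "bob" (who is not in wheel). Not real log data.
SAMPLE_LOG = """\
Jul 24 15:30:01 box sudo:     ian : TTY=pts/0 ; PWD=/home/ian ; USER=root ; COMMAND=/bin/ls /root
Jul 24 15:30:40 box sudo:     ian : TTY=pts/0 ; PWD=/home/ian ; USER=root ; COMMAND=/usr/bin/tail -n 50 /var/log/messages
Jul 24 15:31:12 box sudo:     ian : TTY=pts/0 ; PWD=/home/ian ; USER=root ; COMMAND=/bin/sh
Jul 24 15:32:05 box sshd[1234]: Accepted publickey for ian from 192.0.2.10 port 50000 ssh2
Jul 24 15:35:09 box sudo:     bob : command not allowed ; TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/sbin/reboot
"""


def parse_sudo_line(line):
    """Parse one syslog line; return a dict, or None if it is not a sudo record."""
    m = SUDO_LINE.match(line)
    if m is None:
        return None
    rec = {"ts": m.group("ts"), "host": m.group("host"), "user": m.group("user")}
    rest = m.group("rest")
    head = rest.split(" ; ", 1)[0]
    if "=" not in head:  # free-text reason means sudo refused the command
        rec["denied"] = head
    for key, value in FIELD.findall(rest):
        rec[key] = value
    return rec


def is_shell_escape(rec):
    """True if the logged COMMAND gives the user a root shell (sh, su, ...)."""
    cmd = rec.get("COMMAND", "")
    prog = os.path.basename(cmd.split(" ", 1)[0])
    return prog in SHELL_ESCAPES


def audit(log_text):
    """Summarise a syslog excerpt: records, commands per user, denials, escapes."""
    records = [r for r in map(parse_sudo_line, log_text.splitlines()) if r]
    per_user = {}
    for r in records:
        per_user[r["user"]] = per_user.get(r["user"], 0) + 1
    return {
        "records": records,
        "per_user": per_user,
        "denied": [r for r in records if "denied" in r],
        "escapes": [r for r in records if is_shell_escape(r)],
    }


if __name__ == "__main__":
    result = audit(SAMPLE_LOG)
    for r in result["records"]:
        flag = "DENIED" if "denied" in r else ""
        print(f'{r["ts"]} {r["user"]:>5} -> {r.get("COMMAND")} {flag}')
    for r in result["escapes"]:
        print(f'WARNING: {r["user"]} got a root shell at {r["ts"]}; '
              f'commands run inside it are not in this log')
```

On a FreeBSD box with the sudo port, point this at /var/log/auth.log (or
whichever file syslog.conf routes the auth facility to). If the shell-escape
warning is something you need to close rather than just notice, sudo's
log_output option records the session to a typescript, which covers the
commands a plain syslog line cannot.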
