From owner-freebsd-questions@FreeBSD.ORG Tue Jul 24 22:00:57 2007
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 0CDF116A417 for ; Tue, 24 Jul 2007 22:00:57 +0000 (UTC) (envelope-from jhary@unsane.co.uk)
Received: from unsane.co.uk (unknown [IPv6:2001:470:1f01:ffff::121]) by mx1.freebsd.org (Postfix) with ESMTP id 6FB1213C442 for ; Tue, 24 Jul 2007 22:00:56 +0000 (UTC) (envelope-from jhary@unsane.co.uk)
Received: from [10.0.0.178] ([10.0.0.178]) (authenticated bits=0) by unsane.co.uk (8.14.0/8.14.0) with ESMTP id l6OLxffg025762 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Tue, 24 Jul 2007 22:59:42 +0100 (BST) (envelope-from jhary@unsane.co.uk)
Message-ID: <46A6768F.3040408@unsane.co.uk>
Date: Tue, 24 Jul 2007 23:00:47 +0100
From: Vince Hoffman-Kazlauskas
User-Agent: Thunderbird 1.5.0.10 (X11/20070324)
MIME-Version: 1.0
To: Paul Schmehl
References: <050b01c7ce16$960a0570$6400a8c0@msdi.local> <46A63689.80906@voidmain.net> <444pjt3ard.fsf@be-well.ilk.org> <46A652D7.4030001@voidmain.net> <5e49673f0707241241w4c751dbbi4a28590e5b164fc2@mail.gmail.com> <054701c7ce2d$6f42d6d0$6400a8c0@msdi.local>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Cc: freebsd-questions@freebsd.org, Ian Lord
Subject: Re: Root access loggin
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: User questions
X-List-Received-Date: Tue, 24 Jul 2007 22:00:57 -0000

Paul Schmehl wrote:
> --On Tuesday, July 24, 2007 16:01:33 -0400 Ian Lord
> wrote:
>
>> -----Original Message-----
>> From: John Fitzgerald [mailto:jjfitzgerald@gmail.com]
>> Sent: 24 July 2007 15:42
>> To: Tom Grove
>> Cc: freebsd-questions@freebsd.org; Ian Lord
>> Subject: Re: Root access loggin
>>
>> I may be misunderstanding this, but wouldn't allowing only certain
>> commands with sudo assume that the user actually knows what commands
>> are needed by the user? In this situation it seems like the whole
>> reason to grant access to the server was because the user _doesn't_
>> know what needs to be done.
>> ~~
>>
>> Exactly, I don't know what needs to be done, and they don't either.
>> That's why they need to browse around trying to figure out why their
>> installer doesn't work.
>>
>> Sudo wouldn't be any help here because I would need to pre-approve
>> commands, and I don't know which ones will be needed.
>>
> You seem to have a mistaken understanding of sudo. You can grant them
> access to everything that root has simply by adding their account to
> the wheel group and using visudo to grant wheel access to everything
> that root has access to. You can do this with or without a
> requirement to type your password when you use sudo.
>
> This will allow them to do everything they want while logging every
> command they type. And that seems to be exactly what you want. So,
> rather than giving them the root password, create an account for them,
> add it to the wheel group and use visudo to edit
> /usr/local/etc/sudoers to grant wheel access to everything. (DO NOT
> edit the file with vi!)
>
> To add the wheel group to a user:
> pw usermod username -G wheel
>
> Granting access to wheel should be self-explanatory:
>
> # Uncomment to allow people in group wheel to run all commands
> %wheel ALL=(ALL) ALL
> # %wheel ALL=(ALL) NOPASSWD: ALL
>
> That way everything they do is logged, and you don't have to
> compromise your root password.
>
The problem here is that the first command I type in this situation, if I
need to run multiple commands as root, is sudo su - and after that nothing
is logged.

I agree with Lowell that watch(8) is probably the way to go.

Vince
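The gap Vince points out (sudo logs the one command "sudo su -" and nothing after it) is visible in the sudo log itself. The script below is an added example, not code from anyone in this thread or from the sudo or FreeBSD projects: it scans sudo's syslog records for invocations whose COMMAND is su or a shell, which is exactly the point where per-command logging stops. The log lines are constructed for the example; the format assumed is the "user : TTY=... ; PWD=... ; USER=... ; COMMAND=..." line sudo writes to syslog (on FreeBSD normally /var/log/auth.log), and the list of shell names is an assumption to extend for local shells.

```shell
#!/bin/sh
# Added example (not from the thread): find sudo invocations that hand the
# user an interactive root shell, after which sudo records no further commands.

# Constructed sample records in sudo's syslog format (hostname "host" is made up).
SAMPLE_LOG='Jul 24 22:59:42 host sudo:  alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/sbin/pw usermod bob -G wheel
Jul 24 23:00:11 host sudo:  alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/su -
Jul 24 23:05:02 host sudo:  bob : TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/sh
Jul 24 23:07:30 host sudo:  bob : TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/bin/tail -n 50 /var/log/messages
Jul 24 23:09:15 host sudo:  carol : TTY=pts/2 ; PWD=/home/carol ; USER=root ; COMMAND=/usr/local/bin/bash -l'

# Read sudo log lines on stdin; print "user command" for each record whose
# COMMAND is su or a shell (the shell list is an assumption; extend as needed).
flag_shell_escapes() {
    awk '
        /sudo: / && /COMMAND=/ {
            split($0, parts, "COMMAND=")      # everything after COMMAND= is the command line
            cmd = parts[2]
            split(cmd, argv, " ")             # argv[1] is the program path
            n = split(argv[1], segs, "/")
            base = segs[n]                    # basename of the program
            if (base == "su" || base == "sh" || base == "bash" || base == "csh" ||
                base == "tcsh" || base == "zsh" || base == "ksh") {
                # the invoking user is the field right after "sudo:"
                for (i = 1; i <= NF; i++) if ($i == "sudo:") { user = $(i + 1); break }
                print user, cmd
            }
        }'
}

# Convenience wrapper returning only the number of flagged records.
count_shell_escapes() {
    flag_shell_escapes | wc -l | tr -d ' '
}

# Run against the sample; for a real system feed the log file instead:
#   flag_shell_escapes < /var/log/auth.log
printf '%s\n' "$SAMPLE_LOG" | flag_shell_escapes
```

Each flagged record marks the start of a root session whose later commands sudo did not log, so those are the sessions to reconcile with watch(8) output or with sudo's own I/O logging (Defaults log_output in sudoers, available in newer sudo releases than the one discussed here), which records the whole terminal session including a shell started through su.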