Date:      Tue, 24 Jul 2007 17:26:53 -0500
From:      Paul Schmehl <pauls@utdallas.edu>
To:        Vince Hoffman-Kazlauskas <jhary@unsane.co.uk>
Cc:        freebsd-questions@freebsd.org, Ian Lord <mailing-lists@msdi.ca>
Subject:   Re: Root access loggin
Message-ID:  <118BCC3A40B82CA3176858BC@utd59514.utdallas.edu>
In-Reply-To: <46A6768F.3040408@unsane.co.uk>
References:  <050b01c7ce16$960a0570$6400a8c0@msdi.local> <46A63689.80906@voidmain.net>	<444pjt3ard.fsf@be-well.ilk.org> <46A652D7.4030001@voidmain.net> <5e49673f0707241241w4c751dbbi4a28590e5b164fc2@mail.gmail.com> <054701c7ce2d$6f42d6d0$6400a8c0@msdi.local> <A4BA3AEA2481104F45B9F544@utd59514.utdallas.edu> <46A6768F.3040408@unsane.co.uk>


--On Tuesday, July 24, 2007 23:00:47 +0100 Vince Hoffman-Kazlauskas
<jhary@unsane.co.uk> wrote:

> Paul Schmehl wrote:
>> --On Tuesday, July 24, 2007 16:01:33 -0400 Ian Lord
>> <mailing-lists@msdi.ca> wrote:
>>
>>>
>>>
>>> -----Original Message-----
>>> From: John Fitzgerald [mailto:jjfitzgerald@gmail.com]
>>> Sent: 24 juillet 2007 15:42
>>> To: Tom Grove
>>> Cc: freebsd-questions@freebsd.org; Ian Lord
>>> Subject: Re: Root access loggin
>>>
>>> I may be misunderstanding this, but wouldn't allowing only certain
>>> commands with sudo assume that the user actually knows what commands
>>> are needed by the user? In this situation it seems like the whole
>>> reason to grant access to the server was because the user _doesn't_
>>> know what needs to be done.
>>> ~~
>>>
>>> Exactly, I don't know what needs to be done, and they don't either.
>>> That's why they need to browse around trying to figure out why their
>>> installer doesn't work.
>>>
>>> Sudo wouldn't be any help here because I would need to pre-approve
>>> commands and I don't know which ones will be needed.
>>>
>> You seem to have a mistaken understanding of sudo.  You can grant them
>> access to everything that root has simply by adding their account to
>> the wheel group and using visudo to grant wheel access to everything
>> that root has access to.  You can do this with or without a
>> requirement to type your password when you use sudo.
>>
>> This will allow them to do everything they want while logging every
>> command they type.  And that seems to be exactly what you want.  So,
>> rather than giving them the root password, create an account for them,
>> add it to the wheel group and use visudo to edit
>> /usr/local/etc/sudoers to grant wheel access to everything.  (DO NOT
>> edit the file with vi!)
>>
>> To add the wheel group to a user:
>> pw usermod username -G wheel
>>
>> Granting access to wheel should be self-explanatory:
>>
>> # Uncomment to allow people in group wheel to run all commands
>> %wheel  ALL=(ALL)       ALL
>> # %wheel        ALL=(ALL)       NOPASSWD: ALL
>>
>> That way everything they do is logged, and you don't have to
>> compromise your root password.
>>
> The problem here is that the first command I type in this situation, if I
> need to run multiple commands as root, is sudo su -;
> after that nothing is logged.  I agree with Lowell that watch(8) is
> probably the way to go.
>
Well sure, but then you have a log entry where the vendor's tech clearly
tried to circumvent your restrictions.  That's cause for immediate
revocation of access and escalation of the issue to the vendor.  (Not that
you shouldn't use watch!)

-- 
Paul Schmehl (pauls@utdallas.edu)
Senior Information Security Analyst
The University of Texas at Dallas
http://www.utdallas.edu/ir/security/
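Added example, not part of the thread: the point Paul makes is that a `sudo su -` still leaves a sudo log record, so a reviewer can spot the moment per-command logging stopped. The script below parses the syslog-style records sudo writes (on FreeBSD normally to /var/log/messages via the auth facility) and flags every run of a shell or su as root, plus every denied attempt. The log lines, the host `buildhost` and the user `vendortech` are constructed for the example; the record layout follows sudo's standard `user : TTY=... ; PWD=... ; USER=... ; COMMAND=...` format.

```python
import re
from typing import Dict, List, Optional

# Constructed sample log extract. The sshd line is there to show that
# non-sudo records are skipped rather than mis-parsed.
SAMPLE_LOG = """\
Jul 24 16:05:12 buildhost sudo: vendortech : TTY=ttyp1 ; PWD=/home/vendortech ; USER=root ; COMMAND=/bin/ls /usr/local/etc
Jul 24 16:05:40 buildhost sudo: vendortech : TTY=ttyp1 ; PWD=/home/vendortech ; USER=root ; COMMAND=/usr/bin/tail -n 50 /var/log/messages
Jul 24 16:07:03 buildhost sudo: vendortech : TTY=ttyp1 ; PWD=/home/vendortech ; USER=root ; COMMAND=/usr/bin/su -
Jul 24 16:09:15 buildhost sudo: vendortech : TTY=ttyp1 ; PWD=/home/vendortech ; USER=root ; COMMAND=/bin/sh
Jul 24 16:11:00 buildhost sudo: vendortech : TTY=ttyp1 ; PWD=/home/vendortech ; USER=root ; COMMAND=/usr/local/bin/bash -l
Jul 24 16:12:30 buildhost sudo: vendortech : 3 incorrect password attempts ; TTY=ttyp1 ; PWD=/home/vendortech ; USER=root ; COMMAND=/sbin/reboot
Jul 24 16:15:45 buildhost sshd[812]: Accepted publickey for vendortech from 192.0.2.10 port 50322 ssh2
"""

# sudo's syslog record: "user : [reason ;] TTY=... ; PWD=... ; USER=... ; COMMAND=..."
# The optional reason field carries denials such as "3 incorrect password attempts"
# or "command not allowed"; the lookahead stops it from swallowing the TTY field.
SUDO_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sudo:\s+"
    r"(?P<user>\S+) : (?:(?P<reason>(?!TTY=)[^;]+?) ; )?"
    r"TTY=(?P<tty>\S+) ; PWD=(?P<pwd>\S+) ; USER=(?P<runas>\S+) ; COMMAND=(?P<cmd>.*)$"
)

# Programs that hand the user an interactive shell. Once one of these runs
# as root, sudo no longer sees the individual commands typed inside it.
SHELL_BINARIES = {"su", "sh", "csh", "tcsh", "bash", "zsh", "ksh"}


def parse_sudo_line(line: str) -> Optional[Dict[str, str]]:
    """Return the fields of one sudo record, or None for any other syslog line."""
    m = SUDO_RE.match(line)
    return m.groupdict() if m else None


def yields_root_shell(cmd: str) -> bool:
    """True when the logged COMMAND's program is a shell or su (by basename)."""
    argv = cmd.split()
    if not argv:
        return False
    return argv[0].rsplit("/", 1)[-1] in SHELL_BINARIES


def audit(log_text: str) -> List[Dict[str, str]]:
    """Collect records that need a human look: denials and root shell spawns."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_sudo_line(line)
        if rec is None:
            continue
        if rec["reason"]:
            findings.append({**rec, "finding": "denied: " + rec["reason"].strip()})
        elif rec["runas"] == "root" and yields_root_shell(rec["cmd"]):
            findings.append({**rec, "finding": "root shell: per-command logging ends here"})
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_LOG):
        print(f"{f['ts']} {f['user']} tty={f['tty']} cmd={f['cmd']!r}: {f['finding']}")
```

Run it on the real log and each reported line is a point at which the audit trail from sudo stops, which is exactly the record Paul says justifies pulling the account. The basename check is deliberate: `sudo -i` and `sudo -s` both show up in the log as the shell they started, so they are caught without special cases. Commands that can spawn a shell from inside (editors, pagers) are not flagged, since sudo only records the program it launched; that is where watch(8) or a session recorder fills the gap.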
