Date: Sat, 12 Jun 2004 11:59:59 +0000
From: Andy Smith <andy@freebsdwiki.org>
To: freebsd-questions@freebsd.org
Subject: Re: want sudo but not sudo su - how
Message-ID: <20040612115959.GW76275@caffreys.strugglers.net>
In-Reply-To: <20040612101402.GC72289@itconsultuk.net>
References: <20040612101402.GC72289@itconsultuk.net>

On Sat, Jun 12, 2004 at 11:14:02AM +0100, John wrote:
> Greetings, freebsd-questions
>
> I want to put operators in sudo BUT I don't want them to sudo su -
> because after they do that, subsequent commands enacted as root don't
> appear in the logs. The desired behaviour would be sudo su command (any
> command) but not sudo su -, for these users. Is there a way of enforcing
> this?

You might be able to do it by limiting the commands that are accessible
to the person, but if they run any shell, or run any program that drops
to a shell (e.g. one they wrote themselves in 2 minutes) then they would
have an unrestricted root shell again.

> The reason being that if they do something and the server eg goes
> titsup, I want to see what was done in the logs. Would be grateful for
> any assistance the list may have.

It might be best to just say "I don't want you doing this" and then
punish people who do, since you do have logs.

If you're trying to restrict what people can do with sudo it will be
better to explicitly list each binary they can run as root and make sure
there's no way they can modify those binaries.

-- 
http://freebsdwiki.org/ - Encrypted mail welcome - keyid 0xBF15490B
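
An added example, not part of the original message: a Python check of the two conditions the reply names for an explicit sudoers command list, namely that no entry is a shell (or `ALL`) and that neither a listed binary nor its directory can be modified by anyone but root. The command list, the `SHELL_LIKE` set and the function names are constructed for illustration, and the check cannot tell whether a listed program is able to spawn a shell internally.

```python
import os
import stat

# Constructed list of programs that hand out a shell; extend for your site.
SHELL_LIKE = {"su", "sh", "csh", "tcsh", "bash", "ksh", "zsh"}

def writable_by_untrusted(path, trusted_uids=frozenset({0})):
    """True if someone other than a trusted owner can modify `path`."""
    st = os.stat(path)  # follows symlinks, so the real target is checked
    loose_mode = bool(st.st_mode & (stat.S_IWGRP | stat.S_IWOTH))
    return st.st_uid not in trusted_uids or loose_mode

def audit(commands, trusted_uids=frozenset({0})):
    """Return (command, reason) findings for sudoers command entries."""
    findings = []
    for cmd in commands:
        path = cmd.split()[0]
        if path == "ALL":
            findings.append((cmd, "ALL permits any command, including shells"))
            continue
        if not os.path.isabs(path):
            findings.append((cmd, "not an absolute path"))
            continue
        if os.path.basename(path) in SHELL_LIKE:
            findings.append((cmd, "grants a root shell"))
        if not os.path.exists(path):
            findings.append((cmd, "missing: whoever creates it picks what runs as root"))
            continue
        # The binary and its directory: write access to either lets the
        # operator swap in a different program. A fuller audit would also
        # walk every ancestor directory.
        for target in (path, os.path.dirname(path)):
            if writable_by_untrusted(target, trusted_uids):
                findings.append((cmd, f"{target} is modifiable by a non-root user"))
    return findings

if __name__ == "__main__":
    # Constructed sample of commands an operator entry might allow.
    sample = ["/sbin/shutdown -r now", "/usr/bin/su -", "ALL"]
    for cmd, reason in audit(sample):
        print(f"{cmd}: {reason}")
```
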