Date:      Wed, 30 Jun 1999 22:27:34 +0300
From:      Evren Yurtesen <yurtesen@ispro.net.tr>
To:        "Jackson, Douglas H" <douglas.h.jackson@intel.com>, freebsd-security@freebsd.org
Subject:   how to keep track of root users?
Message-ID:  <377A6FA6.2967F7E1@ispro.net.tr>
References:  <0428AD6295E1D211AC4400A0C969E8A236F185@orsmsx43.jf.intel.com>

What is su2?
In our system there are multiple people who are logging in as root, and
I want to keep track of what they are doing when they are root.
How can I do that?

"Jackson, Douglas H" wrote:

> There are a number of ways to deal with a lost root password.
>
> You can always boot to single user mode with no password. I guess a drawback
> is that it requires a bit of down time while you do the reboot, and change
> the password. But if your system is so insecure that you are losing your
> root passwords, you probably have lots of downtime anyway.
>
> You could also use su2, which would allow you to have a number of different
> passwords which each allow you root access.  If you're losing track of the
> current root because multiple people are all using su from time-to-time,
> then this is probably a better bet for you anyway.
>
> Doug
>
> > -----Original Message-----
> > From: brooks@one-eyed-alien.net [mailto:brooks@one-eyed-alien.net]
> > Sent: Wednesday, June 30, 1999 11:30 AM
> > To: Anil Jangity
> > Cc: freebsd-security@FreeBSD.ORG
> > Subject: Re: kill!!!
> >
> >
> > On Wed, 30 Jun 1999, Anil Jangity wrote:
> >
> > > I was wondering, is it possible/safe to make kill(1) to not allow it to
> > > kill a root process run from the console? Only the console should be able
> > > to kill those processes and no one else.
> > >
> > > The reason is, I leave a root login on the console at all times... just
> > > in case something stupid happens like the passwd is changed for root or you
> > > can no longer su to root etc because of a compromise or whatever, but if
> > > you have a logged in root already, it'll be easy to fix those. I was
> > > thinking making kill not be able to kill the shell after it was hacked
> > > etc. <rambling>
> >
> > If you really wanted to, you could probably implement that feature, but I
> > think it would require a higher secure level.  In reality, it's probably a
> > waste of time for your purposes.  See the commit message below (this was
> > also committed to the RELENG_3 branch):
> >
> > --<cut>--
> > peter       1999/04/03 20:36:50 PST
> >
> >   Modified files:
> >     libexec/getty        gettytab.5 gettytab.h init.c main.c
> >   Log:
> >   Add an 'al' (autologin username) capability to getty/gettytab.  This is a
> >   damn useful thing for using with serial consoles in clusters etc or secure
> >   console locations.  Using a custom gettytab entry for console with
> >   an entry like 'al=root' means that there is *always* a root login ready on
> >   the console.  This should replace hacks like those which go with conserver
> >   etc.  (This is a loaded gun, watch out for those feet!)
> >
> >   Submitted by:  "Andrew J. Korty" <ajk@purdue.edu>
> > --<cut>--
> >
> > -- Brooks
> >
> >
> >
> > To Unsubscribe: send mail to majordomo@FreeBSD.org
> > with "unsubscribe freebsd-security" in the body of the message
> >
>