From: Lowell Gilbert
To: Tom Grove
Cc: freebsd-questions@freebsd.org, Ian Lord
Subject: Re: Root access logging
Date: Tue, 24 Jul 2007 14:41:10 -0400
Message-ID: <444pjt3ard.fsf@be-well.ilk.org>
In-Reply-To: <46A63689.80906@voidmain.net> (Tom Grove's message of "Tue, 24 Jul 2007 13:27:37 -0400")
References: <050b01c7ce16$960a0570$6400a8c0@msdi.local> <46A63689.80906@voidmain.net>
List-Id: freebsd-questions (User questions)

Tom Grove writes:

> You could even go so far as to limit what he can use sudo on.
>
> $>man sudo
>
> Giving him full root access is probably not a good idea.

In practice, this approach *is* effectively giving him full root access.
Once you have to give the tech the ability to edit root-owned files, you have to trust his honesty. There are some important advantages to doing it through sudo, though: one is that it makes it easy for the user to keep track of just the root-privileged commands, and another is that it's easier for the user to avoid shooting himself in the foot. To watch everything done by the remote-connected tech, the most complete approach is probably watch(8), which is a much simpler way of getting everything typed on a particular tty.
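An added example, not part of the thread above, of the "keep track of just the root-privileged commands" point: sudo writes one syslog record per invocation in the format shown below, and a quick pass over those records makes the reply's first point visible, since a "limited" sudoers entry that allows an editor, a pager or an interpreter hands out a root shell anyway (vi's :! escape, less's ! command, sh -c). The log lines, host name, user and the list of root-equivalent program names are all constructed for this illustration; the pattern list is a starting point, not an exhaustive one.

```shell
#!/bin/sh
# Added example: triage sudo's syslog records for commands that are
# root-equivalent in practice. Not code from the original mailing-list
# thread. Host "fbsd", user "tech", paths and the pattern list are
# constructed / assumed for illustration.

# Constructed sample in sudo's default syslog record format.
SAMPLE='Jul 24 14:41:10 fbsd sudo:     tech : TTY=ttyp0 ; PWD=/home/tech ; USER=root ; COMMAND=/usr/bin/vi /etc/rc.conf
Jul 24 14:42:03 fbsd sudo:     tech : TTY=ttyp0 ; PWD=/home/tech ; USER=root ; COMMAND=/sbin/ifconfig fxp0
Jul 24 14:43:51 fbsd sudo:     tech : TTY=ttyp0 ; PWD=/home/tech ; USER=root ; COMMAND=/bin/sh -c id
Jul 24 14:45:12 fbsd sudo:     tech : TTY=ttyp0 ; PWD=/home/tech ; USER=root ; COMMAND=sudoedit /etc/rc.conf
Jul 24 14:46:30 fbsd sudo:     tech : command not allowed ; TTY=ttyp0 ; PWD=/home/tech ; USER=root ; COMMAND=/bin/csh'

# Read sudo records on stdin; print "user<TAB>verdict<TAB>command" per record.
# Verdicts: ROOT-EQUIV (program can spawn an unrestricted shell),
#           DENIED     (sudo refused the command),
#           ok         (everything else).
audit_sudo_log() {
    awk '
    /sudo:/ && /COMMAND=/ {
        sub(/.*sudo: +/, "")            # drop timestamp/host prefix
        split($0, parts, " : ")         # first field is the invoking user
        user = parts[1]
        cmd = $0
        sub(/.*COMMAND=/, "", cmd)      # full command line as logged
        split(cmd, argv, " ")
        base = argv[1]
        sub(/.*\//, "", base)           # basename of argv[0]
        verdict = "ok"
        # Assumed list of programs with shell escapes or arbitrary exec.
        if (base ~ /^(sh|csh|tcsh|bash|ksh|zsh|vi|vim|ex|ed|more|less|man|find|perl|python|awk)$/)
            verdict = "ROOT-EQUIV"
        if ($0 ~ /command not allowed/)
            verdict = "DENIED"
        printf "%s\t%s\t%s\n", user, verdict, cmd
    }'
}

# Run the audit over the constructed sample (in real use: over /var/log/auth.log
# or wherever syslog.conf sends sudo's facility).
audit_sample() {
    printf '%s\n' "$SAMPLE" | audit_sudo_log
}

audit_sample
```

Two caveats a practitioner would want next to this. First, sudoers can take some of the sting out of the editor case (sudoedit instead of vi on the file, and the NOEXEC tag where sudo was built with noexec support), but that only narrows the list, it does not remove the trust problem the reply describes. Second, sudo's record is the command line only; what the tech does inside an interactive program never reaches the log. That is the gap watch(8) covers: on the FreeBSD of the period it needs the snp(4) snoop device (kldload snp, assumed here rather than taken from the thread), after which watch <tty> shows the session as typed. Later sudo releases added their own per-session I/O logging (log_output / sudoreplay), which closes the same gap without a tty snoop.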