From owner-freebsd-questions@FreeBSD.ORG Thu Dec 29 18:05:54 2011
From: Devin Teske <Devin.Teske@fisglobal.com>
To: 'Polytropon', 'Carl Johnson'
Cc: freebsd-questions@freebsd.org
Subject: RE: OT: Root access policy
Date: Thu, 29 Dec 2011 10:05:58 -0800
Message-ID: <037601ccc654$84d8b950$8e8a2bf0$@fisglobal.com>
In-Reply-To: <20111229185809.0b28e71f.freebsd@edvax.de>
References: <20111229105847.e15848ba.freebsd@edvax.de> <4EFC3FA3.1060603@my.gd> <87y5tvcn9a.fsf@oak.localnet> <20111229185809.0b28e71f.freebsd@edvax.de>
List-Id: User questions <freebsd-questions@freebsd.org>
> -----Original Message-----
> From: owner-freebsd-questions@freebsd.org [mailto:owner-freebsd-questions@freebsd.org] On Behalf Of Polytropon
> Sent: Thursday, December 29, 2011 9:58 AM
> To: Carl Johnson
> Cc: freebsd-questions@freebsd.org
> Subject: Re: OT: Root access policy
>
> On Thu, 29 Dec 2011 09:15:45 -0800, Carl Johnson wrote:
> > Damien Fleuriot writes:
> >
> > > On 12/29/11 10:58 AM, Polytropon wrote:
> > >> On Thu, 29 Dec 2011 04:01:42 -0500, Irk Ed wrote:
> > >>> For the first time, a customer is asking me for root access to
> > >>> said customer's servers.
> > >>
> > >>> Assuming that I'll be asked to continue administering said
> > >>> servers, I guess I should at least enable accounting...
> > >>
> > >> You could have better success using sudo. Make sure the customer is
> > >> allowed to "sudo ". The sudo program will log _all_ things
> > >> the customer does, so you can be sure you can review actions.
> > >> Furthermore you don't need to give him the _real_ root password. He
> > >> won't be able to "su root" or to login as root, _real_ root. But he
> > >> can use the "sudo" prefix to issue commands "with root privileges".
> > >>
> > >
> > > "sudo su -" or "sudo sh" and the customer gets a native root shell
> > > which does *not* log commands !
> >
> > The sudoers manpage mentions the noexec option which is designed to
> > help with the first problem. They also show an example using !SHELLS
> > which can help with the second.
>
> It's also worth mentioning "super" again - as an alternative to "sudo". But after all,
> if restricted in any way, both of them are _not_ equivalent to "full root access"
> (equals: root + root's password) which the customer initially demanded.

I highly recommend reading audit(4) and then audit(8) (in that order).

This will catch more security instances than simply relying on sudo(8) logging -- which won't catch any commands once the user has "become root" (ala "sudo su -" for example).

Once upon a time (RELENG_4), we used a kernel module named "lrexec" which logged all system calls to the exec(3) family of functions, but it was too verbose. audit(4) replaces our need for lrexec.

-- 
Devin

>
> --
> Polytropon
> Magdeburg, Germany
> Happy FreeBSD user since 4.0
> Andra moi ennepe, Mousa, ...
> _______________________________________________
> freebsd-questions@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org"

_____________
The information contained in this message is proprietary and/or confidential. If you are not the intended recipient, please: (i) delete the message and all copies; (ii) do not disclose, distribute or use the message in any manner; and (iii) notify the sender immediately. In addition, please be aware that any message addressed to our domain is subject to archiving and review by persons other than the intended recipient. Thank you.
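The thread makes two defensive points: a sudoers policy can deny shells and use `noexec` (the sudoers manpage material Carl Johnson refers to), and audit(4) records what a login does even after it has become root, which sudo(8) logging cannot. The script below is an added example written for this page; it is not code from the thread or from any of its posters. It writes a sudoers fragment and a FreeBSD audit configuration for a login called `customer`. The user name, the fragment file names, the shell paths, and the assumption that the main `/usr/local/etc/sudoers` includes a `sudoers.d` directory are all illustrative assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): write a restricted sudoers fragment
# and a FreeBSD audit(4) configuration for a customer login. All names and
# paths below are constructed for illustration; adjust them for the host.
#
# Usage on a FreeBSD host, as root:
#   . ./restrict.sh
#   write_sudoers_fragment customer /usr/local/etc/sudoers.d
#   write_audit_config customer /etc/security
#   sysrc auditd_enable=YES && service auditd start
# Review the customer's actions later with:
#   auditreduce -u customer /var/audit/current | praudit

# Sudoers fragment: root via sudo for everything except interactive shells
# and su, plus noexec so that editors and pagers cannot spawn a shell.
# Validate with "visudo -c -f <file>" before relying on it. Assumes the
# main sudoers file has an includedir line pointing at this directory.
write_sudoers_fragment() {
    user="$1"; dir="$2"
    out="$dir/10-$user"
    cat > "$out" <<EOF
# Constructed example: restrict $user to non-shell commands
Cmnd_Alias SHELLS = /bin/sh, /bin/csh, /bin/tcsh, /usr/local/bin/bash, /usr/local/bin/zsh
Cmnd_Alias SU = /usr/bin/su
Defaults:$user noexec, log_output
$user ALL = (root) ALL, !SHELLS, !SU
EOF
    chmod 0440 "$out"
    printf '%s\n' "$out"
}

# audit_control: the "ex" class records every exec(3), and the argv policy
# keeps the executed command line. audit_user binds classes to the login;
# the audit ID assigned at login survives su and sudo, so commands run from
# a root shell obtained via "sudo su -" are still attributed to $user.
write_audit_config() {
    user="$1"; dir="$2"
    cat > "$dir/audit_control" <<EOF
dir:/var/audit
dist:off
flags:lo,aa,ex
minfree:5
naflags:lo,aa
policy:cnt,argv
filesz:2M
expire-after:10M
EOF
    cat > "$dir/audit_user" <<EOF
$user:lo,ex,pc:no
EOF
    printf '%s\n' "$dir/audit_control"
}

# Reviewer self-check: does the generated fragment actually deny shells
# and enable noexec for the login?
fragment_denies_shells() {
    grep -q '!SHELLS' "$1" && grep -q 'noexec' "$1"
}
```

The functions take the target directory as a parameter so the fragments can be generated into a scratch directory and inspected before being installed. Note that the sudoers deny list is only a first layer: as the thread says, a deny list of shell paths is easy to sidestep, which is why the audit configuration is the part that gives reliable attribution.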