Date: Thu, 29 Dec 2011 09:15:45 -0800
From: Carl Johnson <carlj@peak.org>
To: freebsd-questions@freebsd.org
Subject: Re: OT: Root access policy
Message-ID: <87y5tvcn9a.fsf@oak.localnet>
In-Reply-To: <4EFC3FA3.1060603@my.gd> (Damien Fleuriot's message of "Thu, 29 Dec 2011 11:23:31 +0100")
References: <CA+Ne_iJfFK43CE+L2LHcqNSmv7AmRDYyAu4pXGFpd3QB+y3p2w@mail.gmail.com> <20111229105847.e15848ba.freebsd@edvax.de> <4EFC3FA3.1060603@my.gd>
Damien Fleuriot <ml@my.gd> writes:

> On 12/29/11 10:58 AM, Polytropon wrote:
>> On Thu, 29 Dec 2011 04:01:42 -0500, Irk Ed wrote:
>>> For the first time, a customer is asking me for root access to said
>>> customer's servers.
>> <snip>
>>> Assuming that I'll be asked to continue administering said servers, I guess
>>> I should at least enable accounting...
>>
>> You could have better success using sudo. Make sure
>> the customer is allowed to "sudo <command>". The
>> sudo program will log _all_ things the customer
>> does, so you can be sure you can review actions.
>> Furthermore you don't need to give him the _real_
>> root password. He won't be able to "su root" or
>> to login as root, _real_ root. But he can use
>> the "sudo" prefix to issue commands "with root
>> privileges".
>>
>
> "sudo su -" or "sudo sh" and the customer gets a native root shell which
> does *not* log commands!

The sudoers manpage mentions the noexec option, which is designed to help with the first problem. It also shows an example using !SHELLS which can help with the second.

-- 
Carl Johnson carlj@peak.org
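An added sudoers fragment (not from the thread or from the sudo project) putting the noexec option and a !SHELLS exclusion next to the per-command logging Polytropon describes; the user name "customer" and the command paths are assumed placeholders, the paths follow a stock FreeBSD layout.

```sudoers
# Added example, not part of the original thread. "customer" and the
# command lists are placeholders to adapt to the real environment.

# Shells that must not be reachable directly through sudo.
Cmnd_Alias SHELLS = /bin/sh, /bin/csh, /bin/tcsh, /usr/local/bin/bash

# Programs that hand out a root shell without per-command logging.
Cmnd_Alias SU = /usr/bin/su, /usr/bin/login

# Interactive tools with shell escapes (":!sh" in vi, "!" in less).
Cmnd_Alias EDITORS = /usr/bin/vi, /usr/local/bin/vim, /usr/bin/less

# Non-interactive administrative commands the customer really needs.
Cmnd_Alias ADMIN = /usr/sbin/service, /sbin/ifconfig, /usr/sbin/pkg

# Every sudo invocation is logged; I/O logging additionally records the
# full session, so even an interactive command leaves a reviewable trace.
Defaults    logfile=/var/log/sudo.log
Defaults    log_input, log_output

# EDITORS run with noexec: the process may not exec further programs, so
# shell escapes from the editor or pager fail. noexec only works for
# dynamically linked binaries, which is the normal case on FreeBSD.
# SHELLS and SU are excluded so "sudo sh" and "sudo su -" are refused.
customer    ALL = ADMIN, NOEXEC: EDITORS, !SHELLS, !SU
```

The sudoers manual itself warns that "!" exclusions are not a reliable control on their own, so the allow-list (ADMIN, EDITORS) is what actually bounds the customer's access; check the file with "visudo -c" before relying on it.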