From owner-freebsd-questions@FreeBSD.ORG Thu Dec 29 17:15:49 2011
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 3622D1065670 for ; Thu, 29 Dec 2011 17:15:49 +0000 (UTC) (envelope-from carlj@peak.org)
Received: from redcondor1.peak.org (redcondor1.peak.org [69.59.192.54]) by mx1.freebsd.org (Postfix) with ESMTP id 02F5A8FC14 for ; Thu, 29 Dec 2011 17:15:48 +0000 (UTC)
Received: from zmail-mta02.peak.org ([207.55.16.112]) by redcondor1.peak.org ({e03e86cd-14ae-47ce-9578-3c080ce9c462}) via TCP (outbound) with ESMTP id 20111229171548510 for ; Thu, 29 Dec 2011 17:15:48 +0000
Received: from maple.localnet (unknown [207.55.106.132]) by zmail-mta02.peak.org (Postfix) with ESMTPSA id 80348488B51 for ; Thu, 29 Dec 2011 09:15:47 -0800 (PST)
Received: from oak.localnet (oak.localnet [IPv6:2001:1938:266::6f:616b]) by maple.localnet (Postfix) with ESMTP id E0C7961F12 for ; Thu, 29 Dec 2011 09:15:45 -0800 (PST)
Received: from oak.localnet (localhost.localnet [127.0.0.1]) by oak.localnet (Postfix) with ESMTP id ADD39BFD5 for ; Thu, 29 Dec 2011 09:15:45 -0800 (PST)
Received: (from carlj@localhost) by oak.localnet (8.14.4/8.14.4/Submit) id pBTHFjYN059207; Thu, 29 Dec 2011 09:15:45 -0800 (PST) (envelope-from carlj@peak.org)
X-Authentication-Warning: oak.localnet: carlj set sender to carlj@peak.org using -f
From: Carl Johnson
To: freebsd-questions@freebsd.org
References: <20111229105847.e15848ba.freebsd@edvax.de> <4EFC3FA3.1060603@my.gd>
Mail-Followup-To: freebsd-questions@freebsd.org
Date: Thu, 29 Dec 2011 09:15:45 -0800
In-Reply-To: <4EFC3FA3.1060603@my.gd> (Damien Fleuriot's message of "Thu, 29 Dec 2011 11:23:31 +0100")
Message-ID: <87y5tvcn9a.fsf@oak.localnet>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/23.2 (berkeley-unix)
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Subject: Re: OT: Root access policy
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: User questions
X-List-Received-Date: Thu, 29 Dec 2011 17:15:49 -0000

Damien Fleuriot writes:

> On 12/29/11 10:58 AM, Polytropon wrote:
>> On Thu, 29 Dec 2011 04:01:42 -0500, Irk Ed wrote:
>>> For the first time, a customer is asking me for root access to said
>>> customer's servers.
>>
>>> Assuming that I'll be asked to continue administering said servers, I guess
>>> I should at least enable accounting...
>>
>> You could have better success using sudo. Make sure
>> the customer is allowed to "sudo ". The
>> sudo program will log _all_ things the customer
>> does, so you can be sure you can review actions.
>> Furthermore you don't need to give him the _real_
>> root password. He won't be able to "su root" or
>> to login as root, _real_ root. But he can use
>> the "sudo" prefix to issue commands "with root
>> privileges".
>>
>
> "sudo su -" or "sudo sh" and the customer gets a native root shell which
> does *not* log commands !

The sudoers manpage mentions the noexec option, which is designed to help with the first problem. They also show an example using !SHELLS which can help with the second.

-- 
Carl Johnson carlj@peak.org
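The following sudoers fragment is an added illustration of the two sudoers features Carl points at (noexec and a !SHELLS deny entry), together with the allow-list and I/O logging that make them useful; it is not from any message in the thread. The user name "customer", the command set, and the FreeBSD-style paths are assumptions to be adjusted for the real machine, and the fragment should be installed with visudo so a syntax error cannot lock everyone out.

```sudoers
# Added example, not from the thread. Names and paths are assumptions.

# Commands that hand out an interactive root shell. The sudoers manual's
# own example groups these as SHELLS and SU so they can be denied.
Cmnd_Alias SHELLS = /bin/sh, /bin/csh, /bin/tcsh, /usr/local/bin/bash, /usr/local/bin/zsh
Cmnd_Alias SU     = /usr/bin/su

# What the customer actually needs: an allow-list. This, not the "!"
# entries below, is the real control, because the manual warns that a
# user who may run arbitrary commands can simply copy a shell binary to
# another name and run that instead.
Cmnd_Alias SERVICES  = /usr/sbin/service, /etc/rc.d/*
Cmnd_Alias PKG       = /usr/sbin/pkg
Cmnd_Alias EDIT_CONF = sudoedit /etc/rc.conf, sudoedit /usr/local/etc/*

# Log every invocation, and additionally record the terminal I/O of each
# session (sudo 1.7.4 and later) so that what happens inside an editor or
# pager is captured too; replay with sudoreplay(8).
Defaults logfile=/var/log/sudo.log
Defaults use_pty
Defaults log_output

# Programs with shell escapes (":!sh" in vi, "!" in less) get noexec, which
# stops them from starting any child process. Note the manual's caveat:
# noexec relies on LD_PRELOAD and only works for dynamically linked binaries.
Defaults!/usr/bin/vi   noexec
Defaults!/usr/bin/less noexec

# Grant the allow-list, then deny shells and su as an explicit backstop,
# in the same shape as the manual's "bob ALL = ALL, !SU, !SHELLS" example.
customer ALL = (root) SERVICES, PKG, EDIT_CONF, !SU, !SHELLS
```

Two points worth keeping in mind when adapting this: sudoedit is used for configuration files instead of granting vi as root, because sudoedit edits a temporary copy as the invoking user and never runs an editor with root privileges, so no shell escape is available; and the `Defaults` I/O logging lines are what turn "sudo logs the command" into a record you can actually review after the fact, since the plain log only shows that `less` or `vi` was run, not what was done inside it.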