Skip site navigation (1)Skip section navigation (2)
Date:      Tue, 24 Jul 2007 14:41:10 -0400
From:      Lowell Gilbert <freebsd-questions-local@be-well.ilk.org>
To:        Tom Grove <freebsd@voidmain.net>
Cc:        freebsd-questions@freebsd.org, Ian Lord <mailing-lists@msdi.ca>
Subject:   Re: Root access loggin
Message-ID:  <444pjt3ard.fsf@be-well.ilk.org>
In-Reply-To: <46A63689.80906@voidmain.net> (Tom Grove's message of "Tue\, 24 Jul 2007 13\:27\:37 -0400")
References:  <050b01c7ce16$960a0570$6400a8c0@msdi.local> <46A63689.80906@voidmain.net>

Next in thread | Previous in thread | Raw E-Mail | Index | Archive | Help
Tom Grove <freebsd@voidmain.net> writes:

> You could even go so far as to limit what he can use sudo on.
>
> $>man sudo
>
> Giving him full root access is probably not a good idea.

In practice, this approach *is* effectively giving him full root
access.  Once you have to give the tech the ability to edit root-owned
files, you have to trust his honesty.  There are some important
advantages to doing it through sudo, though: one is that it makes it
easy for the user to keep track of just the root-privileged commands,
and another is that it's easier for the user to avoid shooting himself
in the foot.

To watch everything done by the remote-connected tech, the most
complete approach is probably watch(8), which is a much simpler way of
getting everything typed on a particular tty.



Want to link to this message? Use this URL: <http://docs.FreeBSD.org/cgi/mid.cgi?444pjt3ard.fsf>