Skip site navigation (1)Skip section navigation (2)
Date:      Tue, 24 Jul 2007 15:28:23 -0400
From:      Tom Grove <freebsd@voidmain.net>
To:        freebsd-questions@freebsd.org
Cc:        Ian Lord <mailing-lists@msdi.ca>
Subject:   Re: Root access loggin
Message-ID:  <46A652D7.4030001@voidmain.net>
In-Reply-To: <444pjt3ard.fsf@be-well.ilk.org>
References:  <050b01c7ce16$960a0570$6400a8c0@msdi.local>	<46A63689.80906@voidmain.net> <444pjt3ard.fsf@be-well.ilk.org>

Next in thread | Previous in thread | Raw E-Mail | Index | Archive | Help
Lowell Gilbert wrote:
> Tom Grove <freebsd@voidmain.net> writes:
>
>   
>> You could even go so far as to limit what he can use sudo on.
>>
>> $>man sudo
>>
>> Giving him full root access is probably not a good idea.
>>     
>
> In practice, this approach *is* effectively giving him full root
> access.  Once you have to give the tech the ability to edit root-owned
> files, you have to trust his honesty.  
Once any kind of local access is given to a user trust becomes an issue; 
regardless of root access or not.  By only allowing a certain set of 
commands there would still need to be a great deal of cracking to gain 
more access.  If one just gives out root access no more would need to be 
done.  This is where sudo is unlike root access.
> There are some important
> advantages to doing it through sudo, though: one is that it makes it
> easy for the user to keep track of just the root-privileged commands,
> and another is that it's easier for the user to avoid shooting himself
> in the foot.
>   
Other advantages to sudo are not having to give out the root password.  
A possible solution may be using sudo and watch together.
> To watch everything done by the remote-connected tech, the most
> complete approach is probably watch(8), which is a much simpler way of
> getting everything typed on a particular tty.
> _______________________________________________
> freebsd-questions@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org"
>   
While I agree that any kind of raised privilege may not be the best 
idea, if it is necessary, sudo adds a layer of protection you do not get 
with straight root.

-Tom




Want to link to this message? Use this URL: <http://docs.FreeBSD.org/cgi/mid.cgi?46A652D7.4030001>