Date:      Tue, 24 Jul 2007 15:23:52 -0500
From:      Paul Schmehl <>
To:        Ian Lord <>,
Subject:   RE: Root access loggin
Message-ID:  <>
In-Reply-To: <054701c7ce2d$6f42d6d0$6400a8c0@msdi.local>
References:  <050b01c7ce16$960a0570$6400a8c0@msdi.local> <> <>	<> <> <054701c7ce2d$6f42d6d0$6400a8c0@msdi.local>

Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: quoted-printable
Content-Disposition: inline

--On Tuesday, July 24, 2007 16:01:33 -0400 Ian Lord <>

> -----Original Message-----
> From: John Fitzgerald []
> Sent: 24 July 2007 15:42
> To: Tom Grove
> Cc:; Ian Lord
> Subject: Re: Root access loggin
> I may be misunderstanding this, but wouldn't allowing only certain
> commands with sudo assume that the user actually knows what commands
> are needed by the user? In this situation it seems like the whole
> reason to grant access to the server was because the user _doesn't_
> know what needs to be done.
> ~~
> Exactly, I don't know what needs to be done, and they don't either.
> That's why they need to browse around trying to figure out why their
> installer doesn't work.
> Sudo wouldn't be any help here because I would need to pre-approve commands
> and I don't know which one will be needed.
You seem to have a mistaken understanding of sudo.  You can grant them
access to everything that root has simply by adding their account to the
wheel group and using visudo to grant wheel access to everything that root
has access to.  You can do this with or without a requirement to type your
password when you use sudo.

This will allow them to do everything they want while logging every command
they type.  And that seems to be exactly what you want.  So, rather than
giving them the root password, create an account for them, add it to the
wheel group and use visudo to edit /usr/local/etc/sudoers to grant wheel
access to everything.  (DO NOT edit the file with vi!)

To add the wheel group to a user:
pw usermod username -G wheel

Granting access to wheel should be self-explanatory:

# Uncomment to allow people in group wheel to run all commands
%wheel  ALL=(ALL)       ALL
# %wheel        ALL=(ALL)       NOPASSWD: ALL

That way everything they do is logged, and you don't have to compromise
your root password.

Paul Schmehl (
Senior Information Security Analyst
The University of Texas at Dallas
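
The following script is an added example and is not part of Paul's message or of the thread; it turns the two points above (wheel gets ALL via sudoers, and sudo logs every command it runs) into checks that run offline without root. It assumes a FreeBSD host laid out as the message describes (sudo from ports, rules in /usr/local/etc/sudoers, sudo logging through syslog's auth facility). The sudoers text is the fragment from the message; the log lines are constructed samples in the format sudo writes to syslog, and the user names in them are invented.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumes FreeBSD with sudo from
# ports (/usr/local/etc/sudoers) and sudo logging via syslog. All sample
# data below is constructed for illustration.

# Sudoers fragment from the message, held in a string so the checks can
# run without root and without touching the real file.
SAMPLE_SUDOERS='# Uncomment to allow people in group wheel to run all commands
%wheel  ALL=(ALL)       ALL
# %wheel        ALL=(ALL)       NOPASSWD: ALL'

# Constructed lines in the shape sudo writes to syslog:
# "sudo:  user : TTY=... ; PWD=... ; USER=... ; COMMAND=..."
# The third line shows how a refusal looks ("command not allowed").
SAMPLE_LOG='Jul 24 15:23:52 www sudo:  ilord : TTY=ttyp0 ; PWD=/home/ilord ; USER=root ; COMMAND=/usr/bin/less /var/log/messages
Jul 24 15:24:10 www sudo:  ilord : TTY=ttyp0 ; PWD=/usr/local/installer ; USER=root ; COMMAND=/bin/sh ./install.sh
Jul 24 15:25:01 www sudo:  ilord : command not allowed ; TTY=ttyp0 ; PWD=/home/ilord ; USER=root ; COMMAND=/sbin/reboot
Jul 24 15:26:30 www sudo:  pauls : TTY=ttyp1 ; PWD=/root ; USER=root ; COMMAND=/usr/bin/tail /var/log/auth.log'

# Print the uncommented %wheel rules from the sudoers text given as $1.
# Commented lines ("# %wheel ...") must not count as grants.
active_wheel_rules() {
    printf '%s\n' "$1" | grep -E '^[[:space:]]*%wheel[[:space:]]'
}

# Exit 0 if wheel is granted ALL=(ALL) ALL, with or without NOPASSWD.
wheel_has_all() {
    active_wheel_rules "$1" \
      | grep -Eq 'ALL[[:space:]]*=[[:space:]]*\(ALL\)[[:space:]]+(NOPASSWD:[[:space:]]*)?ALL[[:space:]]*$'
}

# Exit 0 if an active wheel rule skips the password prompt.
wheel_nopasswd() {
    active_wheel_rules "$1" | grep -q 'NOPASSWD:'
}

# Print, one per line, every COMMAND the user ($1) ran through sudo
# according to the log text ($2): the audit trail the message relies on.
# Refused commands are left out here and reported by sudo_denied.
sudo_commands() {
    printf '%s\n' "$2" \
      | grep -E "sudo:[[:space:]]+$1 : " \
      | grep -v 'command not allowed' \
      | sed 's/.*COMMAND=//'
}

# Print the commands sudo refused for the user ($1) in the log text ($2).
sudo_denied() {
    printf '%s\n' "$2" \
      | grep -E "sudo:[[:space:]]+$1 : command not allowed" \
      | sed 's/.*COMMAND=//'
}

# Stand-alone run: report what the checks find in the sample data.
if wheel_has_all "$SAMPLE_SUDOERS"; then
    echo "wheel may run any command as root"
fi
if wheel_nopasswd "$SAMPLE_SUDOERS"; then
    echo "wheel rule skips the password prompt"
else
    echo "wheel rule still asks for the user's own password"
fi
echo "commands run by ilord through sudo:"
sudo_commands ilord "$SAMPLE_LOG"
echo "commands refused for ilord:"
sudo_denied ilord "$SAMPLE_LOG"
```

Point the two log functions at the real auth log to get the per-user trail. One thing to keep in mind when reading it: sudo records the command it was asked to start, so an invocation such as /bin/sh appears as a single line and the commands typed inside that shell do not appear separately; newer sudo releases add the `log_input` and `log_output` Defaults in sudoers(5) for session I/O logging if that level of detail is needed.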

