Date:      Tue, 24 Jul 2007 15:23:52 -0500
From:      Paul Schmehl <pauls@utdallas.edu>
To:        Ian Lord <mailing-lists@msdi.ca>, freebsd-questions@freebsd.org
Subject:   RE: Root access loggin
Message-ID:  <A4BA3AEA2481104F45B9F544@utd59514.utdallas.edu>
In-Reply-To: <054701c7ce2d$6f42d6d0$6400a8c0@msdi.local>
References:  <050b01c7ce16$960a0570$6400a8c0@msdi.local> <46A63689.80906@voidmain.net> <444pjt3ard.fsf@be-well.ilk.org>	<46A652D7.4030001@voidmain.net> <5e49673f0707241241w4c751dbbi4a28590e5b164fc2@mail.gmail.com> <054701c7ce2d$6f42d6d0$6400a8c0@msdi.local>


--On Tuesday, July 24, 2007 16:01:33 -0400 Ian Lord <mailing-lists@msdi.ca> wrote:

>
>
> -----Original Message-----
> From: John Fitzgerald [mailto:jjfitzgerald@gmail.com]
> Sent: 24 July 2007 15:42
> To: Tom Grove
> Cc: freebsd-questions@freebsd.org; Ian Lord
> Subject: Re: Root access loggin
>
> I may be misunderstanding this, but wouldn't allowing only certain
> commands with sudo assume that the user actually knows what commands
> are needed by the user? In this situation it seems like the whole
> reason to grant access to the server was because the user _doesn't_
> know what needs to be done.
> ~~
>
> Exactly, I don't know what needs to be done, and neither do they.
> That's why they need to browse around trying to figure out why their
> installer doesn't work.
>
> Sudo wouldn't be any help here because I would need to pre-approve commands
> and I don't know which one will be needed.
>
You seem to have a mistaken understanding of sudo.  You can grant them
access to everything that root has simply by adding their account to the
wheel group and using visudo to grant wheel access to everything that root
has access to.  You can do this with or without a requirement to type your
password when you use sudo.

This will allow them to do everything they want while logging every command
they type.  And that seems to be exactly what you want.  So, rather than
giving them the root password, create an account for them, add it to the
wheel group and use visudo to edit /usr/local/etc/sudoers to grant wheel
access to everything.  (DO NOT edit the file with vi!)

To add the wheel group to a user:
pw usermod username -G wheel

Granting access to wheel should be self-explanatory:

# Uncomment to allow people in group wheel to run all commands
%wheel  ALL=(ALL)       ALL
# %wheel        ALL=(ALL)       NOPASSWD: ALL

That way everything they do is logged, and you don't have to compromise
your root password.

-- 
Paul Schmehl (pauls@utdallas.edu)
Senior Information Security Analyst
The University of Texas at Dallas
http://www.utdallas.edu/ir/security/
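The reply above rests on sudo logging each invocation to syslog. As an added example (not from the thread or from sudo itself), here is a small auditor for those log lines: it parses sudo's syslog entries, separates allowed commands from refusals, and flags launches of an interactive shell, since sudo records the shell being started but not the commands typed inside it. Host names, user names and the log lines are constructed for the example.

```python
import re
from collections import Counter

# Constructed sample lines in sudo's syslog format; host and user names
# are made up for this example, not taken from the thread.
SAMPLE_LOG = """\
Jul 24 15:20:01 host1 sudo:    alice : TTY=ttyp0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/less /var/log/messages
Jul 24 15:21:14 host1 sudo:    alice : TTY=ttyp0 ; PWD=/usr/local ; USER=root ; COMMAND=/bin/sh ./installer.sh
Jul 24 15:22:30 host1 sudo:      bob : user NOT in sudoers ; TTY=ttyp1 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/sh
Jul 24 15:23:52 host1 sudo:    alice : 3 incorrect password attempts ; TTY=ttyp0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/su -
Jul 24 15:24:10 host1 sshd[812]: Accepted publickey for alice from 10.0.0.5 port 4022 ssh2
"""

# sudo writes "user : [reason ; ]TTY=... ; PWD=... ; USER=... ; COMMAND=..."
SUDO_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sudo:\s+(?P<user>\S+) : "
    r"(?:(?P<reason>[^;]+?) ; )?TTY=(?P<tty>\S+) ; PWD=(?P<pwd>\S+) ; "
    r"USER=(?P<runas>\S+) ; COMMAND=(?P<cmd>.*)$"
)

# Interactive shells: sudo logs the launch, not the commands typed inside.
SHELLS = {"/bin/sh", "/bin/csh", "/bin/tcsh", "/usr/local/bin/bash", "/usr/bin/su"}


def parse_sudo_line(line):
    """Return a dict for one sudo syslog line, or None for other daemons' lines."""
    m = SUDO_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["allowed"] = ev["reason"] is None   # a reason field means sudo refused
    ev["argv0"] = ev["cmd"].split()[0]
    return ev


def parse_sudo_log(text):
    return [ev for ev in map(parse_sudo_line, text.splitlines()) if ev]


def summarize(events):
    """Per-user command counts, refusals, and shell launches an auditor should review."""
    return {
        "commands_by_user": Counter(e["user"] for e in events if e["allowed"]),
        "denied": [(e["user"], e["reason"]) for e in events if not e["allowed"]],
        "shell_launches": [(e["user"], e["cmd"]) for e in events
                           if e["allowed"] and e["argv0"] in SHELLS],
    }


if __name__ == "__main__":
    for key, value in summarize(parse_sudo_log(SAMPLE_LOG)).items():
        print(key, value)
```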
