Skip site navigation (1)Skip section navigation (2)
Date:      Tue, 24 Jul 2007 23:00:47 +0100
From:      Vince Hoffman-Kazlauskas <jhary@unsane.co.uk>
To:        Paul Schmehl <pauls@utdallas.edu>
Cc:        freebsd-questions@freebsd.org, Ian Lord <mailing-lists@msdi.ca>
Subject:   Re: Root access loggin
Message-ID:  <46A6768F.3040408@unsane.co.uk>
In-Reply-To: <A4BA3AEA2481104F45B9F544@utd59514.utdallas.edu>
References:  <050b01c7ce16$960a0570$6400a8c0@msdi.local>	<46A63689.80906@voidmain.net>	<444pjt3ard.fsf@be-well.ilk.org>	<46A652D7.4030001@voidmain.net>	<5e49673f0707241241w4c751dbbi4a28590e5b164fc2@mail.gmail.com>	<054701c7ce2d$6f42d6d0$6400a8c0@msdi.local> <A4BA3AEA2481104F45B9F544@utd59514.utdallas.edu>

Next in thread | Previous in thread | Raw E-Mail | Index | Archive | Help
\   \   Paul Schmehl wrote:
> --On Tuesday, July 24, 2007 16:01:33 -0400 Ian Lord 
> <mailing-lists@msdi.ca> wrote:
>
>>
>>
>> -----Original Message-----
>> From: John Fitzgerald [mailto:jjfitzgerald@gmail.com]
>> Sent: 24 juillet 2007 15:42
>> To: Tom Grove
>> Cc: freebsd-questions@freebsd.org; Ian Lord
>> Subject: Re: Root access loggin
>>
>> I may be misunderstanding this, but wouldn't allowing only certain
>> commands with sudo assume that the user actually knows what commands
>> are needed by the user? In this situation it seems like the whole
>> reason to grant access to the server was because the user _doesn't_
>> know what needs to be done.
>> ~~
>>
>> Exactly, I don't know what needs to be done, and they don't neither.
>> That's why they need to browse around trying to figure out why their
>> installer doesn't work.
>>
>> Sudo wouldn't be any help here cause I would need to pre approve 
>> commands
>> and I don't know which one will be needed.
>>
> You seem to have a mistaken understanding of sudo.  You can grant them 
> access to everything that root has simply by adding their account to 
> the wheel group and using visudo to grant wheel access to everything 
> that root has access to.  You can do this with or without a 
> requirement to type your password when you use sudo.
>
> This will allow them to do everything they want while logging every 
> command they type.  And that seems to be exactly what you want.  So, 
> rather than giving them the root password, create an account for them, 
> add it to the wheel group and use visudo to edit 
> /usr/local/etc/sudoers to grant wheel access to everything.  (DO NOT 
> edit the file with vi!)
>
> To add the wheel group to a user:
> pw usermod username -G wheel
>
> Granting access to wheel should be self-explanatory:
>
> # Uncomment to allow people in group wheel to run all commands
> %wheel  ALL=(ALL)       ALL
> # %wheel        ALL=(ALL)       NOPASSWD: ALL
>
> That way everything they do is logged, and you don't have to 
> compromise your root password.
>
The problem here is that the first command I type in this situation if i 
need to run multiple commands as root it sudo su -
after that nothing is logged.  I agree with Lowell that watch(8) is 
probably the way to go.

Vince



Want to link to this message? Use this URL: <http://docs.FreeBSD.org/cgi/mid.cgi?46A6768F.3040408>