Date:      Tue, 24 Jul 2007 17:26:53 -0500
From:      Paul Schmehl <>
To:        Vince Hoffman-Kazlauskas <>
Cc:, Ian Lord <>
Subject:   Re: Root access loggin
Message-ID:  <>
In-Reply-To: <>
References:  <050b01c7ce16$960a0570$6400a8c0@msdi.local> <>	<> <> <> <054701c7ce2d$6f42d6d0$6400a8c0@msdi.local> <> <>

Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: quoted-printable
Content-Disposition: inline

--On Tuesday, July 24, 2007 23:00:47 +0100 Vince Hoffman-Kazlauskas
<> wrote:

> Paul Schmehl wrote:
>> --On Tuesday, July 24, 2007 16:01:33 -0400 Ian Lord
>> <> wrote:
>>> -----Original Message-----
>>> From: John Fitzgerald []
>>> Sent: 24 juillet 2007 15:42
>>> To: Tom Grove
>>> Cc:; Ian Lord
>>> Subject: Re: Root access loggin
>>> I may be misunderstanding this, but wouldn't allowing only certain
>>> commands with sudo assume that the user actually knows what commands
>>> are needed by the user? In this situation it seems like the whole
>>> reason to grant access to the server was because the user _doesn't_
>>> know what needs to be done.
>>> ~~
>>> Exactly, I don't know what needs to be done, and they don't either.
>>> That's why they need to browse around trying to figure out why their
>>> installer doesn't work.
>>> Sudo wouldn't be any help here because I would need to pre-approve
>>> commands, and I don't know which ones will be needed.
>> You seem to have a mistaken understanding of sudo.  You can grant them
>> access to everything that root has simply by adding their account to
>> the wheel group and using visudo to grant wheel access to everything
>> that root has access to.  You can do this with or without a
>> requirement to type your password when you use sudo.
>> This will allow them to do everything they want while logging every
>> command they type.  And that seems to be exactly what you want.  So,
>> rather than giving them the root password, create an account for them,
>> add it to the wheel group and use visudo to edit
>> /usr/local/etc/sudoers to grant wheel access to everything.  (DO NOT
>> edit the file with vi!)
>> To add the wheel group to a user:
>> pw usermod username -G wheel
>> Granting access to wheel should be self-explanatory:
>> # Uncomment to allow people in group wheel to run all commands
>> %wheel  ALL=(ALL)       ALL
>> # %wheel        ALL=(ALL)       NOPASSWD: ALL
>> That way everything they do is logged, and you don't have to
>> compromise your root password.
> The problem here is that the first command I type in this situation, if I
> need to run multiple commands as root, is sudo su -
> after that nothing is logged.  I agree with Lowell that watch(8) is
> probably the way to go.
Well sure, but then you have a log entry where the vendor's tech clearly
tried to circumvent your restrictions.  That's cause for immediate
revocation of access and escalation of the issue to the vendor.  (Not that
you shouldn't use watch!)

Paul Schmehl (
Senior Information Security Analyst
The University of Texas at Dallas
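An added example, not part of the thread, of the check Paul describes: scanning the lines sudo writes via syslog for a `sudo su -` (or `sudo sh`) entry, the point after which nothing further is logged. The hostname, user and log lines are constructed; the `TTY= ; PWD= ; USER= ; COMMAND=` layout is sudo's standard syslog format.

```python
import re

# Constructed sample lines in sudo's syslog format (not taken from the thread).
SAMPLE_SUDO_LOG = """\
Jul 24 17:20:01 srv1 sudo:  vendor : TTY=pts/0 ; PWD=/home/vendor ; USER=root ; COMMAND=/usr/sbin/pkg_info
Jul 24 17:21:13 srv1 sudo:  vendor : TTY=pts/0 ; PWD=/home/vendor ; USER=root ; COMMAND=/usr/bin/tail -n 50 /var/log/messages
Jul 24 17:22:40 srv1 sudo:  vendor : TTY=pts/0 ; PWD=/home/vendor ; USER=root ; COMMAND=/usr/bin/su -
Jul 24 17:30:02 srv1 sudo:  vendor : TTY=pts/1 ; PWD=/usr/local ; USER=root ; COMMAND=/bin/sh
Jul 24 17:31:55 srv1 sudo:  vendor : TTY=pts/1 ; PWD=/usr/local ; USER=root ; COMMAND=/usr/local/bin/bash -l
"""

SUDO_LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sudo:\s+(?P<user>\S+) : "
    r"TTY=(?P<tty>\S+) ; PWD=(?P<pwd>\S+) ; USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.*)$"
)

# Binaries that hand the caller an interactive root shell. Once one of these
# runs, sudo no longer sees (or logs) the individual commands typed inside it.
SHELL_ESCAPES = {"su", "sh", "bash", "csh", "tcsh", "ksh", "zsh"}


def parse_sudo_line(line):
    """Split one sudo syslog line into its fields; None if it is not one."""
    m = SUDO_LINE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["argv"] = entry["cmd"].split()
    return entry


def is_shell_escape(entry):
    """True if the sudo'd command is su or a shell, i.e. logging stops after it."""
    if not entry["argv"]:
        return False
    binary = entry["argv"][0].rsplit("/", 1)[-1]
    return binary in SHELL_ESCAPES


def find_shell_escapes(log_text):
    """Return (timestamp, user, command) for every logged sudo shell escape."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_sudo_line(line)
        if entry and is_shell_escape(entry):
            hits.append((entry["ts"], entry["user"], entry["cmd"]))
    return hits


if __name__ == "__main__":
    for ts, user, cmd in find_shell_escapes(SAMPLE_SUDO_LOG):
        print(f"{ts}  {user} obtained an unlogged root shell via: {cmd}")
```

Feed it the real sudo log (on FreeBSD typically /var/log/messages or wherever syslog.conf sends the auth facility) and each hit marks the moment the trail of individually logged commands ends.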

