Skip site navigation (1)Skip section navigation (2)
Date:      Tue, 24 Jul 2007 17:26:53 -0500
From:      Paul Schmehl <pauls@utdallas.edu>
To:        Vince Hoffman-Kazlauskas <jhary@unsane.co.uk>
Cc:        freebsd-questions@freebsd.org, Ian Lord <mailing-lists@msdi.ca>
Subject:   Re: Root access loggin
Message-ID:  <118BCC3A40B82CA3176858BC@utd59514.utdallas.edu>
In-Reply-To: <46A6768F.3040408@unsane.co.uk>
References:  <050b01c7ce16$960a0570$6400a8c0@msdi.local> <46A63689.80906@voidmain.net>	<444pjt3ard.fsf@be-well.ilk.org> <46A652D7.4030001@voidmain.net> <5e49673f0707241241w4c751dbbi4a28590e5b164fc2@mail.gmail.com> <054701c7ce2d$6f42d6d0$6400a8c0@msdi.local> <A4BA3AEA2481104F45B9F544@utd59514.utdallas.edu> <46A6768F.3040408@unsane.co.uk>

Next in thread | Previous in thread | Raw E-Mail | Index | Archive | Help
--==========707DD4882130F668690B==========
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: quoted-printable
Content-Disposition: inline

--On Tuesday, July 24, 2007 23:00:47 +0100 Vince Hoffman-Kazlauskas=20
<jhary@unsane.co.uk> wrote:

> \   \   Paul Schmehl wrote:
>> --On Tuesday, July 24, 2007 16:01:33 -0400 Ian Lord
>> <mailing-lists@msdi.ca> wrote:
>>
>>>
>>>
>>> -----Original Message-----
>>> From: John Fitzgerald [mailto:jjfitzgerald@gmail.com]
>>> Sent: 24 juillet 2007 15:42
>>> To: Tom Grove
>>> Cc: freebsd-questions@freebsd.org; Ian Lord
>>> Subject: Re: Root access loggin
>>>
>>> I may be misunderstanding this, but wouldn't allowing only certain
>>> commands with sudo assume that the user actually knows what commands
>>> are needed by the user? In this situation it seems like the whole
>>> reason to grant access to the server was because the user _doesn't_
>>> know what needs to be done.
>>> ~~
>>>
>>> Exactly, I don't know what needs to be done, and they don't neither.
>>> That's why they need to browse around trying to figure out why their
>>> installer doesn't work.
>>>
>>> Sudo wouldn't be any help here cause I would need to pre approve
>>> commands
>>> and I don't know which one will be needed.
>>>
>> You seem to have a mistaken understanding of sudo.  You can grant them
>> access to everything that root has simply by adding their account to
>> the wheel group and using visudo to grant wheel access to everything
>> that root has access to.  You can do this with or without a
>> requirement to type your password when you use sudo.
>>
>> This will allow them to do everything they want while logging every
>> command they type.  And that seems to be exactly what you want.  So,
>> rather than giving them the root password, create an account for them,
>> add it to the wheel group and use visudo to edit
>> /usr/local/etc/sudoers to grant wheel access to everything.  (DO NOT
>> edit the file with vi!)
>>
>> To add the wheel group to a user:
>> pw usermod username -G wheel
>>
>> Granting access to wheel should be self-explanatory:
>>
>> # Uncomment to allow people in group wheel to run all commands
>> %wheel  ALL=3D(ALL)       ALL
>> # %wheel        ALL=3D(ALL)       NOPASSWD: ALL
>>
>> That way everything they do is logged, and you don't have to
>> compromise your root password.
>>
> The problem here is that the first command I type in this situation if i
> need to run multiple commands as root it sudo su -
> after that nothing is logged.  I agree with Lowell that watch(8) is
> probably the way to go.
>
Well sure, but then you have a log entry where the vendor's tech clearly=20
tried to circumvent your restrictions.  That's cause for immediate=20
revocation of access and escalation of the issue to the vendor.  (Not that=20
you shouldn't use watch!)

--=20
Paul Schmehl (pauls@utdallas.edu)
Senior Information Security Analyst
The University of Texas at Dallas
http://www.utdallas.edu/ir/security/

--==========707DD4882130F668690B==========--




Want to link to this message? Use this URL: <http://docs.FreeBSD.org/cgi/mid.cgi?118BCC3A40B82CA3176858BC>