Date: Tue, 24 Jul 2007 15:41:55 -0400 From: "John Fitzgerald" <jjfitzgerald@gmail.com> To: "Tom Grove" <freebsd@voidmain.net> Cc: freebsd-questions@freebsd.org, Ian Lord <mailing-lists@msdi.ca> Subject: Re: Root access loggin Message-ID: <5e49673f0707241241w4c751dbbi4a28590e5b164fc2@mail.gmail.com> In-Reply-To: <46A652D7.4030001@voidmain.net> References: <050b01c7ce16$960a0570$6400a8c0@msdi.local> <46A63689.80906@voidmain.net> <444pjt3ard.fsf@be-well.ilk.org> <46A652D7.4030001@voidmain.net>
next in thread | previous in thread | raw e-mail | index | archive | help
I may be misunderstanding this, but wouldn't allowing only certain commands with sudo assume that the user actually knows what commands are needed by the user? In this situation it seems like the whole reason to grant access to the server was because the user _doesn't_ know what needs to be done. On 7/24/07, Tom Grove <freebsd@voidmain.net> wrote: > Lowell Gilbert wrote: > > Tom Grove <freebsd@voidmain.net> writes: > > > > > >> You could even go so far as to limit what he can use sudo on. > >> > >> $>man sudo > >> > >> Giving him full root access is probably not a good idea. > >> > > > > In practice, this approach *is* effectively giving him full root > > access. Once you have to give the tech the ability to edit root-owned > > files, you have to trust his honesty. > Once any kind of local access is given to a user trust becomes an issue; > regardless of root access or not. By only allowing a certain set of > commands there would still need to be a great deal of cracking to gain > more access. If one just gives out root access no more would need to be > done. This is where sudo is unlike root access. > > There are some important > > advantages to doing it through sudo, though: one is that it makes it > > easy for the user to keep track of just the root-privileged commands, > > and another is that it's easier for the user to avoid shooting himself > > in the foot. > > > Other advantages to sudo are not having to give out the root password. > A possible solution may be using sudo and watch together. > > To watch everything done by the remote-connected tech, the most > > complete approach is probably watch(8), which is a much simpler way of > > getting everything typed on a particular tty. > > _______________________________________________ > > freebsd-questions@freebsd.org mailing list > > http://lists.freebsd.org/mailman/listinfo/freebsd-questions > > To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org" > > > While I agree that any kind of raised privilege may not be the best > idea, if it is necessary, sudo adds a layer of protection you do not get > with straight root. > > -Tom > > _______________________________________________ > freebsd-questions@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-questions > To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org" >
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?5e49673f0707241241w4c751dbbi4a28590e5b164fc2>