Date:      Thu, 29 Dec 2011 18:58:09 +0100
From:      Polytropon <freebsd@edvax.de>
To:        Carl Johnson <carlj@peak.org>
Cc:        freebsd-questions@freebsd.org
Subject:   Re: OT: Root access policy
Message-ID:  <20111229185809.0b28e71f.freebsd@edvax.de>
In-Reply-To: <87y5tvcn9a.fsf@oak.localnet>
References:  <CA%2BNe_iJfFK43CE%2BL2LHcqNSmv7AmRDYyAu4pXGFpd3QB%2By3p2w@mail.gmail.com> <20111229105847.e15848ba.freebsd@edvax.de> <4EFC3FA3.1060603@my.gd> <87y5tvcn9a.fsf@oak.localnet>

On Thu, 29 Dec 2011 09:15:45 -0800, Carl Johnson wrote:
> Damien Fleuriot <ml@my.gd> writes:
> 
> > On 12/29/11 10:58 AM, Polytropon wrote:
> >> On Thu, 29 Dec 2011 04:01:42 -0500, Irk Ed wrote:
> >>> For the first time, a customer is asking me for root access to said
> >>> customer's servers.
> >> 
>   <snip>
> >>> Assuming that I'll be asked to continue administering said servers, I guess
> >>> I should at least enable accounting...
> >> 
> >> You could have better success using sudo. Make sure
> >> the customer is allowed to "sudo <command>". The
> >> sudo program will log _all_ things the customer
> >> does, so you can be sure you can review actions.
> >> Furthermore you don't need to give him the _real_
> >> root password. He won't be able to "su root" or
> >> to login as root, _real_ root. But he can use
> >> the "sudo" prefix to issue commands "with root
> >> privileges".
> >> 
> >
> > "sudo su -" or "sudo sh" and the customer gets a native root shell which
> > does *not* log commands !
> 
> The sudoers manpage mentions the noexec option which is designed to help
> with the first problem.  They also show an example using !SHELLS which
> can help with the second.

It's also worth mentioning "super" again - as an
alternative to "sudo". But after all, if restricted
in any way, both of them are _not_ equivalent to
"full root access" (equals: root + root's password)
which the customer initially demanded.



-- 
Polytropon
Magdeburg, Germany
Happy FreeBSD user since 4.0
Andra moi ennepe, Mousa, ...

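A sudoers fragment showing the two manpage options discussed in the thread (noexec and a !SHELLS exclusion) next to the unrestricted grant they replace; this is an added example, not text from any message above. The user name `customer`, the FreeBSD port paths and the I/O log directory are assumptions.

```sudoers
# Added example (not from the thread). Assumes sudo from FreeBSD ports, which
# installs this file as /usr/local/etc/sudoers; always edit it with visudo.

# Weak grant: full root, and "sudo su -" or "sudo sh" yields a root shell
# whose commands sudo never sees.
# customer ALL = (root) ALL

# Shells and su, named so they can be excluded from the grant.
Cmnd_Alias SHELLS = /bin/sh, /bin/csh, /bin/tcsh, \
                    /usr/local/bin/bash, /usr/local/bin/zsh
Cmnd_Alias SU     = /usr/bin/su

# noexec: commands run through sudo may not exec further programs, so an
# editor or pager started via sudo cannot spawn a shell (only effective for
# dynamically linked binaries). log_output records the whole session I/O,
# not just the command line, so a review sees what was actually done.
Defaults:customer noexec, log_output
# Assumed log location; sudoreplay reads sessions back from here.
Defaults iolog_dir=/var/log/sudo-io

# Everything except shells and su. sudoers(5) itself cautions that '!'
# exclusions subtracted from ALL match on path only, so a whitelist of the
# specific commands the customer needs is the more dependable form.
customer ALL = (root) ALL, !SHELLS, !SU
```

Check the result with `sudo -l -U customer` before handing over the account.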