Root access logging

Paul Schmehl pauls at utdallas.edu
Tue Jul 24 20:23:53 UTC 2007


--On Tuesday, July 24, 2007 16:01:33 -0400 Ian Lord <mailing-lists at msdi.ca> 
wrote:

>
>
> -----Original Message-----
> From: John Fitzgerald [mailto:jjfitzgerald at gmail.com]
> Sent: 24 juillet 2007 15:42
> To: Tom Grove
> Cc: freebsd-questions at freebsd.org; Ian Lord
> Subject: Re: Root access loggin
>
> I may be misunderstanding this, but wouldn't allowing only certain
> commands with sudo assume that the user actually knows what commands
> are needed by the user? In this situation it seems like the whole
> reason to grant access to the server was because the user _doesn't_
> know what needs to be done.
> ~~
>
> Exactly, I don't know what needs to be done, and they don't either.
> That's why they need to browse around trying to figure out why their
> installer doesn't work.
>
> Sudo wouldn't be any help here because I would need to pre-approve commands
> and I don't know which ones will be needed.
>
You seem to have a mistaken understanding of sudo.  You can grant them 
access to everything that root has simply by adding their account to the 
wheel group and using visudo to grant wheel access to everything that root 
has access to.  You can do this with or without a requirement to type your 
password when you use sudo.

This will allow them to do everything they want while logging every command 
they type.  And that seems to be exactly what you want.  So, rather than 
giving them the root password, create an account for them, add it to the 
wheel group and use visudo to edit /usr/local/etc/sudoers to grant wheel 
access to everything.  (DO NOT edit the file with vi!)

To add the wheel group to a user:
pw usermod username -G wheel

Granting access to wheel should be self-explanatory:

# Uncomment to allow people in group wheel to run all commands
%wheel  ALL=(ALL)       ALL
# %wheel        ALL=(ALL)       NOPASSWD: ALL

That way everything they do is logged, and you don't have to compromise 
your root password.

-- 
Paul Schmehl (pauls at utdallas.edu)
Senior Information Security Analyst
The University of Texas at Dallas
http://www.utdallas.edu/ir/security/
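
Added example, not part of the original message: a short Python script that reads the syslog entries sudo writes under the setup described above and reports who ran what as root. It also flags entries whose logged command is a shell or su, because sudo records the command it launches, not what is typed inside that shell afterwards. The log lines, host name and account name are constructed samples, and the line layout assumes sudo's default syslog format.

```python
import re

# Constructed sample lines in sudo's default syslog format (not from the thread).
SAMPLE_LOG = """\
Jul 24 16:10:01 box sudo:   vendor : TTY=ttyp1 ; PWD=/home/vendor ; USER=root ; COMMAND=/usr/bin/tail /var/log/messages
Jul 24 16:12:40 box sudo:   vendor : TTY=ttyp1 ; PWD=/tmp/installer ; USER=root ; COMMAND=/bin/sh ./install.sh --debug
Jul 24 16:15:09 box sudo:   vendor : TTY=ttyp1 ; PWD=/tmp/installer ; USER=root ; COMMAND=/usr/bin/su -
Jul 24 16:20:33 box sudo:   vendor : 3 incorrect password attempts ; TTY=ttyp1 ; PWD=/home/vendor ; USER=root ; COMMAND=/bin/ls
Jul 24 16:21:00 box sshd[812]: Accepted publickey for vendor from 192.0.2.10 port 50122 ssh2
"""

LINE = re.compile(r"^(\w{3}\s+\d+ [\d:]{8}) \S+ sudo(?:\[\d+\])?:\s+(\S+) : (.*)$")
SHELLS = {"sh", "csh", "tcsh", "bash", "zsh", "ksh"}


def parse_sudo_line(line):
    """Return a dict for one sudo log line, or None for any other line."""
    m = LINE.match(line)
    if not m:
        return None
    when, invoker, rest = m.groups()
    # COMMAND= is the last field, so the command itself may contain " ; ".
    head, _, command = rest.partition("COMMAND=")
    entry = {"when": when, "by": invoker, "command": command, "denied": None}
    for part in head.split(" ; "):
        key, sep, value = part.partition("=")
        if sep:
            entry[key.strip()] = value.strip()      # TTY, PWD, USER (target)
        elif part.strip():
            entry["denied"] = part.strip()          # e.g. a failed password
    return entry


def opens_shell(command):
    """True when the logged command hands over a shell sudo cannot see into."""
    argv = command.split()
    if not argv:
        return False
    prog = argv[0].rsplit("/", 1)[-1]
    # su is always flagged; a shell given only options (or nothing) is interactive.
    return prog == "su" or (prog in SHELLS and all(a.startswith("-") for a in argv[1:]))


def audit(log_text):
    """Parse every sudo entry and mark the ones that start a shell."""
    entries = filter(None, map(parse_sudo_line, log_text.splitlines()))
    return [dict(e, shell=opens_shell(e["command"])) for e in entries]


if __name__ == "__main__":
    for e in audit(SAMPLE_LOG):
        tag = "DENIED" if e["denied"] else "SHELL" if e["shell"] else "ok"
        print(f'{e["when"]}  {e["by"]} as {e["USER"]}  [{tag}]  {e["command"]}')
```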

