root | su

Jonathan McKeown jonathan+freebsd-questions at hst.org.za
Sat Oct 25 06:48:55 PDT 2008


On Friday 24 October 2008 23:59, Jos Chrispijn wrote:
> [Jeremy Chadwick said]
> > You're trying to solve a social (possibly personal?) problem with
> > technology.  Simply put, this is a bad idea.
>
> Yep, I think that is true.
>
> > I would highly recommend you either talk to "the idiot" and explain to
> > him why what he's doing is improper or foolish, or simply pull his root
> > access entirely.  If this is a work-related incident, talk to your boss
> > about it if at all possible (but see below).  If you call the shots,
> > simply yank their access.
>
> The idiot is the boss himself and acts like an unguided missile.
> Just investigating before I give him a wake-up call. And that is exactly
> what I will do...
>
> > Food for thought.  Cheers!
>
> Love it, thanks for sharing (everyone)!

I'm coming to this discussion a bit late, and in general it's true that you 
can't limit root's ability to read files, execute programs, fiddle with 
settings etc. What you can do, which has limited usefulness but might fit 
your specific case, is temporarily prevent root from using su to log in as 
another user without knowing their password.

If you comment out (or remove entirely, which may slow down the other user 
even more, if they're unfamiliar with pam) the line

auth            sufficient      pam_rootok.so           no_warn

in /etc/pam.d/su, root has to meet the same requirements as any other user 
before using su.

Of course there's nothing to stop someone with root access from editing this 
file, but now the problem user has to actively subvert a measure that's been 
taken by another sysadmin - which may provide a better starting-point for a 
conversation about what they're up to.

Jonathan
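The pam_rootok.so change above, as an added example that is not part of the original post: a small POSIX shell script that audits a PAM "su" service file for an active pam_rootok.so line (the setting that lets root su to anyone without a password) and writes a copy with that line commented out, the way the post suggests. The sample configuration embedded in the script is constructed to resemble a FreeBSD /etc/pam.d/su and is not a copy of any real file; the function names are this example's own, and it only ever touches temporary copies, so applying the result to the real /etc/pam.d/su is a separate, deliberate step for the admin.

```shell
#!/bin/sh
# Added example (not from the original post): audit and tighten the
# pam_rootok.so line in a PAM "su" service file. Works on copies only.

# Constructed sample resembling FreeBSD's /etc/pam.d/su (not a real copy).
SAMPLE_PAM_SU='#
# PAM configuration for the "su" service
#

# auth
auth        sufficient  pam_rootok.so   no_warn
auth        sufficient  pam_self.so     no_warn
auth        requisite   pam_group.so    no_warn group=wheel root_only fail_safe ruser
auth        include     system

# account
account     include     system

# session
session     required    pam_permit.so
'

# rootok_bypass_enabled FILE
# Returns 0 (true) when an active, uncommented "auth sufficient pam_rootok.so"
# line is present, i.e. root may su to any user without that user's password.
rootok_bypass_enabled() {
    grep -Eq '^[[:space:]]*auth[[:space:]]+sufficient[[:space:]]+pam_rootok\.so' "$1"
}

# disable_rootok SRC DST
# Writes DST as a copy of SRC with every active pam_rootok.so auth line
# commented out. Root then has to satisfy the remaining auth stack
# (pam_self, pam_group, system) exactly like any other user.
disable_rootok() {
    sed -E 's/^([[:space:]]*auth[[:space:]]+sufficient[[:space:]]+pam_rootok\.so)/#\1/' "$1" > "$2"
}

# count_active_auth FILE
# Prints the number of uncommented auth lines, handy for confirming that
# only the rootok line was removed from the stack.
count_active_auth() {
    grep -Ec '^[[:space:]]*auth[[:space:]]' "$1"
}

# demo: run the audit on the constructed sample and show the result.
demo() {
    d=$(mktemp -d)
    printf '%s' "$SAMPLE_PAM_SU" > "$d/su.orig"
    if rootok_bypass_enabled "$d/su.orig"; then
        echo "sample: root password bypass (pam_rootok) is ENABLED"
    fi
    disable_rootok "$d/su.orig" "$d/su.hardened"
    if rootok_bypass_enabled "$d/su.hardened"; then
        echo "hardened copy: bypass still enabled (unexpected)"
    else
        echo "hardened copy: bypass disabled; active auth lines left: $(count_active_auth "$d/su.hardened")"
    fi
    echo "--- changed lines ---"
    diff "$d/su.orig" "$d/su.hardened" || true
    rm -rf "$d"
}

demo
```

To audit a live system instead of the sample, point rootok_bypass_enabled at /etc/pam.d/su; to apply the change, review the hardened copy first and then replace the file in place. As the post notes, anyone with root can simply restore the line, so this is a tripwire and a conversation starter rather than a control.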


More information about the freebsd-questions mailing list