root | su
Jonathan McKeown
jonathan+freebsd-questions at hst.org.za
Sat Oct 25 06:48:55 PDT 2008
On Friday 24 October 2008 23:59, Jos Chrispijn wrote:
> [Jeremy Chadwick said]
> > You're trying to solve a social (possibly personal?) problem with
> > technology. Simply put, this is a bad idea.
>
> Yep, I think that is .true.
>
> > I would highly recommend you either talk to "the idiot" and explain to
> > him why what he's doing is improper or foolish, or simply pull his root
> > access entirely. If this is a work-related incident, talk to your boss
> > about it if at all possible (but see below). If you call the shots,
> > simply yank their access.
>
> The idiot is the boss himself and acts like an unguided missile.
> Just investigating before I give him a wake-up call. And that is exactly
> what I will do...
>
> > Food for thought. Cheers!
>
> Love it, thanks for sharing (everyone)!
I'm coming to this discussion a bit late, and in general it's true that you
can't limit root's ability to read files, execute programs, fiddle with
settings etc. What you can do, which has limited usefulness but might fit
your specific case, is temporarily prevent root from using su to log in as
another user without knowing their password.
If you comment out (or remove entirely, which may slow down the other user
even more, if they're unfamiliar with pam) the line
auth sufficient pam_rootok.so no_warn
in /etc/pam.d/su, root has to meet the same requirements as any other user
before using su.
Of course there's nothing to stop someone with root access from editing this
file, but now the problem user has to actively subvert a measure that's been
taken by another sysadmin - which may provide a better starting-point for a
conversation about what they're up to.
Jonathan
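As an added example (not code from the thread), a small POSIX sh check of the mitigation Jonathan describes: it reports whether a PAM service file still has an active pam_rootok.so auth line and comments that line out; the sample /etc/pam.d/su content and the file locations are constructed for the demo, not read from a real system.

```shell
#!/bin/sh
# Added example: detect and disable an active "auth ... pam_rootok.so" line in a
# PAM service file, which is what lets root use su without a password.
# Comment lines (leading '#') are ignored, as PAM ignores them.

# pam_rootok_active FILE -> prints "active" or "disabled"; returns 0 if active
pam_rootok_active() {
    file="$1"
    # drop comment lines, then look for an auth line naming pam_rootok.so
    if grep -v '^[[:space:]]*#' "$file" \
        | awk '$1 == "auth" { for (i = 3; i <= NF; i++) if ($i ~ /pam_rootok\.so$/) found = 1 }
               END { exit (found ? 0 : 1) }'; then
        echo active
        return 0
    fi
    echo disabled
    return 1
}

# disable_rootok FILE -> comments out every active pam_rootok auth line
disable_rootok() {
    file="$1"
    # write to a temp file rather than sed -i, whose syntax differs between BSD and GNU
    sed 's/^\([[:space:]]*auth[[:space:]].*pam_rootok\.so.*\)$/#\1/' "$file" > "$file.tmp" \
        && mv "$file.tmp" "$file"
}

# demo -> runs the check on a constructed copy of the su service, before and after
demo() {
    dir=$(mktemp -d "${TMPDIR:-/tmp}/pamcheck.XXXXXX")
    # constructed sample modelled on FreeBSD's /etc/pam.d/su; only the
    # pam_rootok.so line is quoted from the thread itself
    cat > "$dir/su" <<'EOF'
# auth
auth		sufficient	pam_rootok.so		no_warn
auth		sufficient	pam_self.so		no_warn
auth		include		system
EOF
    before=$(pam_rootok_active "$dir/su") || true
    disable_rootok "$dir/su"
    after=$(pam_rootok_active "$dir/su") || true
    rm -rf "$dir"
    echo "before=$before after=$after"
}
```

Running `demo` prints `before=active after=disabled`; pointing `pam_rootok_active` at the real /etc/pam.d/su shows whether the change Jonathan suggests is still in place.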