Root access loggin
jjfitzgerald at gmail.com
Tue Jul 24 19:41:58 UTC 2007
I may be misunderstanding this, but wouldn't allowing only certain
commands with sudo assume that the user actually knows what commands
are needed by the user? In this situation it seems like the whole
reason to grant access to the server was because the user _doesn't_
know what needs to be done.
On 7/24/07, Tom Grove <freebsd at voidmain.net> wrote:
> Lowell Gilbert wrote:
> > Tom Grove <freebsd at voidmain.net> writes:
> >> You could even go so far as to limit what he can use sudo on.
> >> $>man sudo
> >> Giving him full root access is probably not a good idea.
> > In practice, this approach *is* effectively giving him full root
> > access. Once you have to give the tech the ability to edit root-owned
> > files, you have to trust his honesty.
> Once any kind of local access is given to a user trust becomes an issue;
> regardless of root access or not. By only allowing a certain set of
> commands there would still need to be a great deal of cracking to gain
> more access. If one just gives out root access no more would need to be
> done. This is where sudo is unlike root access.
> > There are some important
> > advantages to doing it through sudo, though: one is that it makes it
> > easy for the user to keep track of just the root-privileged commands,
> > and another is that it's easier for the user to avoid shooting himself
> > in the foot.
> Other advantages to sudo are not having to give out the root password.
> A possible solution may be using sudo and watch together.
> > To watch everything done by the remote-connected tech, the most
> > complete approach is probably watch(8), which is a much simpler way of
> > getting everything typed on a particular tty.
> > _______________________________________________
> > freebsd-questions at freebsd.org mailing list
> > http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> > To unsubscribe, send any mail to "freebsd-questions-unsubscribe at freebsd.org"
> While I agree that any kind of raised privilege may not be the best
> idea, if it is necessary, sudo adds a layer of protection you do not get
> with straight root.
> freebsd-questions at freebsd.org mailing list
> To unsubscribe, send any mail to "freebsd-questions-unsubscribe at freebsd.org"
More information about the freebsd-questions