root | su

Jeremy Chadwick koitsu at FreeBSD.org
Fri Oct 24 14:14:45 PDT 2008


On Fri, Oct 24, 2008 at 10:45:04PM +0200, Jos Chrispijn wrote:
>> Since the person asking didn't give any details of what he wants to do, 
>> it's hard to say, but your point is correct regardless.  
>
> The idea behind my question is this:
> I am responsible for a server on which an(other) idiot keeps logging in
> as user root, although he has his own user account and is part of the
> wheel group. To prevent this nub from changing any other user account in God
> mode, I am searching for a solution to this.

You're trying to solve a social (possibly personal?) problem with
technology.  Simply put, this is a bad idea.

I would highly recommend you either talk to "the idiot" and explain to
him why what he's doing is improper or foolish, or simply pull his root
access entirely.  If this is a work-related incident, talk to your boss
about it if at all possible (but see below).  If you call the shots,
simply yank their access.

Here's a story for you, maybe to lighten up my above criticism.  I hope you
enjoy it.

Back in the early-to-mid-90s I worked at a small ISP in Palo Alto as a
combination junior SA (sans root) and phone support monkey.  There were
two people who had root access on the FreeBSD boxes: one fellow was a
clueful, friendly, and very technical UNIX system administrator (also
partial owner), and another fellow (also partial owner) who was a
complete tool -- imagine Dilbert's boss with basic UNIX CLI and "how to
plug in Ethernet" knowledge.

One day, we got some phone calls from customers stating they were having
authentication dial-up problems or something (I can't remember).  I
didn't have root access to determine what the problem was, so I called
up the UNIX SA and told him what was going on.  He sighed, then agreed
to take a look.  About 15 minutes later he called back stating he'd
fixed it.

The next day, we started getting calls from customers again -- same
issue.  I called the SA ("didn't you fix this yesterday?!?!"), he sighed
again, and 15 minutes later had it fixed.  I asked what the deal was,
and all he said was "I'll explain it next time I'm in the office".  A
few weeks later I saw him and reminded him of the incident.

The other individual who had root -- who also just happened to be my
boss -- had gotten on the box in the middle of the night and decided to
basically "screw with things", telling no one.  After the UNIX SA had
fixed things the first time, that night my boss went back and screwed
with things a second time, leaving things in a completely broken state
again -- and like before, told no one.  "How is this even possible?" I
asked.

The SA explained that he had worked with my boss at previous jobs, and
"he was known for doing this sort of thing", hence the sighing.  I
believe his words were "Whenever something crazy would happen to the
systems at <old job>, we'd almost always find traces of <boss> having
logged in and modified seemingly random config files, broke things, and
left them that way.  He'd often do this at absurd hours of the night,
almost as if he didn't want someone catching him in the process".

I asked how he dealt with the situation, and he said "At the previous
job?  His root access was eventually removed, as it was the only way.
At this job?  Well, let's just say the Email conversation is quite
heated and will soon be involving the guys who financially back us".

Food for thought.  Cheers!

-- 
| Jeremy Chadwick                                jdc at parodius.com |
| Parodius Networking                       http://www.parodius.com/ |
| UNIX Systems Administrator                  Mountain View, CA, USA |
| Making life hard for others since 1977.              PGP: 4BD6C0CB |
