OT: Root access policy

Polytropon freebsd at edvax.de
Thu Dec 29 17:58:11 UTC 2011


On Thu, 29 Dec 2011 09:15:45 -0800, Carl Johnson wrote:
> Damien Fleuriot <ml at my.gd> writes:
> 
> > On 12/29/11 10:58 AM, Polytropon wrote:
> >> On Thu, 29 Dec 2011 04:01:42 -0500, Irk Ed wrote:
> >>> For the first time, a customer is asking me for root access to said
> >>> customer's servers.
> >> 
>   <snip>
> >>> Assuming that I'll be asked to continue administering said servers, I guess
> >>> I should at least enable accounting...
> >> 
> >> You could have better success using sudo. Make sure
> >> the customer is allowed to "sudo <command>". The
> >> sudo program will log _all_ things the customer
> >> does, so you can be sure you can review actions.
> >> Furthermore you don't need to give him the _real_
> >> root password. He won't be able to "su root" or
> >> to login as root, _real_ root. But he can use
> >> the "sudo" prefix to issue commands "with root
> >> privileges".
> >> 
> >
> > "sudo su -" or "sudo sh" and the customer gets a native root shell which
> > does *not* log commands !
> 
> The sudoers manpage mentions the noexec option which is designed to help
> with the first problem.  They also show an example using !SHELLS which
> can help with the second.

It's also worth mentioning "super" again - as an
alternative to "sudo". But after all, if restricted
in any way, both of them are _not_ equivalent to
"full root access" (equals: root + root's password)
which the customer initially demanded.



-- 
Polytropon
Magdeburg, Germany
Happy FreeBSD user since 4.0
Andra moi ennepe, Mousa, ...
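
An added example, not part of the original message or thread: because a shell started through sudo is logged only at launch, this Python sketch reviews sudo's syslog entries and flags the points where per-command logging stops, including attempts that a !SHELLS-style rule refused. The log lines are constructed samples in sudo's default syslog format; the shell list and the function name are assumptions.

```python
import re

# Binaries that hand the caller an interactive shell (assumed list, extend as
# needed). sudo records the launch only, not what is typed inside the shell.
SHELLS = {"sh", "bash", "csh", "tcsh", "ksh", "zsh", "su"}

# sudo's default syslog entry:
#   <user> : [<failure reason> ; ]TTY=... ; PWD=... ; USER=... ; COMMAND=...
LINE_RE = re.compile(
    r"sudo(?:\[\d+\])?:\s+(?P<user>\S+) : (?P<pre>.*?)"
    r"USER=(?P<runas>\S+) ; COMMAND=(?P<command>.+)$"
)

# Constructed sample entries (not taken from a real system).
SAMPLE_LOG = [
    "Dec 29 18:01:12 host1 sudo: customer : TTY=pts/0 ; PWD=/home/customer ; "
    "USER=root ; COMMAND=/usr/sbin/pkg_info",
    "Dec 29 18:02:40 host1 sudo: customer : TTY=pts/0 ; PWD=/home/customer ; "
    "USER=root ; COMMAND=/usr/bin/su -",
    "Dec 29 18:09:03 host1 sudo: customer : command not allowed ; TTY=pts/0 ; "
    "PWD=/home/customer ; USER=root ; COMMAND=/bin/sh",
]

def find_shell_escapes(lines):
    """Return (user, command, allowed) for each sudo entry that ran a shell as root.

    allowed is False when sudo refused the command, e.g. because of a
    !SHELLS rule; the entry then starts with a reason instead of TTY=.
    """
    hits = []
    for line in lines:
        m = LINE_RE.search(line)
        if not m or m.group("runas") != "root":
            continue
        command = m.group("command").strip()
        binary = command.split()[0].rsplit("/", 1)[-1]
        # Conservative: "sh -c ..." and "su -c ..." are flagged as well.
        if binary in SHELLS:
            allowed = m.group("pre").startswith("TTY=")
            hits.append((m.group("user"), command, allowed))
    return hits

if __name__ == "__main__":
    for user, command, allowed in find_shell_escapes(SAMPLE_LOG):
        state = "started (logging ends here)" if allowed else "denied by policy"
        print(f"{user}: {command} -> root shell {state}")
```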

