RE: Root access loggin

--On Tuesday, July 24, 2007 16:01:33 -0400 Ian Lord <mailing-lists@xxxxxxx> wrote:



-----Original Message-----
From: John Fitzgerald [mailto:jjfitzgerald@xxxxxxxxx]
Sent: 24 juillet 2007 15:42
To: Tom Grove
Cc: freebsd-questions@xxxxxxxxxxx; Ian Lord
Subject: Re: Root access loggin

I may be misunderstanding this, but wouldn't allowing only certain
commands with sudo assume that the user actually knows what commands
are needed by the user? In this situation it seems like the whole
reason to grant access to the server was because the user _doesn't_
know what needs to be done.
~~

Exactly, I don't know what needs to be done, and they don't neither.
That's why they need to browse around trying to figure out why their
installer doesn't work.

Sudo wouldn't be any help here cause I would need to pre approve commands
and I don't know which one will be needed.

You seem to have a mistaken understanding of sudo. You can grant them access to everything that root has simply by adding their account to the wheel group and using visudo to grant wheel access to everything that root has access to. You can do this with or without a requirement to type your password when you use sudo.

This will allow them to do everything they want while logging every command they type. And that seems to be exactly what you want. So, rather than giving them the root password, create an account for them, add it to the wheel group and use visudo to edit /usr/local/etc/sudoers to grant wheel access to everything. (DO NOT edit the file with vi!)

To add the wheel group to a user:
pw usermod username -G wheel

Granting access to wheel should be self-explanatory:

# Uncomment to allow people in group wheel to run all commands
%wheel ALL=(ALL) ALL
# %wheel ALL=(ALL) NOPASSWD: ALL

That way everything they do is logged, and you don't have to compromise your root password.

--
Paul Schmehl (pauls@xxxxxxxxxxxx)
Senior Information Security Analyst
The University of Texas at Dallas
http://www.utdallas.edu/ir/security/

Relevant Pages

  • Re: [kde-linux] KDE 4 and monitor powering off.
    ... I changed it so that it would run as root since I have to ... I have sudo configured so my normal user has very limited access (some ... commands, with specific parameters. ... The admin user has full passwordless access to do everything root could ...
    (KDE)
  • Re: Help with sudoers and wheel - "Old Guy" or anyone?
    ... (I am root on my home systems, and have "root" user accounts at work, ... Notice - no permissions for normal users to run. ... members of the 'wheel' group could run those commands. ... >Use halt, reboot, shutdown, mount, and tcpdump commands. ...
    (comp.os.linux)
  • Re: Help with sudoers and wheel - "Old Guy" or anyone?
    ... > gateway for home LAN and ADSL Internet. ... > explain the wheel group. ... Without having su sudo ... > like to know about the specific commands like for adding groups. ...
    (comp.os.linux)
  • Re: help getting grub to see Windows 7 on second drive
    ... visudo) and add yourself, then sudo will work. ... # Uncomment to allow people in group wheel to run all commands ... (I haven't tried multiple commands separated by; ... It does not leave you in root, ...
    (Debian-User)
  • Re: use sudo without having to type password?
    ... > There are lots of very valid reasons for having password-less sudo ... > commands available. ... >> If you have to do anything as root, you should have to type a password ... It should stand as a warning that they're about to ...
    (alt.os.linux)