OT: Root access policy
Carl Johnson
carlj at peak.org
Thu Dec 29 17:15:49 UTC 2011
Damien Fleuriot <ml at my.gd> writes:
> On 12/29/11 10:58 AM, Polytropon wrote:
>> On Thu, 29 Dec 2011 04:01:42 -0500, Irk Ed wrote:
>>> For the first time, a customer is asking me for root access to said
>>> customer's servers.
>>
<snip>
>>> Assuming that I'll be asked to continue administering said servers, I guess
>>> I should at least enable accounting...
>>
>> You could have better success using sudo. Make sure
>> the customer is allowed to "sudo <command>". The
>> sudo program will log _all_ things the customer
>> does, so you can be sure you can review actions.
>> Furthermore you don't need to give him the _real_
>> root password. He won't be able to "su root" or
>> to login as root, _real_ root. But he can use
>> the "sudo" prefix to issue commands "with root
>> privileges".
>>
>
> "sudo su -" or "sudo sh" and the customer gets a native root shell which
> does *not* log commands !
The sudoers manpage mention the noexec option which is designed to help
with the first problem. They also show an example using !SHELLS which
can help with the second.
--
Carl Johnson carlj at peak.org
More information about the freebsd-questions
mailing list