On Thu, 29 Dec 2011 09:15:45 -0800, Carl Johnson wrote:
> Damien Fleuriot <m...@my.gd> writes:
>
> > On 12/29/11 10:58 AM, Polytropon wrote:
> >> On Thu, 29 Dec 2011 04:01:42 -0500, Irk Ed wrote:
> >>> For the first time, a customer is asking me for root access to said
> >>> customer's servers.
> >>
> <snip>
> >>> Assuming that I'll be asked to continue administering said servers, I guess
> >>> I should at least enable accounting...
> >>
> >> You could have better success using sudo. Make sure
> >> the customer is allowed to "sudo <command>". The
> >> sudo program will log _all_ things the customer
> >> does, so you can be sure you can review actions.
> >> Furthermore you don't need to give him the _real_
> >> root password. He won't be able to "su root" or
> >> to log in as root, _real_ root. But he can use
> >> the "sudo" prefix to issue commands "with root
> >> privileges".
> >>
> >
> > "sudo su -" or "sudo sh" and the customer gets a native root shell which
> > does *not* log commands!
>
> The sudoers manpage mentions the noexec option which is designed to help
> with the first problem. They also show an example using !SHELLS which
> can help with the second.

It's also worth mentioning "super" again - as an alternative
to "sudo". But after all, if restricted in any way, both of
them are _not_ equivalent to "full root access" (equals:
root + root's password) which the customer initially demanded.

-- 
Polytropon
Magdeburg, Germany
Happy FreeBSD user since 4.0
Andra moi ennepe, Mousa, ...
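
The two sudoers mechanisms named in this thread, the NOEXEC tag and a negated SHELLS alias, shown as an added sketch that is not part of any poster's message. The user name `customer` and all command paths are assumptions to adapt to the host.

```sudoers
# Added example; "customer" and every path below are assumptions.

# Unrestricted rule discussed in the thread (left commented out):
# "sudo su -" or "sudo sh" gives a root shell whose later commands
# are not logged by sudo.
# customer ALL = (root) ALL

# Aliases in the style of the sudoers(5) examples.
Cmnd_Alias SHELLS = /bin/sh, /bin/csh, /bin/tcsh, /usr/local/bin/bash
Cmnd_Alias SU     = /usr/bin/su
Cmnd_Alias PAGERS = /usr/bin/more, /usr/bin/less

# Restricted rule: any command except su and the listed shells.
customer ALL = (root) ALL, !SU, !SHELLS

# Later matching rule wins: pagers run with NOEXEC, so they cannot
# start further programs (shell escapes) from inside the pager.
customer ALL = (root) NOEXEC: PAGERS
```

The sudoers manual itself cautions that NOEXEC only affects dynamically linked programs and that subtracting commands from ALL with `!` is advisory rather than a hard boundary, which matches the point above that a restricted setup is not full root access. Check the file with `visudo -c` before installing it.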