On Fri, Oct 24, 2008 at 10:45:04PM +0200, Jos Chrispijn wrote: >> Since the person asking didn't give any details of what he wants to do, >> it's hard to say, but your point is correct regardless. > > The idea behind my question is this: > I am responsible for a server on which an(other) idiot keeps loggin in > as user root, allthough he has his own user account and is part of the > wheel group. To prevent this nub to change any other user account in God > mode, I am searching for a solutions on this.
You're trying to solve a social (possibly personal?) problem with technology. Simply put, this is a bad idea. I would highly recommend you either talk to "the idiot" and explain to him why what he's doing is improper or foolish, or simply pull his root access entirely. If this is a work-related incident, talk to your boss about it if at all possible (but see below). If you call the shots, simply yank their access. Here's you a story, maybe to lighten up my above criticism. I hope you enjoy it. Back in the early-to-mid-90s I worked at a small ISP in Palo Alto as a combination junior SA (sans root) and phone support monkey. There were two people who had root access on the FreeBSD boxes: one fellow was a clueful, friendly, and very technical UNIX system administrator (also partial owner), and another fellow (also partial owner) who was a complete tool -- imagine Dilbert's boss with basic UNIX CLI and "how to plug in Ethernet" knowledge. One day, we got some phone calls from customers stating they were having authentication dial-up problems or something (I can't remember). I didn't have root access to determine what the problem was, so I called up the UNIX SA and told him what was going on. He sighed, then agreed to take a look. About 15 minutes later he called back stating he'd fixed it. The next day, we started getting calls from customers again -- same issue. I called the SA ("didn't you fix this yesterday?!?!"), he sighed again, and 15 minutes later had it fixed. I asked what the deal was, and all he said was "I'll explain it next time I'm in the office". A few weeks later I saw him and reminded him of the incident. The other individual who had root -- who also just happened to be my boss -- had gotten on the box in the middle of the night and decided to basically "screw with things", telling no one. After the UNIX SA had fixed things the first time, that night my boss went back and screwed with things a second time, leaving things in a completely broken state again -- and like before, told no one. "How is this even possible?" I asked. The SA explained that he had worked with my boss at previous jobs, and "he was known for doing this sort of thing", hence the sighing. I believe his words were "Whenever something crazy would happen to the systems at <old job>, we'd almost always find traces of <boss> having logged in and modified seemingly random config files, broke things, and left them that way. He'd often do this at absurd hours of the night, almost as if he didn't want someone catching him in the process". I asked how he dealt with the situation, and he said "At the previous job? His root access was eventually removed, as it was the only way. At this job? Well, let's just say the Email conversation is quite heated and will soon be involving the guys who financially back us". Food for thought. Cheers! -- | Jeremy Chadwick jdc at parodius.com | | Parodius Networking http://www.parodius.com/ | | UNIX Systems Administrator Mountain View, CA, USA | | Making life hard for others since 1977. PGP: 4BD6C0CB | _______________________________________________ email@example.com mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to "[EMAIL PROTECTED]"