James G. Sack (jim) wrote:
Doug LaRue wrote:
** Reply to message from "James G. Sack (jim)" <[EMAIL PROTECTED]> on Tue, 08 Apr 2008 14:21:38 -0700
What is the effective difference in terms of security?
/var/log/auth.log
All sudo commands (logins, failed attempts, commands run, etc.) are
logged there. But then again, I don't know if or where root logins
and commands/failures/etc. get logged on other systems.
Ahh, thanks Doug. I forgot to mention that. Having a complete log of
commands executed via sudo is another benefit of sudo vs running from a
root shell. This is particularly valuable on servers admin'd by multiple
users with sudo rights. Even on a home system, it may turn out handy.
DJA- if you are asking whether there are differences in what can be done
via sudo compared to via a root shell -- that's what sudoers can
control. See
man sudoers
The file /etc/sudoers has some helpful comments within, but I'm sure
there must be [ie, I haven't looked, though] some good tutorials on
configuring sudoers as well.
At Akamai we had some fairly complex sudoers files in order to control
the amount of control the different admins had over various systems.
Some admins had no clue how to deal with databases and were not allowed
to run commands that would affect a DB, others were DBAs and had full
access to DB servers. The easiest way to control who could do what was
to not give all admins root access, set up various groups, and give those
groups the necessary privileges in the sudoers file.
Because (as has been stated) all commands issued using sudo are logged
as to the actual user that executed them, a history was kept as to which
admin did what and when (as compared to someone logging in as root, at
which point you have no accountability and limited history).
PGA
--
Paul G. Allen, BSIT/SE
Owner, Sr. Engineer
Random Logic Consulting Services
www.randomlogic.com
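An added example, not from this thread or from any of its authors, of the group-based sudoers layout Paul describes: DBAs get root on database hosts only, other admins get an explicit allow-list, and every command goes to syslog. Host names, group names and command paths are assumptions.

```sudoers
# Added example (not from the thread): a group-based /etc/sudoers layout.
# Host, group and command names are placeholders. Edit only with `visudo`
# (or check a candidate file with `visudo -c -f FILE`); a syntax error in
# the live file locks everyone out of sudo.

# Hosts: which machines a rule applies to.
Host_Alias  DBSERVERS   = db01, db02
Host_Alias  WEBSERVERS  = web01, web02

# Commands grouped by duty. Always give full paths, and avoid wildcards in
# arguments: in sudoers a '*' also matches spaces, so "tail /var/log/*"
# would permit "tail /var/log/x /etc/shadow".
Cmnd_Alias  DB_CMDS     = /usr/bin/mysql, /usr/bin/mysqladmin, \
                          /usr/sbin/service mysql restart
Cmnd_Alias  SVC_CMDS    = /usr/sbin/service apache2 restart, \
                          /usr/sbin/service apache2 status
Cmnd_Alias  LOG_CMDS    = /usr/bin/tail /var/log/auth.log, \
                          /usr/bin/tail /var/log/apache2/error.log

# Log every command through syslog; the authpriv facility ends up in
# /var/log/auth.log on Debian/Ubuntu. use_pty keeps the command's I/O
# attributable to the invoking user's terminal.
Defaults    syslog=authpriv
Defaults    use_pty

# DBAs: full root on the database hosts, nothing elsewhere.
%dba        DBSERVERS = (root) ALL

# General sysadmins: an explicit allow-list on the web hosts, including the
# DB alias only where a DB restart is part of their duty. Listing what they
# may run is safer than "ALL, !DB_CMDS": the sudoers manual warns that
# subtracting from ALL with '!' is easily bypassed (e.g. via a copied binary).
%sysadmin   WEBSERVERS = (root) SVC_CMDS, LOG_CMDS

# Resulting auth.log line (constructed sample) when alice runs a command:
# Apr  8 14:21:38 web01 sudo: alice : TTY=pts/0 ; PWD=/home/alice ;
#     USER=root ; COMMAND=/usr/sbin/service apache2 restart
```

No group is granted a shell (sh, bash, su) through sudo, since a root shell ends the per-command record the thread is relying on for accountability.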
--
http://www.kernel-panic.org/cgi-bin/mailman/listinfo/kplug-list