On 30/12/05, Thaths <[EMAIL PROTECTED]> wrote:
> sudo rights to perform the required actions. Your users will have to
> log in as normal users and to run all their sys admin commands through
> sudo. Sudo does copious logging.

Caveat emptor.

Running shell scripts via sudo is sometimes dangerous. For example,
I have seen several people provide a sudoers entry for /etc/init.d/httpd
for normal users to stop/start apache. On Redhat at least, this has a
big problem:

[EMAIL PROTECTED]:[11:36](27) env HTTPD=/usr/bin/id sudo /etc/init.d/httpd start
Starting httpd: uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)

(The /sbin/service program that Redhat provides for startup services
management does not have this problem, as it runs commands using env
-i).

So watch who you give sudo permissions to. Look up the env_reset
sudoers flag before you give anyone sudo access.

Binand
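
Added example, not part of the original message: a shell sketch of why an inherited environment changes what a script runs, how env -i prevents it, and a check for the env_reset flag in sudoers text. INIT_BODY is a constructed stand-in that assumes the script takes its binary path from $HTTPD; the function names and sample input are hypothetical.

```shell
#!/bin/sh
# Constructed stand-in for the init script: it takes the daemon path from
# $HTTPD when the caller has set it (assumed behaviour) and only prints the
# path it would run, so nothing is executed.
INIT_BODY='httpd=${HTTPD-/usr/sbin/httpd}; echo "$httpd"'

# Caller's environment passed straight through to the script.
resolve_inherited() { /bin/sh -c "$INIT_BODY"; }

# Environment emptied first, as /sbin/service does with env -i.
resolve_clean() { env -i /bin/sh -c "$INIT_BODY"; }

# Report how sudoers text on stdin sets env_reset in global Defaults lines:
# enabled, disabled, or unspecified. Scoped entries (Defaults:user, etc.)
# are ignored by this check; the last global setting seen is reported.
env_reset_setting() {
    awk '
        /^[ \t]*Defaults[ \t]/ {
            sub(/#.*/, "")
            sub(/^[ \t]*Defaults[ \t]+/, "")
            n = split($0, opts, ",")
            for (i = 1; i <= n; i++) {
                gsub(/[ \t]/, "", opts[i])
                if (opts[i] == "env_reset")  state = "enabled"
                if (opts[i] == "!env_reset") state = "disabled"
            }
        }
        END { print (state == "" ? "unspecified" : state) }
    '
}

# Demo with constructed input.
echo "inherited: $(export HTTPD=/usr/bin/id; resolve_inherited)"
echo "env -i:    $(export HTTPD=/usr/bin/id; resolve_clean)"
echo "sudoers:   $(printf 'Defaults !env_reset\n' | env_reset_setting)"
```

On a real host, feed env_reset_setting the output of a privileged read of the sudoers file, and treat "disabled" or "unspecified" as a prompt to review every sudoers entry that points at a shell script.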


_______________________________________________
linux-india-help mailing list
linux-india-help@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/linux-india-help