Sorry, forgot to reply all... Kurt
---------- Forwarded message ----------
From: Kurt Buff <kurt.b...@gmail.com>
Date: Thu, Dec 6, 2012 at 11:53 AM
Subject: Re: Somewhat OT: Is Full Command Logging Possible?
To: Fleuriot Damien <m...@my.gd>

On Thu, Dec 6, 2012 at 1:26 AM, Fleuriot Damien <m...@my.gd> wrote:
>
> On Dec 6, 2012, at 1:35 AM, Kurt Buff <kurt.b...@gmail.com> wrote:
>
>> On Wed, Dec 5, 2012 at 3:48 PM, Tim Daneliuk <tun...@tundraware.com> wrote:
>>> On 12/05/2012 05:44 PM, Kurt Buff wrote:
>>>>
>>>> On Wed, Dec 5, 2012 at 3:19 PM, Tim Daneliuk <tun...@tundraware.com>
>>>> wrote:
>>>>>
>>>>> I am working with an institution that today provides limited privilege
>>>>> escalation on their servers via very specific sudo rules. The problem
>>>>> is that the administrators can do 'sudo su -'.
>>>>
>>>> <snip>
>>>>
>>>> sudo is misconfigured.
>>>>
>>>> man 5 sudoers and man 8 visudo
>>>>
>>>> Kurt
>>>>
>>> I'm sorry Kurt, I'm sort of dense today, I'm not sure what you're
>>> saying. Are you suggesting that there is a way to configure
>>> sudo so that if someone does 'sudo su -' to become an admin,
>>> sudo can be made to log every command they execute thereafter?
>>
>> No, I'm saying that sudo should not be configured to allow 'sudo su -'.
>
> This is an ineffective solution.
>
> So what, you're going to forbid "sudo su -"
>
> Fine, I'll just run "sudo csh".
>
> If you forbid csh, I'll just copy the existing `which csh` to ~/toto and
> "sudo ~/toto".
>
> Basically, anything short of actually whitelisting what people can run won't
> do.
>
> And apparently that's not in Tim's list of desirable things ;)

Whitelisting commands is exactly what the sudoers file is for. If he wants to
do otherwise, then he's using the wrong tool.

Kurt
_______________________________________________
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"
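As an added illustration of the point Kurt and Damien converge on (editor-supplied example code, not part of the thread, of FreeBSD, or of sudo itself): the sudoers file is the whitelist, and a whitelist only helps if no rule grants ALL and no whitelisted program can hand the caller a shell. The script below is a small sudoers linter that flags both cases. The sudoers fragment it audits is constructed for the example, as is the list of shell-escape programs; the function names (audit_sudoers, scan_rules, is_shell_escape, audit_sample) are the example's own.

```shell
#!/bin/sh
# Added example (not from the thread, not part of sudo): a small sudoers
# linter that flags rules amounting to "sudo su -" by another name, i.e.
# grants of ALL, or whitelisted programs that hand the caller a shell.

# Constructed sudoers fragment for the example (not taken from the thread).
# The first three rules are the kind of grant the thread argues about; the
# last three are a whitelist of specific commands, the sudoers way to do it.
SAMPLE_SUDOERS='# constructed for this example
Defaults    env_reset
root        ALL=(ALL) ALL
%wheel      ALL=(ALL) ALL
ops         ALL=(root) /usr/bin/su -
bob         ALL=(root) NOPASSWD: /usr/local/bin/vim /etc/hosts
alice       ALL=(root) NOPASSWD: /usr/sbin/service nginx restart
carol       ALL=(root) /sbin/reboot, /usr/sbin/service sshd restart
'

# Program basenames that give the caller a shell or arbitrary execution even
# when granted by absolute path (vi's :!sh, less's !, find -exec, ...).
# The list is an assumption for this example; extend it for your hosts.
SHELL_ESCAPES='sh bash csh tcsh ksh zsh su sudo vi vim less more man find awk perl python'

is_shell_escape() {
    for b in $SHELL_ESCAPES; do
        [ "$1" = "$b" ] && return 0
    done
    return 1
}

# scan_rules FILE: print "REASON<TAB>rule" for each risky user specification.
scan_rules() {
    # Skip comments, blank lines and Defaults; everything else is a user spec.
    grep -Ev '^[[:space:]]*(#|$|Defaults)' "$1" | while IFS= read -r rule; do
        # After the first '=' comes: [(runas)] [TAG:]... cmd[, cmd...]
        spec=${rule#*=}
        spec=$(printf '%s\n' "$spec" |
            sed -E 's/^[[:space:]]*\([^)]*\)//; s/(NO)?(PASSWD|EXEC|SETENV|LOG_INPUT|LOG_OUTPUT):[[:space:]]*//g')
        set -f                       # no globbing while we split on commas
        oldifs=$IFS; IFS=,
        for cmd in $spec; do
            IFS=$oldifs
            cmd=$(printf '%s\n' "$cmd" | sed -E 's/^[[:space:]]+//; s/[[:space:]]+$//')
            case $cmd in
                ALL) printf 'UNRESTRICTED\t%s\n' "$rule" ;;
                *)  prog=${cmd%% *}          # command path without its arguments
                    if is_shell_escape "${prog##*/}"; then
                        printf 'SHELL_ESCAPE\t%s\n' "$rule"
                    fi ;;
            esac
            IFS=,
        done
        IFS=$oldifs
        set +f
    done
}

# audit_sudoers FILE: print findings; exit 0 when clean, 1 when any were found.
audit_sudoers() {
    findings=$(scan_rules "$1")
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# audit_sample: run the audit over the constructed fragment above.
audit_sample() {
    tmp=$(mktemp) || return 2
    printf '%s' "$SAMPLE_SUDOERS" > "$tmp"
    if audit_sudoers "$tmp"; then rc=0; else rc=1; fi
    rm -f "$tmp"
    return $rc
}

# Stand-alone use: sh audit_sudoers.sh /usr/local/etc/sudoers
if [ $# -gt 0 ]; then
    audit_sudoers "$1"
    exit $?
fi
```

Run over the sample, the linter flags root and %wheel (ALL), ops (the literal 'sudo su -' grant from Tim's question) and bob (vim can run a shell from inside the editor); alice and carol pass. That is the whole of Damien's objection: a whitelist of absolute paths is what stops "sudo ~/toto", since sudoers only matches the path written in the rule, but the whitelist still has to be kept free of programs that execute other programs. Newer sudo versions can additionally pin a whitelisted command to a digest in sudoers, which closes the gap where an administrator can overwrite the whitelisted binary itself.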