Re: root | su
On Friday 24 October 2008 23:59, Jos Chrispijn wrote:
> [Jeremy Chadwick said]
> > You're trying to solve a social (possibly personal?) problem with
> > technology. Simply put, this is a bad idea.
>
> Yep, I think that is true.
>
> > I would highly recommend you either talk to "the idiot" and explain to
> > him why what he's doing is improper or foolish, or simply pull his root
> > access entirely. If this is a work-related incident, talk to your boss
> > about it if at all possible (but see below). If you call the shots,
> > simply yank their access.
>
> The idiot is the boss himself and acts like an unguided missile.
> Just investigating before I give him a wake-up call. And that is exactly
> what I will do...
>
> > Food for thought. Cheers!
>
> Love it, thanks for sharing (everyone)!

I'm coming to this discussion a bit late, and in general it's true that you can't limit root's ability to read files, execute programs, fiddle with settings etc. What you can do, which has limited usefulness but might fit your specific case, is temporarily prevent root from using su to log in as another user without knowing their password.

If you comment out (or remove entirely, which may slow down the other user even more, if they're unfamiliar with pam) the line

    auth    sufficient    pam_rootok.so    no_warn

in /etc/pam.d/su, root has to meet the same requirements as any other user before using su. Of course there's nothing to stop someone with root access from editing this file, but now the problem user has to actively subvert a measure that's been taken by another sysadmin - which may provide a better starting-point for a conversation about what they're up to.

Jonathan
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
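The /etc/pam.d/su edit Jonathan describes, as an added shell example that is not part of the thread: it comments out the pam_rootok line and checks the result. The sample su stack below is constructed to resemble a stock FreeBSD file of that era; the function names are mine.

```shell
#!/bin/sh
# Added example (not from the thread): comment out the pam_rootok line in a
# FreeBSD-style /etc/pam.d/su so root must satisfy the same auth stack as
# any other user before su succeeds. The sample file below is constructed.

# Print $1 with every active "auth sufficient pam_rootok.so" line commented
# out; other lines (pam_self, the pam_group wheel check, etc.) are untouched.
disable_pam_rootok() {
    sed -E 's/^([[:space:]]*auth[[:space:]]+sufficient[[:space:]]+pam_rootok\.so.*)$/#\1/' "$1"
}

# Exit 0 if $1 still lets root skip authentication via pam_rootok, else 1.
rootok_active() {
    grep -Eq '^[[:space:]]*auth[[:space:]]+sufficient[[:space:]]+pam_rootok\.so' "$1"
}

# Constructed sample resembling the stock FreeBSD /etc/pam.d/su of the era.
SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
# auth
auth        sufficient    pam_rootok.so    no_warn
auth        sufficient    pam_self.so      no_warn
auth        requisite     pam_group.so     no_warn group=wheel root_only fail_safe ruser
auth        include       system
# account
account     include       system
# session
session     required      pam_permit.so
EOF

if rootok_active "$SAMPLE"; then
    echo "before: root may su to any user without a password"
fi
disable_pam_rootok "$SAMPLE" > "$SAMPLE.new"
if rootok_active "$SAMPLE.new"; then
    echo "after: pam_rootok still active"
else
    echo "after: root must authenticate like any other user"
fi
rm -f "$SAMPLE.new"
# On a real system: disable_pam_rootok /etc/pam.d/su > /etc/pam.d/su.new,
# review it, then move it into place. Root can revert this edit, but doing
# so is an overt act rather than the default behaviour.
```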
[SOLVED] Re: root | su
[Jeremy Chadwick said]
> You're trying to solve a social (possibly personal?) problem with
> technology. Simply put, this is a bad idea.

Yep, I think that is true.

> I would highly recommend you either talk to "the idiot" and explain to
> him why what he's doing is improper or foolish, or simply pull his root
> access entirely. If this is a work-related incident, talk to your boss
> about it if at all possible (but see below). If you call the shots,
> simply yank their access.

The idiot is the boss himself and acts like an unguided missile.
Just investigating before I give him a wake-up call. And that is exactly
what I will do...

> Food for thought. Cheers!

Love it, thanks for sharing (everyone)!

jc
Re: root | su
On Fri, Oct 24, 2008 at 10:45:04PM +0200, Jos Chrispijn wrote:
>> Since the person asking didn't give any details of what he wants to do,
>> it's hard to say, but your point is correct regardless.
>
> The idea behind my question is this:
> I am responsible for a server on which an(other) idiot keeps logging in
> as user root, although he has his own user account and is part of the
> wheel group. To prevent this nub to change any other user account in God
> mode, I am searching for a solution on this.

You're trying to solve a social (possibly personal?) problem with
technology. Simply put, this is a bad idea.

I would highly recommend you either talk to "the idiot" and explain to
him why what he's doing is improper or foolish, or simply pull his root
access entirely. If this is a work-related incident, talk to your boss
about it if at all possible (but see below). If you call the shots,
simply yank their access.

Here's you a story, maybe to lighten up my above criticism. I hope you
enjoy it.

Back in the early-to-mid-90s I worked at a small ISP in Palo Alto as a
combination junior SA (sans root) and phone support monkey. There were
two people who had root access on the FreeBSD boxes: one fellow was a
clueful, friendly, and very technical UNIX system administrator (also
partial owner), and another fellow (also partial owner) who was a
complete tool -- imagine Dilbert's boss with basic UNIX CLI and "how to
plug in Ethernet" knowledge.

One day, we got some phone calls from customers stating they were having
authentication dial-up problems or something (I can't remember). I
didn't have root access to determine what the problem was, so I called
up the UNIX SA and told him what was going on. He sighed, then agreed to
take a look. About 15 minutes later he called back stating he'd fixed
it.

The next day, we started getting calls from customers again -- same
issue. I called the SA ("didn't you fix this yesterday?!?!"), he sighed
again, and 15 minutes later had it fixed.

I asked what the deal was, and all he said was "I'll explain it next
time I'm in the office".

A few weeks later I saw him and reminded him of the incident. The other
individual who had root -- who also just happened to be my boss -- had
gotten on the box in the middle of the night and decided to basically
"screw with things", telling no one. After the UNIX SA had fixed things
the first time, that night my boss went back and screwed with things a
second time, leaving things in a completely broken state again -- and
like before, told no one.

"How is this even possible?" I asked. The SA explained that he had
worked with my boss at previous jobs, and "he was known for doing this
sort of thing", hence the sighing. I believe his words were "Whenever
something crazy would happen to the systems at , we'd almost always find
traces of having logged in and modified seemingly random config files,
broke things, and left them that way. He'd often do this at absurd hours
of the night, almost as if he didn't want someone catching him in the
process".

I asked how he dealt with the situation, and he said "At the previous
job? His root access was eventually removed, as it was the only way. At
this job? Well, let's just say the Email conversation is quite heated
and will soon be involving the guys who financially back us".

Food for thought. Cheers!

-- 
| Jeremy Chadwick                                 jdc at parodius.com |
| Parodius Networking                        http://www.parodius.com/ |
| UNIX Systems Administrator                   Mountain View, CA, USA |
| Making life hard for others since 1977.               PGP: 4BD6C0CB |
Re: root | su
--- On Fri, 10/24/08, Jos Chrispijn <[EMAIL PROTECTED]> wrote:
> From: Jos Chrispijn <[EMAIL PROTECTED]>
> Subject: Re: root | su
> To:
> Cc: freebsd-questions@freebsd.org
> Date: Friday, October 24, 2008, 4:45 PM
>
> Since the person asking didn't give any details of
> what he wants to do, it's hard to say, but your point is
> correct regardless.
>
> The idea behind my question is this:
> I am responsible for a server on which an(other) idiot
> keeps logging in
> as user root, although he has his own user account and is
> part of the
> wheel group. To prevent this nub to change any other user
> account in God
> mode, I am searching for a solution on this.

Disable direct access via whatever remote access method you use as root.
Thus the other individual will have to login as themself, and su to
root. If you do not wish them to su to root, change the root password.

- mdh
Re: root | su
Jos Chrispijn wrote:
>> Since the person asking didn't give any details of what he wants to
>> do, it's hard to say, but your point is correct regardless.
>
> The idea behind my question is this:
> I am responsible for a server on which an(other) idiot keeps logging in
> as user root, although he has his own user account and is part of the
> wheel group. To prevent this nub to change any other user account in God
> mode, I am searching for a solution on this.

Instead of using the root account, could you make him use sudo, without
the ability to su?

Steve
Re: root | su
> Since the person asking didn't give any details of what he wants to do,
> it's hard to say, but your point is correct regardless.

The idea behind my question is this:
I am responsible for a server on which an(other) idiot keeps logging in
as user root, although he has his own user account and is part of the
wheel group. To prevent this nub to change any other user account in God
mode, I am searching for a solution on this.

jc
Re: root | su
en0f wrote:
> Jos Chrispijn wrote:
>> Is there a way of stopping root from su'ing to another user?
>
> what kind of question is this?

Obviously one that brings out of the woodwork the type of people with
closed and non-inquisitive minds... probably the type of people who
think that they have all of life's questions answered :)

Steve
Re: root | su
--- On Fri, 10/24/08, Manolis Kiagias <[EMAIL PROTECTED]> wrote:
> From: Manolis Kiagias <[EMAIL PROTECTED]>
> Subject: Re: root | su
> To: "Jos Chrispijn" <[EMAIL PROTECTED]>
> Cc: "FreeBSD Questions"
> Date: Friday, October 24, 2008, 2:25 PM
> Jos Chrispijn wrote:
> > Is there a way of stopping root from su'ing to
> another user?
> >
> > Jos Chrispijn
> >
> Root is supposed to be the almighty god on your machine
> (i.e. you...).
> No point trying to limit the abilities of root (especially
> if physical
> access is also provided).
> And seriously, root is a role not a person. If you find
> yourself trying
> to limit root's capabilities, you've probably
> surrendered the root
> password to the wrong person. If you need to give someone
> limited root
> access to a machine, just use security/sudo instead (with a
> carefully
> crafted sudoers file).

That's one option. Another is to implement jails, or virtualization via
something like qemu. Since the person asking didn't give any details of
what he wants to do, it's hard to say, but your point is correct
regardless.

- mdh
Re: root | su
Jos Chrispijn wrote:
> Is there a way of stopping root from su'ing to another user?

what kind of question is this?

--
en0f
Re: root | su
Jos Chrispijn wrote:
> Is there a way of stopping root from su'ing to another user?
>
> Jos Chrispijn

Root is supposed to be the almighty god on your machine (i.e. you...).
No point trying to limit the abilities of root (especially if physical
access is also provided).
And seriously, root is a role not a person. If you find yourself trying
to limit root's capabilities, you've probably surrendered the root
password to the wrong person. If you need to give someone limited root
access to a machine, just use security/sudo instead (with a carefully
crafted sudoers file).
Re: root | su
On Fri, Oct 24, 2008 at 2:06 PM, Jos Chrispijn <[EMAIL PROTECTED]> wrote:
> Is there a way of stopping root from su'ing to another user?
>

Short of disabling the user account you are `su'ing to (or disabling
root), no. Root can do anything.

--
Glen Barber