user with root privilege

Bevan C. Bennett bevan at fulcrummicro.com
Mon Apr 26 20:12:29 UTC 2004


William Hooper wrote:
> Björn Persson said:
> 
>>William Hooper wrote:
>>
>>
>>>Björn Persson said:
>>>
>>>
>>>>Wouldn't it be rather difficult to construct a sudoers file so that a
>>>>user can do anything an administrator might possibly need to do but not
>>>>in any way manipulate the log?

It's actually pretty easy - see below.

>>>Sure, remote logging.
>>>
>>>Any log on the local machine is suspect, so if it is important set up
>>>remote logging.
>>
>>sudo service network stop, or reboot without networking, or just yank
>>the cable. No more remote logging - and if someone asks you had a
>>perfectly good reason to take the machine offline for a little while. :-)
> 
> If the user has physical access or the ability to boot into single user
> mode it doesn't matter what you are using, because it isn't your machine
> it is theirs :-)

It may be the case that the computer is neither yours nor theirs, but 
instead belongs to your mutual employer.  In most cases 'circumventing 
security measures' is often a violation of your AUP (you -do- have an 
AUP, don't you?) and possibly punishable by termination.  It's generally 
not worth that sort of risk just to avoid having your sudo activities 
properly logged.

Mostly, IMO, the logs of your sudo commands are useful for when 
something gets broken, so the other admins can backtrace where it is you 
went wrong...
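As an added example that is not part of the thread: a small Python scan over sudo's syslog entries that flags the two moves discussed above, commands that take the host offline (so a remote log server stops hearing from it) and commands that edit the local log files or syslog configuration. The sample log lines, the host and user names, and the tag names are constructed; the line layout follows the format sudo writes to syslog.

```python
import re
import shlex

# Constructed sample lines in the syslog format sudo writes (e.g. /var/log/secure on Fedora).
SAMPLE_LOG = """\
Apr 26 20:01:11 box sudo:    bjorn : TTY=pts/0 ; PWD=/home/bjorn ; USER=root ; COMMAND=/sbin/service httpd restart
Apr 26 20:05:42 box sudo:    bjorn : TTY=pts/0 ; PWD=/home/bjorn ; USER=root ; COMMAND=/sbin/service network stop
Apr 26 20:06:03 box sudo:    bjorn : TTY=pts/0 ; PWD=/home/bjorn ; USER=root ; COMMAND=/bin/vi /var/log/secure
Apr 26 20:07:19 box sudo:    alice : TTY=pts/1 ; PWD=/root ; USER=root ; COMMAND=/sbin/reboot
Apr 26 20:08:00 box sudo:    alice : TTY=pts/1 ; PWD=/root ; USER=root ; COMMAND=/bin/cat /etc/hosts
"""

SUDO_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sudo:\s+(?P<user>\S+) : "
    r"TTY=(?P<tty>\S+) ; PWD=(?P<pwd>\S+) ; USER=(?P<runas>\S+) ; COMMAND=(?P<cmd>.*)$"
)

# Commands that take the box offline (ending remote log delivery) or touch local logs / syslog config.
OFFLINE_BASENAMES = {"reboot", "shutdown", "halt", "poweroff", "ifdown"}
LOG_PATHS = ("/var/log/", "/etc/syslog.conf", "/etc/rsyslog.conf", "/etc/syslog-ng/")

def parse_sudo_line(line):
    """Return the fields of one sudo syslog line as a dict, or None if it is not one."""
    m = SUDO_RE.match(line.strip())
    return m.groupdict() if m else None

def classify(cmd):
    """Tag a COMMAND= value with the logging-relevant risks it carries (constructed tag names)."""
    argv = shlex.split(cmd)
    if not argv:
        return []
    base = argv[0].rsplit("/", 1)[-1]
    tags = []
    if base in OFFLINE_BASENAMES or (
        base == "service" and argv[1:2] == ["network"] and argv[-1] in ("stop", "restart")
    ):
        tags.append("host-offline")
    if any(arg.startswith(LOG_PATHS) for arg in argv[1:]):
        tags.append("log-tamper")
    return tags

def scan(log_text):
    """Return (user, command, tags) for every sudo entry whose command could blind or alter logging."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_sudo_line(line)
        tags = classify(rec["cmd"]) if rec else []
        if tags:
            findings.append((rec["user"], rec["cmd"], tags))
    return findings
```

Run against a copy of the log that lives on the remote syslog host, not on the box being watched, since the thread's point is that the local copy is exactly what the user can alter.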
