[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: sudo question



On Sat, Jun 11, 2005 at 12:06:10PM -0700, M E Fieu wrote:
> # User privilege specification
> root    ALL=(ALL) ALL
> jim     ALL=(ALL)       ALL
> Defaults logfile=/var/log/sudolog
> So Jim as root access, but I found Jim can modify the
> log file /var/log/sudolog as well using sudo.  How to
> prevent it from change the log file?

If Jim has full sudo access, Jim can do anything -- you'll have to trust
him. You could change syslog to log to a remote system, but even then,
that'd be easy to get around.

(You could also do something complicated with SELinux, but it'd be just that
-- complicated.)

-- 
Matthew Miller           mattdm mattdm org        <http://www.mattdm.org/>
Boston University Linux      ------>                <http://linux.bu.edu/>
Current office temperature: 82 degrees Fahrenheit.


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]