Damien Fleuriot <m...@my.gd> writes:

> On 12/29/11 10:58 AM, Polytropon wrote:
>> On Thu, 29 Dec 2011 04:01:42 -0500, Irk Ed wrote:
>>> For the first time, a customer is asking me for root access to said
>>> customer's servers.
>> <snip>
>>> Assuming that I'll be asked to continue administering said servers, I guess
>>> I should at least enable accounting...
>>
>> You could have better success using sudo. Make sure
>> the customer is allowed to "sudo <command>". The
>> sudo program will log _all_ things the customer
>> does, so you can be sure you can review actions.
>> Furthermore you don't need to give him the _real_
>> root password. He won't be able to "su root" or
>> to login as root, _real_ root. But he can use
>> the "sudo" prefix to issue commands "with root
>> privileges".
>>
>
> "sudo su -" or "sudo sh" and the customer gets a native root shell which
> does *not* log commands !

The sudoers manpage mentions the noexec option which is designed to help
with the first problem. They also show an example using !SHELLS which
can help with the second.

--
Carl Johnson ca...@peak.org
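
A detection sketch for the gap raised in this thread: sudo records the `su -` or `sh` invocation itself, but not what is typed inside the resulting shell. This is an added example, not part of any poster's message. The log lines are constructed samples in sudo's usual syslog layout, and the function name, shell list and host/user names are assumptions.

```python
import os
import re

# Shell basenames to watch for (assumed list; extend to match the host).
SHELLS = {"sh", "csh", "tcsh", "bash", "zsh", "ksh"}

# "sudo: <user> : [reason ; ]TTY=... ; PWD=... ; USER=... ; COMMAND=<cmd>"
ENTRY = re.compile(
    r"sudo(?:\[\d+\])?:\s+(?P<user>\S+) : (?P<head>.*?)COMMAND=(?P<cmd>.*)$"
)

# Constructed sample log (not taken from a real system).
SAMPLE_LOG = """\
Dec 29 11:02:13 web1 sudo: customer : TTY=pts/0 ; PWD=/home/customer ; USER=root ; COMMAND=/usr/sbin/service nginx restart
Dec 29 11:05:40 web1 sudo: customer : TTY=pts/0 ; PWD=/home/customer ; USER=root ; COMMAND=/usr/bin/su -
Dec 29 11:09:02 web1 sudo: customer : TTY=pts/1 ; PWD=/tmp ; USER=root ; COMMAND=/bin/sh
Dec 29 11:12:55 web1 sudo: customer : TTY=pts/1 ; PWD=/tmp ; USER=root ; COMMAND=/bin/sh -c ls /root
Dec 29 11:20:31 web1 sudo: customer : command not allowed ; TTY=pts/1 ; PWD=/tmp ; USER=root ; COMMAND=/bin/csh
"""


def root_shell_events(log_text):
    """Return (user, command, allowed) for sudo entries that start su or a shell.

    After an allowed entry of this kind, the sudo log no longer itemises
    what the user runs, so the session needs another audit source.
    """
    events = []
    for line in log_text.splitlines():
        m = ENTRY.search(line)
        if not m:
            continue
        argv = m["cmd"].split()
        if not argv:
            continue
        name = os.path.basename(argv[0])
        # "sh -c <cmd>" is logged with its full command string, so skip it;
        # a bare shell, or a shell running a script, is flagged.
        if name == "su" or (name in SHELLS and "-c" not in argv[1:]):
            # Denied attempts carry a reason before the TTY= field.
            allowed = m["head"].startswith("TTY=")
            events.append((m["user"], m["cmd"], allowed))
    return events


if __name__ == "__main__":
    for user, cmd, allowed in root_shell_events(SAMPLE_LOG):
        print(f"{user}: {cmd!r} ({'allowed' if allowed else 'denied'})")
```

Entries reported with `allowed` set to False are attempts that the sudoers policy already rejected.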