[Mageia-sysadm] Usernames, uids, and groups

Luca Berra bluca at vodka.it
Wed Nov 10 17:57:36 CET 2010


On Wed, Nov 10, 2010 at 01:27:00PM +0100, Buchan Milne wrote:
>On Wednesday, 10 November 2010 11:55:00 nicolas vigier wrote:
>> On Wed, 10 Nov 2010, Luca Berra wrote:
>
>> > 2) Accountability. No idea in France, but here system administrators
>> > need to be accounted (*).
>> 
>> When someone runs "sudo su -" or something equivalent there is no
>> accountability on what he did after that.
sure, except the fact itself :P

>Don't ever give blanket unaudited sudo. For editing files, provide sudoedit 
>rules. For commands that can not be specified in advance:

note that current sudo has a bug regarding wildcards,

http://www.gratisoft.us/bugs/show_bug.cgi?id=449

>(this one requires a bit of setup, but is superior)
># urpmi eash
>
>or consider sudosh (but, it only logs locally, so I didn't package it).

newer sudo implements the logging functionality, so sudosh is no longer
needed

as for the local log only with sudosh, i had implemented it by making it log
on an nfs share (with root_squash), thus preventing admins on the nfs client
from mucking with the logs.

i will look at EAS though, seems interesting.


-- 
Luca Berra -- bluca at vodka.it
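
An added example, not part of the original thread or of sudo itself: a small Python check over sudoers text for the points raised above (blanket `ALL` rules, rules that hand out a shell such as `su -`, wildcards in command specs, and whether sudo's own session logging is switched on). The sample rules, the `audit` function and its finding names are constructed for illustration, and treating a global `Defaults log_output` as the marker for sudo's built-in logging is an assumption about which option is meant.

```python
import re

# Constructed sample sudoers content (not taken from the thread).
SAMPLE = """\
Defaults log_output
%wheel ALL=(ALL) ALL
alice ALL=(root) sudoedit /etc/httpd/conf/httpd.conf
bob ALL=(root) /bin/su -
carol ALL=(root) /sbin/service * restart
dave ALL=(root) NOPASSWD: /usr/sbin/urpmi
"""

SHELLS = {"su", "sh", "bash", "dash", "zsh", "ksh", "csh", "tcsh"}
USER_SPEC = re.compile(r"^(\S+)\s+[^\s=]+\s*=\s*(.*)$")
SKIP = ("#", "Defaults", "User_Alias", "Runas_Alias", "Host_Alias", "Cmnd_Alias")

def audit(text):
    """Return (logical_line, who, kind) findings; aliases and includes are not expanded."""
    findings, io_logged = [], False
    for no, raw in enumerate(text.replace("\\\n", " ").splitlines(), 1):
        line = raw.strip()
        # A global "Defaults log_output" turns on sudo's session I/O logging.
        if re.match(r"Defaults\s", line) and re.search(r"(?<![!\w])log_output\b", line):
            io_logged = True
        m = USER_SPEC.match(line)
        if not line or line.startswith(SKIP) or not m:
            continue
        who, rest = m.groups()
        rest = re.sub(r"\([^)]*\)", "", rest)      # drop Runas lists such as (root)
        rest = re.sub(r"\b[A-Z_]+:", "", rest)     # drop tags such as NOPASSWD:
        for cmd in (c.strip() for c in rest.split(",")):
            if not cmd:
                continue
            if cmd == "ALL":
                findings.append((no, who, "blanket-all"))   # no per-command record
            elif cmd.split()[0].rsplit("/", 1)[-1] in SHELLS:
                findings.append((no, who, "shell"))         # e.g. "su -"
            elif re.search(r"[*?\[]", cmd):
                findings.append((no, who, "wildcard"))      # review by hand
    if not io_logged:
        findings.append((0, "*", "no-io-log"))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

Findings are review prompts rather than verdicts: a `wildcard` hit only means the rule should be read by hand against the sudo version in use.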

