[Mageia-sysadm] Usernames, uids, and groups

Luca Berra bluca at vodka.it
Wed Nov 10 18:04:29 CET 2010


On Wed, Nov 10, 2010 at 01:32:47PM +0100, Michael Scherer wrote:
>Le mercredi 10 novembre 2010 à 11:55 +0100, nicolas vigier a écrit :
>> On Wed, 10 Nov 2010, Luca Berra wrote:
>>
>> > 2) Accountability. No idea in France, but here system administrators
>> > need to be accounted (*).
>> 
>> When someone runs "sudo su -" or something equivalent there is no
>> accountability on what he did after that.
>
>Even more cunning, emacs or vim can run process ( except that vim has a
>mode where it can prevent it with -Z, do not know for emacs ).

it is better to use sudoedit for editing files, it will copy the
original file to a temporary copy, revert to caller uid, let user edit
the file, and move it into place afterwards.

another option is using noexec (sudo will preload a shlib overriding
exec calls)

L.

-- 
Luca Berra -- bluca at vodka.it
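For reference, a sudoers fragment added here as an illustration of the two
mechanisms mentioned above (it is not from the thread and not Mageia's own
configuration; the group name "sysadm" and the file paths are assumed):

```sudoers
# Hypothetical fragment, not Mageia's sudoers. Group "sysadm" and the paths
# below are assumed for the example.

# Weak setting: unrestricted root shell. After "sudo su -" the sudo log only
# records that "su -" was run, nothing about what happened afterwards.
# %sysadm ALL = (root) ALL

# sudoedit: sudo copies the file to a temporary copy owned by the caller,
# runs the editor with the caller's uid, then installs the edited copy.
# The editor can still spawn a shell, but only as the caller, not as root.
# The log records "sudoedit /etc/hosts" for the invoking user.
%sysadm ALL = (root) sudoedit /etc/hosts, sudoedit /etc/exports

# noexec: for programs that really have to run as root, sudo preloads its
# noexec library so exec() from the pager/editor fails. This only works for
# dynamically linked programs; a statically linked binary ignores the preload.
Cmnd_Alias PAGERS = /usr/bin/less, /usr/bin/more
%sysadm ALL = (root) NOEXEC: /usr/bin/less /var/log/messages

# Same thing as a per-command default rather than a tag on each rule:
# Defaults!PAGERS noexec
```

Check with "sudo -l" as a member of the group: the sudoedit entries should
list as "sudoedit" and the pager entry as "NOEXEC: /usr/bin/less ...".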

