[SunHELP] Locking down root

Mon Aug 13 07:01:43 CDT 2001

This message is in MIME format. Since your mail reader does not understand
this format, some or all of this message may not be legible.

------_=_NextPart_001_01C123EF.B82F5470
Content-Type: text/plain

If not mistaken, I think SUDO also can do some logging which would 
give your manager the info on who is doing what.

Dennis L. Lund

-----Original Message-----
From: David Ledger [mailto:dledger at ivdcs.demon.co.uk]
Sent: Friday, August 10, 2001 11:49 PM
To: sunhelp at sunhelp.org
Subject: Re: [SunHELP] Locking down root

A couple of people mentioned sudo without pointing out how it solves 
the problem.

To give root (or any other) access, sudo asks for the user's password 
to prove who the user is.  That way, once you are configured into 
sudo you can get the boss to set root's passwd and keep it in their 
safe.   That way they _know_ nobody logs in as root and it's them who 
has to come out at 3am to give you the root passwd when you need it.

David

-- 
David Ledger - Freelance Unix Sysadmin in the UK.
Chair of SysAdmin SIG of HP/Works technical user group
dledger at ivdcs.co.uk (also dledger at ivdcs.demon.co.uk)
www.ivdcs.co.uk
_______________________________________________
SunHELP maillist  -  SunHELP at sunhelp.org
http://www.sunhelp.org/mailman/listinfo/sunhelp

<html>
<body>
<font size="3" face="Times New Roman"><span style="mso-fareast-font-family: Times New Roman; mso-ansi-language: EN-US; mso-fareast-language: EN-US; mso-bidi-language: AR-SA">
- - - - - - - Appended by Scientific-Atlanta, Inc. - - - - - - -
<span style="font-size:10.0pt;font-family:Times New Roman;
mso-fareast-font-family:"Times New Roman";mso-ansi-language:EN-US;mso-fareast-language:
EN-US;mso-bidi-language:AR-SA"></span><font face="Times New Roman" size="3"><span style="mso-fareast-font-family:Times New Roman; mso-ansi-language: EN-US; mso-fareast-language: EN-US; mso-bidi-language: AR-SA">This e-mail and any attachments may contain information which is confidential, proprietary, privileged or otherwise protected by law. The information is solely intended for the named addressee (or a person responsible for delivering it to the addressee). If you are not the intended recipient of this message, you are not authorized to read, print, retain, copy or disseminate this message or any part of it. If you have received this e-mail in error, please notify the sender immediately by return e-mail and delete it from your computer.</span></font></p>
</body>
</html>

------_=_NextPart_001_01C123EF.B82F5470
Content-Type: text/html
Content-Transfer-Encoding: quoted-printable

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
<HTML>
<HEAD>
<META HTTP-EQUIV=3D"Content-Type" CONTENT=3D"text/html; charset=3DUS-ASCII">
<META NAME=3D"Generator" CONTENT=3D"MS Exchange Server version 5.5.2654.45">
<TITLE>RE: [SunHELP] Locking down root</TITLE>
</HEAD>
<BODY>

<P><FONT SIZE=3D2>If not mistaken, I think SUDO also can do some logging wh=
ich would </FONT>
<BR><FONT SIZE=3D2>give your manager the info on who is doing what.</FONT>
</P>

<P><FONT SIZE=3D2>Dennis L. Lund</FONT>
</P>

<P><FONT SIZE=3D2>-----Original Message-----</FONT>
<BR><FONT SIZE=3D2>From: David Ledger [<A HREF=3D"mailto:dledger at ivdcs.demo=
n.co.uk">mailto:dledger at ivdcs.demon.co.uk</A>]</FONT>
<BR><FONT SIZE=3D2>Sent: Friday, August 10, 2001 11:49 PM</FONT>
<BR><FONT SIZE=3D2>To: sunhelp at sunhelp.org</FONT>
<BR><FONT SIZE=3D2>Subject: Re: [SunHELP] Locking down root</FONT>
</P>
<BR>

<P><FONT SIZE=3D2>A couple of people mentioned sudo without pointing out ho=
w it solves </FONT>
<BR><FONT SIZE=3D2>the problem.</FONT>
</P>

<P><FONT SIZE=3D2>To give root (or any other) access, sudo asks for the use=
r's password </FONT>
<BR><FONT SIZE=3D2>to prove who the user is.  That way, once you are c=
onfigured into </FONT>
<BR><FONT SIZE=3D2>sudo you can get the boss to set root's passwd and keep =
it in their </FONT>
<BR><FONT SIZE=3D2>safe.   That way they _know_ nobody logs in as=
 root and it's them who </FONT>
<BR><FONT SIZE=3D2>has to come out at 3am to give you the root passwd when =
you need it.</FONT>
</P>

<P><FONT SIZE=3D2>David</FONT>
</P>

<P><FONT SIZE=3D2>-- </FONT>
<BR><FONT SIZE=3D2>David Ledger - Freelance Unix Sysadmin in the UK.</FONT>
<BR><FONT SIZE=3D2>Chair of SysAdmin SIG of HP/Works technical user group</=
FONT>
<BR><FONT SIZE=3D2>dledger at ivdcs.co.uk (also dledger at ivdcs.demon.co.uk)</FO=
NT>
<BR><FONT SIZE=3D2>www.ivdcs.co.uk</FONT>
<BR><FONT SIZE=3D2>_______________________________________________</FONT>
<BR><FONT SIZE=3D2>SunHELP maillist  -  SunHELP at sunhelp.org</FONT>
<BR><FONT SIZE=3D2><A HREF=3D"http://www.sunhelp.org/mailman/listinfo/sunhe=
lp" TARGET=3D"_blank">http://www.sunhelp.org/mailman/listinfo/sunhelp</A></=
FONT>
</P>

<CODE><FONT SIZE=3D3><BR>
<BR>
<html><BR>
<body><BR>
<font size=3D"3" face=3D"Times New Roman"><span style=3D"mso-fareast-font-f=
amily: Times New Roman; mso-ansi-language: EN-US; mso-fareast-language: EN-=
US; mso-bidi-language: AR-SA"><BR>
- - - - - - - Appended by Scientific-Atlanta, Inc. - - - - - - -<BR>
<span style=3D"font-size:10.0pt;font-family:Times New Roman;<BR>
mso-fareast-font-family:"Times New Roman";mso-ansi-language:EN-US=
;mso-fareast-language:<BR>
EN-US;mso-bidi-language:AR-SA"></span><font face=3D"Times New Roman" size=
=3D"3"><span style=3D"mso-fareast-font-family:Times New Roman; mso-ansi-lan=
guage: EN-US; mso-fareast-language: EN-US; mso-bidi-language: AR-SA">This e=
-mail and any attachments may contain information which is confidential, pr=
oprietary, privileged or otherwise protected by law. The information is sol=
ely intended for the named addressee (or a person responsible for deliverin=
g it to the addressee). If you are not the intended recipient of this messa=
ge, you are not authorized to read, print, retain, copy or disseminate this=
 message or any part of it. If you have received this e-mail in error, plea=
se notify the sender immediately by return e-mail and delete it from your c=
omputer.</span></font></p><BR>
</body><BR>
</html><BR>
</FONT></CODE></BODY>
</HTML>
------_=_NextPart_001_01C123EF.B82F5470--