[ubuntu-uk] Creating 'root' account. (sudo, audit trails)
Paul Sladen
ubuntu at paul.sladen.org
Mon Aug 6 18:17:10 BST 2007
On Sun, 5 Aug 2007, Matthew Wild wrote:
> On 8/5/07, Chris Rowson <christopherrowson at gmail.com> wrote:
> > On Sun, 5 Aug 2007, Paul Sladen wrote:
> > > sudo grep '[s]udo' /var/log/auth.log
> > Well, if you're computer still works eh ;-)
> How do you get around sudo -i or sudo bash?
The best solution is to not use "sudo su/sudo -i/sudo -s/sudo bash"...
Using 'sudo' proactively is social issue---eg. "please, please use sudo for
everyone's continued sanity". Social issues are _not_ best solved by
technical means; if somebody really wants to exercise their power, they can
use "(recovery mode)", insert a LiveCD, or remove the hard-drive entirely.
You can do the following in '/etc/sudoers':
%admin ALL=(ALL) ALL, !/bin/su, !/bin/bash
and I do have the above config on machines, but the line is only there as a
reminder to everyone that 'sudo' should be used one-command-at-a-time.
Life is not about getting *around* sudo, life is about using sudo to your
advantage; even when I do end up at a root prompt, I still do a 'sudo'
before each priviliged command I run and also leave little debugging
comments like "sudo echo 'about to try to delete xyz from the passwd db'".
-Paul
--
Why do one side of a triangle when you can do all three. Helsinki, FI
More information about the ubuntu-uk
mailing list