Re: Enabling telnet, ftp, pop3 for root...



Michael Trausch wrote:

matt_left_coast wrote:

There are ways around the logging. If you give enough sudo rights to be
able to admin the system, the person could write scripts that run as root
and what commands are run in the script would not be logged. Then there
is `sudo bash` and you're no better off than `su`. I don't think you'll
find many admins that would be happy if you did not give them access to
shells and editors as root.


The other admins on my system don't get access to a shell. Just the
tools they need. If they need something done that they cannot do, then
they let me know, and I either grant them the ability to do it, or I
handle it myself.

It is a very nice, functional strategy. And, when implemented
correctly, is secure, while retaining log integrity.

You just have to be careful about how you structure the system.

- Mike

I notice that you did not address BOTH the issues I raised. It would be
impossible to admin a system without giving access to an editor as root. In
that case, logging is disabled. Might just as well give them access to a
shell.

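An added example, not part of either poster's message: a small Python audit that flags sudoers rules of the kind argued about above (ALL, root shells, editors and pagers with shell escapes), where by default sudo logs the launched command but not what is done inside it. The binary name lists, the sample rules and the simplified one-rule-per-line grammar are assumptions made for this example.

```python
import re

# Assumed name lists: binaries that hand the caller a root shell, directly or via a shell escape.
SHELLS = {"sh", "bash", "dash", "zsh", "ksh", "csh", "tcsh", "su"}
ESCAPES = {"vi", "vim", "nano", "emacs", "ed", "less", "more"}
SPEC = re.compile(r"^(\S+)\s+\S+\s*=\s*(?:\([^)]*\)\s*)?(.+)$")
TAGS = re.compile(r"^(?:[A-Z_]+:\s*)+")

def audit(sudoers_text):
    """Return (line, user, command, reason) for rules that defeat per-command logging."""
    findings = []
    for lineno, raw in enumerate(sudoers_text.splitlines(), 1):
        line = raw.strip()
        # Simplification: skip comments, Defaults and alias definitions.
        if not line or line.startswith("#") or re.match(r"(Defaults|\w+_Alias)\b", line):
            continue
        m = SPEC.match(line)
        if not m:
            continue
        who, cmds = m.groups()
        noexec = False
        for cmd in (c.strip() for c in cmds.split(",")):
            tags = TAGS.match(cmd)
            if tags:  # tags carry over to later commands in the same list
                names = tags.group(0).replace(" ", "").split(":")
                noexec = "NOEXEC" in names or (noexec and "EXEC" not in names)
                cmd = cmd[tags.end():]
            base = (cmd.split() or [""])[0].rsplit("/", 1)[-1]
            if cmd == "ALL":
                reason = "all commands"
            elif base in SHELLS:
                reason = "root shell"
            elif base in ESCAPES:
                # NOEXEC blocks the shell escape, not writes to arbitrary files.
                reason = "editor, exec blocked" if noexec else "editor with shell escape"
            else:
                continue  # sudoedit and single-purpose tools are not flagged
            findings.append((lineno, who, cmd, reason))
    return findings

# Constructed sample rules, not taken from the thread.
SAMPLE = """\
Defaults env_reset
alice ALL=(ALL) ALL
bob   ALL=(root) /usr/sbin/service apache2 restart, /bin/bash
carol ALL=(root) NOPASSWD: /usr/bin/vim /etc/hosts
dave  ALL=(root) NOEXEC: /usr/bin/vi /etc/motd
erin  ALL=(root) sudoedit /etc/hosts, /usr/bin/systemctl restart nginx"""
```

Calling `audit(SAMPLE)` reports the rules for alice, bob, carol and dave and leaves erin's `sudoedit` rule alone, since `sudoedit` runs the editor as the invoking user on a temporary copy of the file.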