Re: Enabling telnet, ftp, pop3 for root...



Michael Trausch wrote:

> matt_left_coast wrote:
>
>> There are ways around the logging. If you give enough sudo rights to be
>> able to admin the system, the person could write scripts that run as root
>> and what commands are run in the script would not be logged. Then there
>> is `sudo bash` and you're no better off than `su`. I don't think you'll
>> find many admins that would be happy if you did not give them access to
>> shells and editors as root.
>
> The other admins on my system don't get access to a shell. Just the
> tools they need. If they need something done that they cannot do, then
> they let me know, and I either grant them the ability to do it, or I
> handle it myself.
>
> It is a very nice, functional strategy. And, when implemented
> correctly, is secure, while retaining log integrity.
>
> You just have to be careful about how you structure the system.
>
> - Mike

I notice that you did not address BOTH the issues I raised. It would be
impossible to admin a system without giving access to an editor as root. In
that case, logging is disabled. Might just as well give them access to a
shell.

--
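
Added example, not part of the original thread: a small audit of sudoers-style rules that flags the grants argued about above, where sudo logs only the first command and not what happens inside it (root shells, interpreters, editors and pagers with shell escapes, and ALL). The users and rules are constructed, and the parser is a simplification that assumes one rule per line with no aliases, line continuations or escaped commas.

```python
import re

# Constructed sample sudoers rules (hypothetical users and paths).
SAMPLE = """\
alice ALL=(root) /usr/bin/systemctl restart nginx, /usr/bin/vim /etc/hosts
bob   ALL=(root) /bin/bash
carol ALL=(root) sudoedit /etc/hosts, NOEXEC: /usr/bin/less /var/log/syslog
dave  ALL=(ALL) ALL
"""

SHELLS = {"sh", "bash", "zsh", "ksh", "csh", "su"}         # shells, plus su
ESCAPABLE = {"vi", "vim", "nano", "emacs", "less", "more", "man"}  # can spawn a shell
INTERPRETERS = {"python", "python3", "perl", "ruby", "awk"}

def classify(cmd, noexec):
    """Return a finding for one sudoers command, or None if it looks constrained."""
    if cmd == "ALL":
        return "unrestricted"
    name = cmd.split()[0].rsplit("/", 1)[-1]
    if name in SHELLS:
        return "root-shell"       # sudo logs the shell start, not what is typed in it
    if name in INTERPRETERS:
        return "interpreter"      # runs arbitrary code as root
    if name in ESCAPABLE and not noexec:
        return "shell-escape"     # prefer sudoedit, or the NOEXEC tag
    return None

def audit(text):
    """Return (user, finding, command) for every risky grant in the rules."""
    findings = []
    for line in text.splitlines():
        m = re.match(r"(\S+)\s+\S+=\s*(?:\([^)]*\))?\s*(.+)", line)
        if not m:
            continue
        user, spec = m.groups()
        noexec = False
        for cmd in (c.strip() for c in spec.split(",")):
            # Tags such as NOEXEC: prefix a command and carry over to later ones.
            while (t := re.match(r"([A-Z_]+):\s*", cmd)):
                noexec = {"NOEXEC": True, "EXEC": False}.get(t.group(1), noexec)
                cmd = cmd[t.end():]
            kind = classify(cmd, noexec)
            if kind:
                findings.append((user, kind, cmd))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(*finding, sep="\t")
```

NOEXEC stops a dynamically linked program from running further commands, but an editor run as root can still write any file it opens, which is why sudoedit is the entry that passes cleanly here.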

