Re: any way to track commands of a user logged in through ssh


Jeremiah DeWitt Weiner wrote:
iforone <floydstestemail@xxxxxxxxx> wrote:
(Please trim your followups; it's not necessary to include the whole
text of what you were replying to)

whooops... -- stupid gaga google interface didn't let me see the sig
that I had forgotten to remove. I usually do "ok" with trimming ;-)
....(not to mention I was in a huge hurry this morning).

I just ran (for ex;) as a regular User;
~$ sudo hdparm -i /dev/hdc
Right After that, within the same Shell (Bash) - I ran
~$ su -
I was immediately prompted for (root) password

That's normal.

Yeah, I know

Yes, this is how sudo works. If you run 'sudo mycommand', it
applies _to that command only_.

Understood - thanks for clarifying

Now, I realize the drawback of this is that ANYONE can just type/prefix
the command they want to run with 'sudo', and they can run *that*
command only

Why is that a drawback? That's how sudo works... I mean, it
doesn't have to be "anyone"; it's "whatever users you put in
/etc/sudoers".

What I had forgotten is that; "whomever" tries to run sudo, 'First'
atleast needs to be a logged in as a user (meaning a verifiable passwd
too). Disregarding (for my situation as it is now) remote logins using
FTP, TElnet, etc, clear text over the network, etc. So I see why it's
good the way I have it. Yet, these are 'real-world' issues for many,
especially the OP, as it pertains to his/her situation.

username ALL= NOPASSWD: ALL

I don't usually like NOPASSWD,

Well, I understand, but in my situation (only person with physical
access), I'll be darned if I'm going to type a 'passwd' in *everytime*
I use/run a Shell command that requires 'root' privileges...Especially
since I'm just realizing *which* apps (system admin, etc) actually
require it (for alteration), though most apps allow for READ only for
the average user.

but if you're the only one who has
access to the system, it's not as bad.

Precisely as I had thought - thanks again for clarifying, reinforcing

Just keep in mind that it means
that anyone who gets access to your account effectively has root
privileges even if they don't know your password.

Understood......and thanks

So what do you think about creating a separate 'group' for certain
users, as it pertains to the OP's original question? I'm still trying
to grasp the full power available in separating/grouping using
Groups/Users and Permissions (even ACLs, 'mount' options, and
encryption using loop devices, etc). It's slowly sinkin' in ;-)

Regards

.

Relevant Pages

  • Re: Apple recommending anti-virus software for Macs?
    ... > To be ultra-safe with the 'rm' command, ... Not a bad idea for root, It would drive me nuts in my user account. ... downloads directory and executing it. ... That I type an EOF is a trivial difference versus 'sudo' exiting ...
    (comp.sys.mac.system)
  • Re: [kde] su identification
    ... assumes that you wish to invoke the root account and will demand Root ... A user may ONLY sudo as allowed in the /etc/sudoers ... allowing a command with any parameters ... This config allows my normal user to do whatever he'd normally be able to ...
    (KDE)
  • Re: Clams.....
    ... either by su> password> Kate, ... running in root. ... have you set up sudo? ... the command sudo gedit /etc/filename would ask for the user ...
    (Fedora)
  • Re: [opensuse] Re: Should openSUSE review its Security Policies?
    ... We are defining 'command' differently. ... When discussing root permissions, I define commands at the OS level. ... sudo lets me run a complete binary application as a different user. ...
    (SuSE)
  • Re: cups
    ... root or user passwords or any word or ... eventually find info on The lppasswdcommand. ... you need a separate pw for CUPS. ...
    (alt.os.linux.suse)