From 1be510f9529cb082f802408b472a77d074b394c0 Mon Sep 17 00:00:00 2001
From: Nicolas Vigier
Date: Sun, 14 Apr 2013 13:46:12 +0000
Subject: Add zarb MLs html archives

---
 zarb-ml/mageia-sysadm/2010-November/000490.html | 89 +++++++++++++++++++++++++
 1 file changed, 89 insertions(+)
 create mode 100644 zarb-ml/mageia-sysadm/2010-November/000490.html

(limited to 'zarb-ml/mageia-sysadm/2010-November/000490.html')

diff --git a/zarb-ml/mageia-sysadm/2010-November/000490.html b/zarb-ml/mageia-sysadm/2010-November/000490.html
new file mode 100644
index 000000000..eb47b3e7f
--- /dev/null
+++ b/zarb-ml/mageia-sysadm/2010-November/000490.html
@@ -0,0 +1,89 @@
+ + + + [Mageia-sysadm] Usernames, uids, and groups + + + + + + + + + +

[Mageia-sysadm] Usernames, uids, and groups

+ nicolas vigier + boklm at mars-attacks.org +
+ Wed Nov 10 18:25:38 CET 2010 +

+
+ +
On Wed, 10 Nov 2010, Luca Berra wrote:
+
+> On Wed, Nov 10, 2010 at 01:32:47PM +0100, Michael Scherer wrote:
+>> Le mercredi 10 novembre 2010 à 11:55 +0100, nicolas vigier a écrit :
+>>> On Wed, 10 Nov 2010, Luca Berra wrote:
+>>>
+>>> > 2) Accountability. No idea in France, but here system administratros
+>>> > need to be accounted (*).
+>>>
+>>> When someone runs "sudo su -" or something equivalent there is no
+>>> accountability on what he did after that.
+>>
+>> Even more cunning, emacs or vim can run process ( except that vim has a
+>> mode where it can prevent it with -Z, do not know for emacs ).
+>
+> it is better to use sudoedit for editing files, it will copy the
+> original file to a temporary copy, revert to caller uid, let user edit
+> the file, and move it into place afterwards.
+
+Unless the list of files you are allowed to edit is very limited, it is
+very easy to open a root shell by editing a config file.
+
+> another options is using noexec (sudo will preload a shlib overriding
+> exec calls)
+
+But you have an editor running as root, and you can then edit any file.
+
+
+ + + + + + + + + +
+

+ +
+More information about the Mageia-sysadm +mailing list
+ -- cgit v1.2.1
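Review bot: The header block near the top of the added 000490.html stores the poster's address as "boklm at mars-attacks.org", and the " at " substitution is trivially reversible, so this commit fixes the address permanently in repository history. If that is not intended, mask or drop the address line in the import step before committing. The commit message is also subject-only; a body naming the list export these pages were generated from would let the 89 added lines be checked against their source.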