topic Re: sudo - for SysAdmins in Operating System - HP-UX

sudo - for SysAdmins

Louis Masucci — Fri, 23 Jun 2000 16:05:36 GMT

I have set up sudo for our users, I want to set it up for our SysAdmins. I have it set up so SysAdmins can run every command but they must type sudo in front of the command. Is there away to allow SysAdmins to run the commands without typing in Sudo in front of every command and still log what command they have run?

thanks ... Lou

Re: sudo - for SysAdmins

Rick Garland — Fri, 23 Jun 2000 17:47:05 GMT

If they have the option to "sudo su -" and become the root user, then they would not have to type the sudo first for subsequent commands - but you will not have those entries put into the sudo.log (these commands are run as root and are not being run as the sudo user). The initial "sudo su -" will go into the sudo.log

If you have setup the configure options to log to sudo.log or syslog.log or both, they will log the sudo commands. Commands not running with sudo are not logged.

You could setup an alias to shorten the sudo, write scripts that input the sudo command first, etc... There are many options available at this point.

I think you may be looking at two different logging capabilities here.

Re: sudo - for SysAdmins

Rick Garland — Fri, 23 Jun 2000 20:38:18 GMT

Had to look through my notes but there is www.courtesan.com site that will help you look for answers. I also have the configure options that were used when I did the build for sudo on HPUX

Give me a holler and I'll provide what info I can.

Re: sudo - for SysAdmins

Alan Riggs — Fri, 23 Jun 2000 20:56:38 GMT

Are you restricting your admins from specific root functions? If not, you could simply disable direct root accss and require them to log into their own accounts before "su"ing to root. Then simply place a script command in the root profile with a script command that hits a different file based on the output of logname.

Re: sudo - for SysAdmins

Evert Jan van Ramselaar — Sat, 24 Jun 2000 13:14:51 GMT

Another option might be giving all sysadmins a user id 0. Used commands are still saved in the users history instead of root's?

Evert Jan

Re: sudo - for SysAdmins

Bill Hassell — Mon, 26 Jun 2000 00:20:44 GMT

I would be very cautious about ever giving other user UID 0. It is far too easy for an ordinary user to make a mistake that would have been protected with a non-root ID. UID 0 is far too powerful to be used casually (as many sysaadmins will attest).

The rule should be: ask if UID 0 is *really* needed. If it is, login as root (never use su, use /usr/bin/su - root) take care of the task and then immediately leave.

Consider also what happens when a non-root user name has UID 0: They leave the company, the super user removes their account and all files owned by that user -- total destruction of HP-UX will result. Oops...