Summary: "Restricted Root"

From: Graham Wood <>
Date: Wed Jul 10 2002 - 05:52:33 EDT
Sorry the summary is late, but I ended up handling other things and managed to 
put this off for a  few days (didn't think I would be able to)

The replies follow, but this is a summary:
1) Bad idea, don't do it.
2) Sudo
3) Bad idea, don't do it.
4) BSM/C2
5) Bad idea, don't do it.
6) Compile up a new shell
7) Bad idea, don't do it.
8) Use the history of the shell.
9) Bad idea, don't do it.

In my case, since I have no right to force anything upon the people in 
question, most of the following answers can't be used (much as I'd love them 
to be).
In fact, someone else is handling this now - it is being made clear that we 
cannot provide ANY form of uptime statements/etc, as well as every other form 
of support being on a 'best endeavour' on this machine - but since it has gone 
quite a long way up the management scale (we pushed back as hard as we could) 
its going through regardless of our objections.

In order of personal preference I think I'd go for the options:
1) sudo
2) recompiled shell, with an understanding that if they run another shell, I 
kill them, and they lose access, and the machine is down for 24 hours while I 
restore from a backup.
3) BSM/C2 logging.

My main objection to the BSM/C2 is that I don't like the idea of (from the 
skim reading I did before someone else took over) every system call passing 
through the logging procedure. *shrug*

Thanks to all,



If they have unrestricted root, i.e., a shell with id 0, they can undo
and hide anything you would setup. If they only need to perform some
actions, you could investigate sudo.
You could try "BSM/C2" auditing; make sure that users must "su" to root
and cannot login directly as root.
If you use a shell with command history you can track their use.
Foe example create another account with uid and gid 0, and give it ksh and
its own home directory.
I'd be inclined to force this.
Or, have a policy of "if you have r00t, then you are 100% responsible
for that machine." and if they insist, you give them r00t for that machine
and hands-off.
I found that the first time they screw up, they will change their demands
and beg you to take it off them. I've done this three times to three different
groups, worked every time. Well, the third group heard about what happened to
the second group and suddenly changed their mind.
This also lets you set up a special shell without risking loss of the root 
thru a typo.  Give prr its own home directory and in there put a .profile
    /usr/bin/script -a /wherever/logstuff
and you'll have a session log.
Check out PowerBroker by Symark software. We use it for a similar purpose to
what you require. It unfortunately costs cash put it is very good.
If you're giving root access out, forget logging. You've got no control over
the system, and the logs can't be guaranteed to be accurate.
Users don't need root privileges. If they run into problems as users, it's
usually because the system isn't configured appropriately.
This is ridiculous. If you have no control over root access, your whole
network is compromised. If you can't sell this fundamental idea to your
management, find another job. They obviously don't know what they're doing.
Sorry I can't provide a panacea. I've been through this same argument a few
times. I feel your pain!
What you want is a SHELL that logs all the commands somewhere ... right ?
Well ... I thing getting bash source code and slightly modifying it will do
the job
This may not be it either, but have you considered giving each user
an "r" login.  These are generally named with an r prepended to their
user name (rdebbie, rrauxon, etc) but with UID of 0.  Since many things
log by username (and not just UID), this gives more logging of activities
than just giving everyone root access.
Alternately, users can use sudo to exec a shell as root, which gives
them full root access but logs the time that they did is, so that it's
somewhat possible to correlate who did what (especially if you have
both tty # and when the user invoked the root shell).  It's harder to
figure out when two or more users invoke a root shell at the same time.
What kind of servers are these?  Production app servers or development 
In either case, if they won't listen to reason (and there are alot of reasons 
why this shouldn't be done) then just give it to 'em.  Forget logging or
restricting or anything else.  And make sure that everyone understands the 
time to
restore these particular machines.
You could use flash to create a quick image of these machines every night so a
restore could be done very quickly, but that's another topic...
And if you want to cover your butt's, you guys use sudo yourselves so all your
commands are logged...these logs can be sent to an nfs server where the 
(I mean users..) don't have root access.
for auditing use the audit system:
see this doc:
If you give somebody root access, he can change everything in the system
(also your RBAC configuration). You will not have any control, because he
could just detect, manipulate or remove all your logging procedures if they
are running on the same system. He could also detect any network traffic, if
some processes send data to another system. And he could install root kits
and other OS manipulation tools.
The way to watch a root user is to do it from an external system. So the
root user of this logged system has no access to your logging processes and
could possible not detect them.
I don't know, how your external root users connect to your system, but if
they use an unencrypted telnet or rlogin connection, you can simply snoop
the network from any system in the networks between both hosts to see every
keystroke they do.
If they use an encrypted connection (e.g. ssh) then it is more complicated,
because ssh is using an end-to-end encryption. Try to install a connection
proxy also called "man-in-the middle" system (see port forwarding in ssh)
if you have an intelligent router, you could also configure it, that it
sends only the ssh connections (port 22) to the proxy and all other
connections directly to the target.
see also
I have used with success the BSM of Solaris (called also c2audit):
Please keep in mind that BSM logs can become very large and detailed, and
if I remind correctly the default option is to lock the system if the space
of the partition for the logs become full (concept: security is most
important than availability).
I think the only big true problem for you about c2audit is the unability to
send the logs to a remote server in realtime (you can do it only with
NFS/CacheFS, but a malicious root can delete or modify them).
Why don't you use the BSM audit system that comes with Solaris?
Certainly they could tamper with the audit logs if they are root.
I don't understand why they have to be "root" when there are numerous
ways to give them whatever "access" they need.
I've seen this question posted to lists before. I'm baffled by it.
People must have some seriously clueless managers. Good luck!
Have you available pacct file.
Execute /etc/rc2.d/acct start
With lastcomm command you can see all command the people are running in your 
you could use syslog to log to another host and don't
give them access to the other host, or turn on full
auditing in the bm_conv module.
Download bash source code. Find spot right before command is
executed. Insert 3 lines of code. What are these 3 lines?
A call to syslog! (openlog, syslog, closelog). 4 lines if
you count #include <syslog.h>. Compile. Drop into place.
Set your syslog.conf's to forward/record the specified priority.
Create a uid 0 user, give him the 'special' shell.
Only caveats are that it doesn't work if the user executes
another shell.
Maybe that will be sufficient to fulfill the unreasonable
demands? sudo is the better option, and you should really
push *hard* for it.

Whomever goes to fight monsters should take care not to become a monster
himself. And when you stare too long into the abyss, the abyss stares back
into you. 
                                                      -Frederick Nietzsche
sunmanagers mailing list
Received on Wed Jul 10 05:56:03 2002

This archive was generated by hypermail 2.1.8 : Thu Mar 03 2016 - 06:42:48 EST