From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from pigeon.gentoo.org ([208.92.234.80] helo=lists.gentoo.org) by finch.gentoo.org with esmtp (Exim 4.60) (envelope-from ) id 1N9dsk-0000ru-2O for garchives@archives.gentoo.org; Sun, 15 Nov 2009 12:07:03 +0000 Received: from pigeon.gentoo.org (localhost [127.0.0.1]) by pigeon.gentoo.org (Postfix) with SMTP id B026DE0B26 for ; Sun, 15 Nov 2009 12:07:01 +0000 (UTC) Received: from ey-out-1920.google.com (ey-out-1920.google.com [74.125.78.144]) by pigeon.gentoo.org (Postfix) with ESMTP id 21720E0AEF for ; Sun, 15 Nov 2009 10:53:51 +0000 (UTC) Received: by ey-out-1920.google.com with SMTP id 4so930753eyg.2 for ; Sun, 15 Nov 2009 02:53:50 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:received:received:from:to:subject:date :user-agent:references:in-reply-to:mime-version:content-type :content-transfer-encoding:message-id; bh=BC1uAau8a0sKQVkysXxLIBD6a3MwAomA/y1N3O9nxtE=; b=jXska7NVK0rRio9KAxmpbVyABJfdf8kphJdtUisQn3o6XaMq+pYdLY0664/kgBlMFE Eg10C4gDHViBSkMIdijZo9nYdjt5Bme3lgjgN/uuIKtmWERrizfpfJEiumwjmcyWzgaw NLOHexcg4LR6/SMCt2t9Q9BxbVEbtqVBCW8g8= DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=from:to:subject:date:user-agent:references:in-reply-to:mime-version :content-type:content-transfer-encoding:message-id; b=nZ8DqLiNjbS5mVU1gQYlimQM52X7gKT8FNiSASVOVWk8tGD1amnIrmvOVixfJ+pNwh 5CCWOZvfC3fexhx7lCmZk8eLFvoPIUVMtrNYJ1i8pXuslKCy8ez+f+gcsB4W0CUHYQti Pk7qOKUQxHeieYt6njrXsCLIv8AcIj9MOOHBM= Received: by 10.216.86.65 with SMTP id v43mr2025260wee.118.1258282430529; Sun, 15 Nov 2009 02:53:50 -0800 (PST) Received: from nazgul.localnet (196-210-153-114-rrdg-esr-2.dynamic.isadsl.co.za [196.210.153.114]) by mx.google.com with ESMTPS id 28sm2545214eye.11.2009.11.15.02.53.48 (version=TLSv1/SSLv3 cipher=RC4-MD5); Sun, 15 Nov 2009 02:53:49 -0800 (PST) From: Alan McKinnon To: gentoo-user@lists.gentoo.org Subject: Re: [gentoo-user] Block root user from login on xorg GUI Date: Sun, 15 Nov 2009 12:52:41 +0200 User-Agent: KMail/1.12.90 (Linux/2.6.31-zen7; KDE/4.3.74; x86_64; ; ) References: <200911122001.57860.michaelkintzios@gmail.com> <28BB57B2-61EB-4A5C-97CF-6F6C0D582FE3@stellar.eclipse.co.uk> <20091115085251.4058984d@digimed.co.uk> In-Reply-To: <20091115085251.4058984d@digimed.co.uk> Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-Id: Gentoo Linux mail X-BeenThere: gentoo-user@lists.gentoo.org Reply-to: gentoo-user@lists.gentoo.org MIME-Version: 1.0 Content-Type: Text/Plain; charset="iso-8859-15" Content-Transfer-Encoding: 7bit Message-Id: <200911151252.41474.alan.mckinnon@gmail.com> X-Archives-Salt: f1520f34-45c1-41a5-ad04-58e613aa52e2 X-Archives-Hash: 4dc2038a1d2e47a1d32c2ae720daaf13 On Sunday 15 November 2009 10:52:51 Neil Bothwick wrote: > On Sun, 15 Nov 2009 05:15:43 +0000, Stroller wrote: > > > So when he fucks things up good royal and proper, will he gladly > > > accept his > > > shafting and pay you more to undo it? Or will he do the usual > > > customer stunt > > > and blame you? > > > > My typical experience is that the customer will take it completely on > > the chin and pay me to fix the problems. That doesn't make foul-ups > > due to such unnecessary meddling any less frustrating, though. > > Why not use sudo to give the customer's account almost full root access? > Not only does this allow you to restrict which damaging commands he can > run but sudo logs each command it runs, so you have CYA insurance. Double CYA insurance: Send all logs to a remote syslog server. The user with sudo permissions can still disable logging, but you have untouchable evidence that he did :-) -- alan dot mckinnon at gmail dot com