From: Neil Bothwick
To: gentoo-user@lists.gentoo.org
Date: Sun, 15 Nov 2009 13:37:41 +0000
Subject: Re: [gentoo-user] Block root user from login on xorg GUI

On Sun, 15 Nov 2009 12:52:41 +0200, Alan McKinnon wrote:

> > Why not use sudo to give the customer's account almost full root
> > access? Not only does this allow you to restrict which damaging
> > commands he can run but sudo logs each command it runs, so you have
> > CYA insurance.
>
> Double CYA insurance:
>
> Send all logs to a remote syslog server. The user with sudo permissions
> can still disable logging, but you have untouchable evidence that he
> did :-)

That's one approach. The other is to give sudo access only for what he
needs, which doesn't include disabling logging or many other things.

-- 
Neil Bothwick

Top Oxymorons Number 39: Almost exactly
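
The two approaches discussed in this message, side by side as a sudoers fragment. This is an added example, not part of the original thread: the account name `customer`, the Apache init-script commands, the deny-list entry, the log host `loghost.example.org` and the use of rsyslog for forwarding are all assumptions chosen for illustration.

```sudoers
# /etc/sudoers.d/customer  (assumed file name; always edit with
#   visudo -f /etc/sudoers.d/customer  so syntax errors are caught)

# --- Approach 1: "almost full root" with a deny-list (shown commented out) ---
# Everything is allowed except the listed commands. The sudoers manual
# itself warns that "!" exclusions are easy to circumvent, so this relies
# on the remote log copy as evidence rather than on prevention.
# customer ALL=(root) ALL, !/etc/init.d/syslog-ng stop

# --- Approach 2: allow-list only what the account needs ---
# Arguments are part of the match: "restart" is permitted, any other
# argument to the same script is refused. Nothing here touches the
# syslog daemon or its configuration.
Cmnd_Alias CUSTOMER_WEB = /etc/init.d/apache2 restart, \
                          /etc/init.d/apache2 reload, \
                          /etc/init.d/apache2 status
customer ALL=(root) CUSTOMER_WEB

# --- Logging, applies to both approaches ---
# Send sudo's own record of each command to syslog under one facility,
# so a single forwarding rule ships it off-host.
Defaults syslog=authpriv
Defaults syslog_goodpri=notice, syslog_badpri=alert

# Forwarding is done by the syslog daemon, not by sudo. With rsyslog
# (assumed), the matching rule in /etc/rsyslog.conf would be:
#   authpriv.*  @@loghost.example.org:514     # "@@" = TCP, "@" = UDP
```

Running `sudo -l -U customer` as root lists the rules that actually apply to the account, which is a quick way to confirm that the allow-list contains nothing able to stop or reconfigure logging.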