From: Joshua Murphy
To: gentoo-user@lists.gentoo.org
Date: Thu, 30 Jul 2009 13:49:30 -0400
Subject: Re: [gentoo-user] How send mail when user login on ssh or local ?

2009/7/30 Vagner Rodrigues :
> Hi Folks !
>
> Somebody know how I to so send mail with IP and Date/time when same
> user login on shell ( remote or local ) ?
>
> I work with another admin's and I never told me when they access and
> for what my server to do something, I try log but this can be erased
> and maybe mail can help me about access and with this I can Ask about
> this access.
>
> --
>
> This message has been checked by the antivirus system and
> is believed to be free of danger.

Well, all questions regarding the reasons you'd be giving root privs
to someone you don't entirely trust aside... the quick and dirty
approach I can think of would be to modify the system wide
/etc/profile to check uid and send an email if a given uid is logged
in. In the end, there's little to no way I'm aware of to guarantee
being alerted about use once someone's being handed root privileges.

If you do go about setting it up that way... OpenSSH sets variables[1]
regarding the session (IP and such) and those can be used to identify
that. The `tty` command[2] can be used to tell you whether the access
is direct physical access to the system's virtual consoles or not. You
could even bypass dependency on the local system having working mail
configuration and such if you have an smtp server off-host you can
send through by using netcat. A Windows variation[3] I found of the
same principle idea does just that. And, lastly, if you use sudo you
can leverage its own auditing capabilities to know when it's being
used[4].

[1] For example:
    SSH_CLIENT=127.0.0.1 44681 22
    SSH_TTY=/dev/pts/1
    SSH_CONNECTION=127.0.0.1 44681 127.0.0.1 22
    Which are of the form:
    SSH_CLIENT=
    SSH_TTY=
    SSH_CONNECTION=
[2] http://swoolley.org/man.cgi/tty
[3] http://community.spiceworks.com/how_to/show/225
[4] http://www.cyberciti.biz/faq/sudo-send-e-mail-sudo-log-file/

-- 
Poison [BLX]
Joshua M. Murphy

"Real programmers can write assembly code in any language." - Larry Wall
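
The /etc/profile approach described in the reply above, as an added sketch that is not part of the original message: it reports logins for chosen uids using SSH_CONNECTION and `tty`. ALERT_TO, WATCH_UIDS and the function names are hypothetical, the address is a placeholder, and a working local /usr/sbin/sendmail is assumed.

```shell
# Added example for /etc/profile (or a file under /etc/profile.d/); POSIX sh.
# ALERT_TO and WATCH_UIDS are hypothetical names chosen for this sketch.
ALERT_TO="${ALERT_TO:-}"        # e.g. admin@example.org; empty disables sending
WATCH_UIDS="${WATCH_UIDS:-0}"   # space-separated uids to report on

# Classify the session: "ssh <client-ip>", "console <tty>" or "other <tty>".
# $1 = value of SSH_CONNECTION (may be empty), $2 = output of `tty`.
login_origin() {
    if [ -n "$1" ]; then
        # SSH_CONNECTION is "client-ip client-port server-ip server-port"
        echo "ssh ${1%% *}"
        return 0
    fi
    case "$2" in
        /dev/tty[0-9]*) echo "console $2" ;;   # Linux virtual console
        *)              echo "other $2" ;;     # pty, serial line, no tty
    esac
}

# Succeeds when uid $1 appears as a whole word in the list $2.
uid_watched() {
    case " $2 " in
        *" $1 "*) return 0 ;;
    esac
    return 1
}

# Build a message for `sendmail -t`: headers, blank line, body.
# $1 = recipient, $2 = user name, $3 = origin string, $4 = timestamp
login_alert_message() {
    printf 'To: %s\nSubject: login: %s on %s (%s)\n\n' "$1" "$2" "$(uname -n)" "$3"
    printf 'user=%s origin=%s time=%s\n' "$2" "$3" "$4"
}

# Send only when a recipient is configured and the current uid is watched.
if [ -n "$ALERT_TO" ] && uid_watched "$(id -u)" "$WATCH_UIDS"; then
    login_alert_message "$ALERT_TO" "$(id -un)" \
        "$(login_origin "${SSH_CONNECTION:-}" "$(tty 2>/dev/null)")" \
        "$(date -u '+%Y-%m-%dT%H:%M:%SZ')" \
        | /usr/sbin/sendmail -t 2>/dev/null || true
fi
```

It only fires for shells that read /etc/profile, so sessions started with a command or a non-login shell are not reported.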