I think you are pretty much screwed if you want to give someone root
access and effectively track the user without him knowing. If you use
sudo then you are letting him know you are tracking him; any unauthorized
action is usually log'd with sudo. If you are giving him root priviledge
you are letting him do *whatever* he wants to do. You may want to
consider having him login with root's priviledges into a chroot
environment. If you can have the log kept outside of the chroot
environment you may be able to mask the file from him (assuming he doesn't
detect the logging mechanism).
I think the previous reply involving sudo is your best bet. I would
personally want to know what all is going to be muck'd with and be sure
that the user is qualified to work on the system. Sure, you are losing
the element of surprise, but you are gaining confidence in other areas.
Not to mention the knowledge of big brother could be enough to fend off
any unscrupilous behavior. In case you have not used sudo before, be
sure not to give root priv. to programs like vi. I do not mean text
editors :). I mean programs that give shell access. You just type
":shell" in vi as root and you conjure up a new environment with which
you have god'esque powers.
Zach Shay
On Tue, 28 Sep 2004, Jonathan C. Detert wrote:
Hello,
I need to give a vendor shell access to a freeBSD system I run,
and worse yet, I need to give them root access.
I want to know everything the vendor does while logged in.
I'm thinking of making the vendor's login shell be
'script -q -a <somefilename>'
but :
a) i don't want the vendor to be able to delete the logfile
b) it would be nice if the vendor wouldn't know his activity was being
logged
Does anyone have a better suggestion for me than to use script?
Does anyone have an idea how to address points a) and b) ?
Thanks
--
Happy Landings,
Jon Detert
IT Systems Administrator, Milwaukee School of Engineering
1025 N. Broadway, Milwaukee, Wisconsin 53202
