[unisog] root level access policies?

Alan Amesbury amesbury at oitsec.umn.edu
Mon May 9 17:06:21 GMT 2005

Chris Crowley wrote:

>> We use sudo for all root access, but wish we could keep a log of commands
>> issued when the user runs:
>> sudo csh
>> and then works in the new shell as root. sudo only logs the "csh" command,
>> not the commands to the shell itself.
> You should take away the privilege of executing a new shell as root.
> "sudo" provides granular control, and can prevent the execution of
> certain commands.

Note that a configuration like

    user         ALL = (ALL) ALL !SHELLS

at best helps keep honest users honest, and does NOT provide much in the
way of security.  The usual way of bypassing this is something like
(real-world example from a large financial services company):

    % cp /bin/sh /tmp/blah
    % sudo /tmp/blah
    Password: ********

'sudo' is most effective as a security control when you explicitly allow
only those commands needed.  Using an "everything but..." config is
much, MUCH harder to control.  While this might seem obvious, I've found
too many instances where people seemed to forget about it (such as in
the aforementioned financial services company).

As for the original thread...  Speaking about the group with which I
work, our policy is that those who have an explicit, business need for
root access generally get it in one form or another.  We do limit its
use through 'sudo', including use of the relatively new "NOEXEC" option;
editors and pagers which have been specifically compiled without shell
escapes; and regular, thorough auditing of who's been using 'sudo' to do
what, particularly on our more sensitive hosts.  We also try very hard
to avoid sinking into the morass of the "blame game," i.e., we usually
use the logs to determine *what* went wrong if a 'sudo'-driven command
is suspected of causing problems, without focusing on *who* was driving
the keyboard at the time.

In addition to using a fairly well-controlled 'sudo' configuration, we
also periodically self-audit our own access and give up that which we
don't actually need.  Root passwords for hosts are rarely (ever?) given
to anyone not directly responsible for maintaining a particular host,
are fairly complex (none is less than eight characters), and get changed

Alan Amesbury
University of Minnesota
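The bypass Alan describes and the allow-list alternative, as an added example that is not part of the original post and is not sudo's own code. The script models sudoers command matching in a simplified form (pathname match, last matching entry wins, "ALL" matches everything, "!" negates) to show that `ALL, !SHELLS` permits a copied shell at a new path while an explicit allow-list does not, and then runs a small audit over two constructed sudoers fragments: the deny-list style the post warns about, and an allow-list using the `NOEXEC:` tag the post mentions. Assumptions: matching is by pathname only (real sudo can additionally pin a digest per command, which is omitted here); the alias names, paths and the `user` account are made up for the example.

```shell
#!/bin/sh
# Added example, not code from the original post or from sudo. Part one is a
# simplified model of sudoers command matching, used to show why
# "ALL, !SHELLS" is bypassed by copying a shell to a new path while an
# explicit allow-list is not. Part two is a small audit that flags deny-list
# style rules in a sudoers fragment. Assumptions: pathname matching only
# (real sudo can also pin a digest per command; omitted here), and the alias
# names and paths below are constructed for the example.

# Constructed command aliases, in the spirit of the post's SHELLS alias.
SHELLS="/bin/sh /bin/csh /bin/bash"
ADMIN="/usr/sbin/useradd /usr/bin/systemctl"

expand_alias() {
  case "$1" in
    SHELLS) echo "$SHELLS" ;;
    ADMIN)  echo "$ADMIN" ;;
    *)      echo "$1" ;;          # not an alias: a literal pathname
  esac
}

# sudo_allows "RULE" CMD -> exit 0 if CMD would be permitted, 1 if not.
# RULE is a user spec's command list, space separated, e.g. "ALL !SHELLS".
# As in sudoers, entries are evaluated in order and the last match wins;
# "ALL" matches any pathname and a leading "!" negates the entry.
sudo_allows() {
  local rule="$1" cmd="$2" verdict=1 entry path
  for entry in $rule; do
    case "$entry" in
      ALL) verdict=0 ;;
      !*)  for path in $(expand_alias "${entry#!}"); do
             if [ "$path" = "$cmd" ]; then verdict=1; fi
           done ;;
      *)   for path in $(expand_alias "$entry"); do
             if [ "$path" = "$cmd" ]; then verdict=0; fi
           done ;;
    esac
  done
  return "$verdict"
}

# The bypass from the post: SHELLS names /bin/sh, not a copy of it, so after
# `cp /bin/sh /tmp/blah` a request for /tmp/blah matches only ALL.
# (sudo is never invoked here; the copy step is represented by the new path.)
copied_shell_allowed() {
  sudo_allows "ALL !SHELLS" /tmp/blah
}

# Constructed sudoers fragments: the deny-list style the post warns about, and
# an explicit allow-list carrying the NOEXEC tag for the editor (NOEXEC stops
# the command from exec'ing further programs, which is what a shell escape
# does).
WEAK_SUDOERS='Cmnd_Alias SHELLS = /bin/sh, /bin/csh, /bin/bash
user ALL = (ALL) ALL, !SHELLS'

HARDENED_SUDOERS='Cmnd_Alias ADMIN = /usr/sbin/useradd, /usr/bin/systemctl
Cmnd_Alias EDIT = /usr/bin/vi
user ALL = (root) ADMIN, NOEXEC: EDIT'

# audit_sudoers reads a sudoers fragment on stdin and prints one WARN line for
# each user-spec command entry that is ALL or a "!" exclusion. Exit status is
# 1 if anything was flagged, 0 if every rule is an explicit allow-list.
audit_sudoers() {
  local rc=0 line cmds tok
  while IFS= read -r line; do
    case "$line" in ''|\#*|Cmnd_Alias*|User_Alias*|Defaults*) continue ;; esac
    cmds=${line#*=}                                      # drop "user host ="
    case "$cmds" in *\(*\)*) cmds=${cmds#*\)} ;; esac    # drop "(runas)"
    cmds=$(printf '%s' "$cmds" | tr ',' ' ')             # comma list -> words
    for tok in $cmds; do
      case "$tok" in
        ALL) echo "WARN grants ALL (any pathname, copied shells included): $line"; rc=1 ;;
        !*)  echo "WARN exclusion $tok only keeps honest users honest: $line"; rc=1 ;;
      esac
    done
  done
  return "$rc"
}

# Stand-alone run: audit both fragments and report the bypass verdict.
echo "== weak =="
if printf '%s\n' "$WEAK_SUDOERS" | audit_sudoers; then echo "clean"; fi
echo "== hardened =="
if printf '%s\n' "$HARDENED_SUDOERS" | audit_sudoers; then echo "clean"; fi
if copied_shell_allowed; then echo "ALL, !SHELLS permits /tmp/blah (a copy of /bin/sh)"; fi
```

Run it as `sh` or `bash`; the weak fragment produces two WARN lines and the hardened one reports clean. The audit deliberately treats every `!` exclusion as a finding rather than trying to decide whether the excluded paths are "enough", since the copied-binary trick defeats any pathname-based exclusion regardless of how long the list is.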
