[sudo-users] SUSE, sudo, nfs, logfile
donald.ritchey at exeloncorp.com
Fri Dec 30 14:00:10 EST 2005
Can you do this as root on all the systems?
If not, check your export permissions on the system which serves the file system
and ensure that the /etc/exports file has an entry like the following for the
file system with the sudolog:
    -root=0                      # maps client superusers to root on all systems
or
    -root=hostname[:hostname]    # maps client superusers on only the specified hosts to uid 0
See your exports(4) manual page for details on your particular flavor of UNIX/Linux.
Now, the flip side of this setting is that each of the systems to which you have
extended root permissions can write here as root. So, a root user on any of
those systems could wipe out your log file. Earlier recommendations to set up remote
syslog logging of sudo activities to a secure syslog server make more sense from
an accountability point of view. An alternative is to set this file system to
append-only (if that is an available option) to prevent log truncation.
When you start opening up holes in your security, even for perfectly valid reasons,
the side effects are what drive you nuts trying to make things work correctly.
Best wishes,
Don Ritchey
-----Original Message-----
From: sudo-users-bounces at courtesan.com
[mailto:sudo-users-bounces at courtesan.com] On Behalf Of Todd Olson
Sent: Friday, December 30, 2005 11:15 AM
To: sudo-users at sudo.ws
Subject: RE: [sudo-users] SUSE, sudo, nfs, logfile
=G=
As I said, I have other Linux (and Unix) flavors writing to the same NFS
mount.
I can also echo "text" >> NFS_logfile and it writes.
Todd O
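Added example (not part of the original e-mail or of sudo): a small Python audit that lists which NFS clients keep uid 0 on the export holding the sudo log, which is the exposure the reply warns about. It covers the `-root=` form quoted in the message and goes beyond it to the Linux exports(5) `no_root_squash` form; the sample exports text, host names and paths are constructed placeholders.

```python
import re

# Constructed sample exports text; hosts and paths are placeholders.
SAMPLE_EXPORTS = """\
# file system holding the sudo log, options in the style quoted in the message
/export/logs -root=web1:web2,rw
/export/home -root=0
# Linux exports(5) style
/srv/logs app1(rw,no_root_squash) app2(rw,root_squash) \\
          app3(rw)
"""

def root_capable_clients(exports_text, log_path):
    """Return (export, client) pairs whose root user keeps uid 0 on the
    export that contains log_path. "*" means every client."""
    findings = []
    # Join backslash-continued lines before parsing.
    for raw in exports_text.replace("\\\n", " ").splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        if not line:
            continue
        export, *fields = line.split()
        prefix = export.rstrip("/") + "/"
        if log_path != export and not log_path.startswith(prefix):
            continue  # this export does not hold the log file
        for field in fields:
            if field.startswith("-"):
                # "-opt,opt" style: root=0 or root=host[:host]
                for opt in field[1:].split(","):
                    if opt.startswith("root="):
                        value = opt[len("root="):]
                        hosts = ["*"] if value == "0" else value.split(":")
                        findings += [(export, h) for h in hosts]
            else:
                # Linux "client(opt,opt)" style: root is squashed by default,
                # so only an explicit no_root_squash keeps uid 0.
                m = re.fullmatch(r"([^()]*)\(([^()]*)\)", field)
                if m and "no_root_squash" in m.group(2).split(","):
                    findings.append((export, m.group(1) or "*"))
    return findings

if __name__ == "__main__":
    for export, client in root_capable_clients(SAMPLE_EXPORTS, "/export/logs/sudolog"):
        print(f"root on {client} can modify or truncate files under {export}")
```

Every client it reports is a host whose root user could alter the shared log, which is the case where remote syslog or an append-only file system is the safer choice.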