[sudo-users] SUSE, sudo, nfs, logfile

donald.ritchey at exeloncorp.com
Fri Dec 30 14:00:10 EST 2005

Can you do this as root on all the systems?

If not, check your export permissions on the system which serves the file system
and ensure that the /etc/exports file has an entry like the following for the 
file system with the sudolog:

-root=0                      # maps client superusers to root on all systems

-root=hostname[:hostname]    # maps client superusers on only the specified hosts to uid 0

See your exports(4) manual page for details on your particular flavor of UNIX/Linux.

Now, the flip side of this setting is that each of the systems to which you have 
extended root permissions can write here as root.  So, a root user on any of 
those systems could wipe out your log file.  Earlier recommendations to set up remote
syslog logging of sudo activities to a secure syslog server make more sense from
an accountability point-of-view.  An alternative is to set this file system to 
append-only (if that is an available option) to prevent a log truncation.

When you start opening up holes in your security, even for perfectly valid reasons,
the side-effects are what drive you nuts trying to make things work correctly.

Best wishes,

Don Ritchey
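The mapping options above are the exports(4) syntax of the commercial Unix flavors; on a SUSE (Linux nfs-utils) server the equivalent knob is the per-client `no_root_squash` option in /etc/exports. The following is an added example, not from this thread or from the sudo project, that scans a constructed /etc/exports and lists every client that is allowed to act as uid 0 on an export, so an admin can see exactly which hosts could truncate a shared sudo log. It also flags the classic `host (options)` mistake, where a space before the parenthesis applies the options to all hosts; the sample file contents and the function name are assumptions.

```shell
#!/bin/sh
# Added example (not from the original mailing-list thread).
# Reports which client entries in a Linux-style /etc/exports keep remote
# root as uid 0 (no_root_squash). Sample exports file is constructed.

EXPORTS_SAMPLE=$(cat <<'EOF'
# constructed sample /etc/exports
/var/log/sudo      host1(rw,sync,no_root_squash) host2(rw,sync)
/srv/shared        *(ro)
/var/log/nfsaudit  10.0.0.0/24(rw,root_squash,sync)
/export/tmp        host3 (rw,no_root_squash)
EOF
)

# Prints one "path client" line per client that is not root-squashed.
# A bare "(options)" token (options separated from the host by a space)
# applies to every client, which nfs-utils treats as a world export,
# so it is reported as "*".
unsquashed_root_exports() {
    printf '%s\n' "$1" | sed 's/#.*//' | awk '
        NF > 1 {
            path = $1
            for (i = 2; i <= NF; i++) {
                tok = $i
                if (index(tok, "no_root_squash") > 0) {
                    sub(/\(.*/, "", tok)      # keep only the client part
                    if (tok == "") tok = "*"  # options after a space: all hosts
                    print path, tok
                }
            }
        }'
}

# Stand-alone run: list the exports a remote root could write to as uid 0.
unsquashed_root_exports "$EXPORTS_SAMPLE"
```

Every host printed here can modify the shared log as root, which is the accountability gap the message above describes; the list is what to weigh against syslog forwarding or an append-only log.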

-----Original Message-----
From: sudo-users-bounces at courtesan.com
[mailto:sudo-users-bounces at courtesan.com] On Behalf Of Todd Olson
Sent: Friday, December 30, 2005 11:15 AM
To: sudo-users at sudo.ws
Subject: RE: [sudo-users] SUSE, sudo, nfs, logfile


As I said, I have other Linux (and Unix) flavors writing to the same NFS.
I can also echo "text" >> NFS_logfile and it writes.

Todd O
