[sudo-users] Logging all commands after a user has sudo'ed to another userid

Russell Van Tassell russell+sudo-users at loosenut.com
Wed Oct 8 14:08:18 EDT 2008


On Wed, Oct 08, 2008 at 11:56:33AM -0400, Maguire, Jean (GE, Corporate) wrote:
> Just say I create a special group that allows my users to do a #sudo su
> - oracle.  Is there a way for me to log all commands executed while they
> were sudo'ed to oracle id?

Simple answer: No
Slightly longer answer: Maybe
Longer answer: Why?

There are other tools/utilities out there to do this, such as OSH (a
restricted "operator's" shell).  Sudo isn't a shell utility, but a
simple and secure way to give folks elevated privileges for a list of
very specific commands across a wide distribution, all while maintaining
an audit trail log integrity of what was done (ideally while NOT
potentially leaving a root shell open).

Yes, it can be abused by simply allowing "sudo su" -- but really, that's
one of the things (IMO) you should strive to shut off and, instead, try
to force more of a cultural change within the organization of using sudo
in front of *every* command where the elevated privilege is needed...
for something like oracle, why not something such as:

% sudo -u oracle sqlplus

(obviously this list is a lot longer)


As was just said here only a day or so ago... rather than granting broad,
all-encompassing privileges you should work to identify individual tools
and commands where elevated privilege is necessary, and grant THOSE
instead.  Really, by allowing things like "su," it's really not
much better than just distributing the password (since there's nothing
really to prevent folks from something like "sudo su - user; passwd" or
any of a number of other things).


-- 
Russell M. Van Tassell
russell at loosenut.com

"Never sweat the petty things... and never pet the sweaty things"
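A small audit of sudoers-style rules for the broad grants the reply above warns about, as an added example that is not part of the original post or of the sudo project; the rules it scans are constructed, and it handles only simple one-line user specifications (no aliases, no Defaults).

```python
"""Audit sudoers-style rules for broad grants (ALL, su, or a shell).
Added example, not the sudo project's code; handles only simple lines of
the form "who host=(runas) [TAG:] cmd, cmd" (no aliases, no Defaults)."""
import re

# A shell or su as the target user defeats per-command logging, which is
# the point of the reply above.
SHELL_LIKE = {"su", "sh", "bash", "ksh", "csh", "zsh", "dash"}
RULE_RE = re.compile(
    r"^(?P<who>\S+)\s+(?P<host>\S+)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?"
    r"(?P<cmds>.+)$"
)

def is_broad(cmdspec: str) -> bool:
    """True if the command spec is ALL, a shell, or su (any arguments)."""
    words = cmdspec.split()
    while words and words[0].endswith(":"):  # drop NOPASSWD: etc.
        words = words[1:]
    if not words:
        return False
    if words[0] == "ALL":
        return True
    return words[0].rsplit("/", 1)[-1] in SHELL_LIKE

def audit(sudoers_text: str) -> list:
    """Return (who, offending command) pairs for every broad grant."""
    findings = []
    for raw in sudoers_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # strip comments
        m = RULE_RE.match(line)
        if not m:
            continue
        for cmd in m.group("cmds").split(","):
            if is_broad(cmd.strip()):
                findings.append((m.group("who"), cmd.strip()))
    return findings

# Constructed sample: the weak rule from the question beside the
# per-command grant the reply recommends.
SAMPLE = """\
# weak: an interactive shell as oracle, nothing typed in it is logged
%dba  ALL=(root) /bin/su - oracle
# better: specific commands, each run and logged as one sudo invocation
%dba  ALL=(oracle) /usr/bin/sqlplus, /usr/bin/lsnrctl
"""

if __name__ == "__main__":
    for who, cmd in audit(SAMPLE):
        print(f"broad grant for {who}: {cmd}")
```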
