On Feb 5, 2008, at 2:04 PM, Josh Welch wrote:

> Quoting Eric F Crist <ecrist at secure-computing.net>:
>
>>>
>>> Yes, sudo logs all commands that are run through it.  su doesn't.
>>
>>
>> This is slightly misguided.  Even with sudo, you can sudo su <user>
>> and where the su to <user> will be logged, anything done while su'd is
>> not logged.  Only commands invoked directly with sudo are logged.  In
>> this case, logging is no better than it is with su.
>>
>
> Note that the proper approach here would be to simply disallow doing a
> sudo to su if you're on a multi-user system where such things matter.
> One of the nice things about sudo is that you can specify with a fair
> degree of granularity what users are allowed to issue what commands as
> the superuser.

Hardly a work-around as I could execute sudo <favorite_shell_here>.  It
really boils down to a couple of options:

1) You trust your users, give them sudo access.
2) You don't trust your users, don't give them sudo access.
3) You don't trust your users, give them a limited set of commands.
   * With this, I would recommend a 'take it all away' and give them
     what they need approach.

HTH
-----
Eric F Crist
Secure Computing Networks
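The contrast drawn in the message above (blocking su while leaving everything else open, versus granting only a limited set of commands) can be checked mechanically. The following is an added example, not part of the original post: a small auditor for sudoers user specifications. The function names, the SHELL_LIKE list and the sample policy are assumptions made for illustration, and the parsing is simplified (no alias expansion, no line continuations).

```python
import os
import re

# Binaries treated as "hands over a root shell". Assumed list; extend per site.
SHELL_LIKE = {"su", "sh", "bash", "csh", "tcsh", "ksh", "zsh"}

def audit_rule(line):
    """Classify one sudoers user specification; returns a list of findings."""
    line = line.strip()
    if not line or line.startswith(("#", "Defaults")) or "_Alias" in line.split()[0]:
        return []
    if "=" not in line:
        return []
    _, spec = line.split("=", 1)
    spec = re.sub(r"^\s*\([^)]*\)", "", spec)   # drop the (runas) list
    spec = re.sub(r"\b[A-Z_]+:\s*", "", spec)   # drop tags such as NOPASSWD:
    allowed, denied = [], []
    for cmd in filter(None, (c.strip() for c in spec.split(","))):
        (denied if cmd.startswith("!") else allowed).append(cmd.lstrip("! "))
    findings = []
    if "ALL" in allowed:
        if denied:
            # Subtracting su from ALL leaves every other shell available.
            findings.append("deny-list: ALL minus %s still permits any other shell"
                            % ", ".join(denied))
        else:
            findings.append("unrestricted: every command, shells included")
    for cmd in allowed:
        if os.path.basename(cmd.split()[0]) in SHELL_LIKE:
            # Only the shell start is logged by sudo, not what runs inside it.
            findings.append("shell grant: %s" % cmd)
    return findings

def audit(text):
    """Map each flagged rule to its findings; unflagged rules are pure allow-lists."""
    return {l.strip(): f for l in text.splitlines() if (f := audit_rule(l))}

# Constructed sample policy (users, hosts and paths are made up for illustration).
SAMPLE = """\
alice ALL = (ALL) ALL
bob   ALL = (root) ALL, !/usr/bin/su
carol ALL = (root) NOPASSWD: /bin/csh
dave  ALL = (root) /usr/sbin/service apache22 restart, /usr/bin/tail /var/log/messages
"""

if __name__ == "__main__":
    for rule, findings in audit(SAMPLE).items():
        print(rule, "->", "; ".join(findings))
```

Only dave's rule passes without findings: it names the exact commands granted, which is the third option in the list above.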