Path: utzoo!utgpu!jarvis.csri.toronto.edu!mailrus!cs.utexas.edu!uunet!cadnetix.COM!cadnetix!rusty
From: rusty@cadnetix.COM (Rusty Carruth)
Newsgroups: comp.unix.wizards
Subject: Re: Multiple Root ID's considered evil?
Message-ID: <9560@cadnetix.COM>
Date: 19 Sep 89 22:31:21 GMT
References: <4157@buengc.BU.EDU> <1723@convex.UUCP> <1989Sep13.082607.981@twwells.com> <1738@convex.UUCP> <3812@helios.ee.lbl.gov>
Sender: news@cadnetix.COM
Reply-To: rusty@cadnetix.COM (Rusty Carruth)
Distribution: usa
Lines: 32

In article <3812@helios.ee.lbl.gov> envbvs@epb2.lbl.gov (Brian V. Smith) writes:
>< >... preferring people to log in as
>< >themselves and su.
>
>< What's the diff?
>
>That way you have an audit trail of people who have su'ed,
>either in /var/log/authlog (SunOs4.0) or /usr/adm/sulog (Ultrix X.X).
>
>Brian V. Smith (bvsmith@lbl.gov)

However, I would like to remind you that, should someone become
root who wishes to hide that fact, and should /var/log/authlog be
someplace that the root-ed person can touch... well, let's just say
that your log means nothing in this case, since root can go edit
that file and remove the entries. Or even change them to reference
someone else rather than themselves.

Nope, sorry, but once someone becomes root the logs mean nothing
if that person knows where they are (and how to change them).

I could tell you a long story about this as it relates to the Univac 1100 series,
but then this is comp.UNIX.wizards....
                      ^^^^

----------
Rusty Carruth   UUCP:{uunet,boulder}!cadnetix!rusty  DOMAIN: rusty@cadnetix.com
Daisy/Cadnetix Corp. (303) 444-8075\  5775 Flatiron Pkwy. \ Boulder, Co 80301
Radio: N7IKQ    'home': P.O.B. 461 \  Lafayette, CO 80026