Path: utzoo!utgpu!jarvis.csri.toronto.edu!cs.utexas.edu!rutgers!mcdchg!laidbak!daveb
From: daveb@i88.isc.com (Dave Burton)
Newsgroups: comp.unix.xenix
Subject: Re: Disallow rm'ing your own open file
Message-ID: <1990Feb19.183325.28793@i88.isc.com>
Date: 19 Feb 90 18:33:25 GMT
References: <1990Feb17.190606.22454@gpu.utcs.utoronto.ca>
Sender: usenet@i88.isc.com (Usenet News)
Distribution: na
Organization: Interactive Systems nee Lachman Associates
Lines: 17

In article <1990Feb17.190606.22454@gpu.utcs.utoronto.ca> milan@gpu.utcs.utoronto.ca (Milan Strnad) writes:
|I am trying to put some controls on the "root" account (don't even ask why).
|Currently I have all of root's activity (key strokes, etc.) getting logged
|in a log file. Unfortunately, this does not prevent the root user from "rm"ing
|the log file, but it does prevent him from modifying it. File locking does
|not seem to work in this instance. How can I better ensure the log file
|maintains its integrity? I'm using SCO Xenix 2.3.2 on a Compaq 386.

You can't. Don't restrict root, restrict access.
If you need a semi-privileged user that can do most, but not all things,
create a new notroot account, change your system's permissions such that
access is allowed where needed, but denied where not. Use the group bits
to good advantage.
It is a mistake to try and limit root. It's unrestricted for a reason.
--
Dave Burton
uunet!ism780c!laidbak!daveb
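Added example, not part of the original post: a shell function that applies the classic UNIX mode-bit rules for removing a directory entry, showing why `rm` depends on the directory rather than the log file, why uid 0 always passes, and how group bits on the directory confine a `notroot` account. The function name, the uids and gids, and the sticky-bit rule (a generalization from later UNIX systems, not something the post says about Xenix 2.3.2) are assumptions.

```shell
#!/bin/sh
# may_unlink DIR_MODE DIR_UID DIR_GID FILE_UID UID "GID ..."
# Exit 0 if the caller may remove an entry from the directory, 1 otherwise.
# The file's own mode bits are never consulted: unlink is a directory write.
may_unlink() {
    dir_mode=$1; dir_uid=$2; dir_gid=$3; file_uid=$4; uid=$5; gids=$6

    # uid 0 bypasses every mode-bit check, so root can always rm the log.
    if [ "$uid" -eq 0 ]; then return 0; fi

    mode=$((0$dir_mode))                    # leading 0: read mode as octal

    # Exactly one permission class applies: owner, else group, else other.
    if [ "$uid" -eq "$dir_uid" ]; then
        bits=$(( (mode >> 6) & 7 ))
    else
        bits=$(( mode & 7 ))
        for g in $gids; do
            if [ "$g" -eq "$dir_gid" ]; then
                bits=$(( (mode >> 3) & 7 )); break
            fi
        done
    fi

    # Removing an entry needs both write (2) and search (1) on the directory.
    [ $(( bits & 3 )) -eq 3 ] || return 1

    # Sticky directory (octal 1000 = 512): only file owner or dir owner.
    if [ $(( mode & 512 )) -ne 0 ]; then
        [ "$uid" -eq "$file_uid" ] || [ "$uid" -eq "$dir_uid" ] || return 1
    fi
    return 0
}

# Constructed scenario: log directory owned by root (uid 0), group 50;
# notroot is uid 200 and a member of group 50; the log file is root's.
report() {
    if may_unlink "$1" 0 50 0 "$2" "$3"; then r=yes; else r=no; fi
    echo "dir mode $1, uid $2: may rm log? $r"
}
report 750 0 "0"       # root: yes, whatever the mode
report 750 200 "50"    # group r-x: can read the log dir, cannot rm
report 770 200 "50"    # group rwx: can rm root's log file
report 1770 200 "50"   # sticky: group may create entries, not rm root's
```
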