Apache and suexec issue that wont let me run my python script
Heiko Wundram
modelnine at modelnine.org
Wed Jun 5 07:37:28 EDT 2013
Am 05.06.2013 13:19, schrieb Νικόλαος Κούρας:
> Is there some logging utility i can use next time iam offering root access to someone(if i do it) or perhaps logging a normal's account activity?
Short answer: Not for root, no.
Long answer: as I've already said: root can change file contents, or
more explicitly _any_ system state, and (s)he can do that at will, and
as such you can't ever be sure that what any form of logging is telling
you will be the "truth" in some form or another if you've had a
malicious root user on your system.
Now: think again why it's such a plain stupid and incredibly bad idea to
hand out root credentials to people you shouldn't trust, and why people
(like me) keep telling you that you're naive and a fool to even consider
handing out root logins.
PS: the same is true for normal logins. You don't know whether some form
of privilege escalation exists on your system, so even by handing out
supposedly safe non-root accounts, your installation might get
compromised due to insecure SUID software or due to privilege escalation
bugs in the kernel.
--
--- Heiko.
More information about the Python-list
mailing list