[Gllug] SULOG

Jackson, Harry HJackson at colt-telecom.com
Fri Nov 2 11:29:31 UTC 2001


> -----Original Message-----
> From: David Irvine [mailto:co2cool at yahoo.com]
> 
> On Thu, 2001-11-01 at 18:01, tet at accucard.com wrote:
> > 
> > >The man page is pretty much empty and the info page mentions syslog
> > >but not the sulog. Any one got any ideas?
> > 
> > A simple solution is to rename your su binary to something hidden
> > (e.g., /usr/bin/.foobar), and put a wrapper script in its place
> > that logs each attempt to su and then calls the real (hidden) su
> > binary.
> > 
> > It's not foolproof, and someone might find the hidden binary either
> > by stumbling across it by accident, or by deliberately searching for
> > setuid root files on the whole filesystem. But it'll track 99.9% of
> > all people using su.
> > 
> You could take that a bit further and write it into the su code so that
> anybody who su's would be logged.



Or a little easier. Rename su to suid and put the following BASH script in
place of su:

#! /bin/bash

# Note who invoked the wrapper, then hand off to the renamed binary.
echo "$HOME" >> /tmp/.suid_log

# Pass the caller's arguments through (e.g. "su - root") so su behaves as before.
exec suid "$@"

This would be easy to get around, though, but if they ls the bin directory
they will still see the su command. To get around any funny stuff like them
trying to read it, you could always encrypt it using VIM's :X command. The
best way would be to modify su itself, as mentioned above.

Harry
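A fuller version of the wrapper idea discussed in this thread, as an added example that is not code from Harry, tet, David or the Gllug list: the wrapper sends one audit record per invocation to syslog (falling back to a file), then execs the real binary with the caller's arguments intact. The paths /usr/bin/su.real and /var/log/sulog are assumed, not taken from the thread, and the option parsing follows su's usual conventions (first non-option word is the target user, default root; -c and -s take a value).

```sh
#!/bin/sh
# Added example (not from the thread): a su wrapper that records every
# invocation before handing off to the real, renamed binary.
# Assumed paths: the real su has been moved to /usr/bin/su.real and the
# fallback log file is /var/log/sulog; both names are hypothetical.
REAL_SU="${REAL_SU:-/usr/bin/su.real}"
SU_LOG="${SU_LOG:-/var/log/sulog}"

# Work out which account the caller is switching to, following su's
# conventions: words starting with '-' are options and are skipped, '-c'
# and '-s' consume the following word as their value, and the first
# remaining word is the target user; with none given, su defaults to root.
su_target_user() {
    target=root
    expect_value=0
    for arg in "$@"; do
        if [ "$expect_value" -eq 1 ]; then
            expect_value=0
            continue
        fi
        case "$arg" in
            -c|--command|-s|--shell) expect_value=1 ;;
            -*) ;;
            *) target="$arg"; break ;;
        esac
    done
    printf '%s\n' "$target"
}

# Build one audit record: UTC time, calling user and uid, tty, target user,
# and the raw argument list so a reviewer can see exactly what was run.
su_log_line() {
    term=$(tty 2>/dev/null) || term=notty
    printf 'time=%s user=%s uid=%s tty=%s target=%s args="%s"\n' \
        "$(date -u +%Y-%m-%dT%H:%M:%SZ)" \
        "$(id -un)" "$(id -u)" "$term" \
        "$(su_target_user "$@")" "$*"
}

# Send the record to syslog's auth facility, which any user may write to and
# which lands in a root-owned log; fall back to a plain file if logger is absent.
su_record() {
    line=$(su_log_line "$@")
    if command -v logger >/dev/null 2>&1; then
        logger -p auth.notice -t su_wrapper "$line"
    else
        printf '%s\n' "$line" >> "$SU_LOG" 2>/dev/null || :
    fi
}

# Only act as the wrapper when installed and invoked under the name "su";
# sourcing the file elsewhere just defines the functions and does nothing.
case "$(basename "$0")" in
    su) su_record "$@"; exec "$REAL_SU" "$@" ;;
esac
```

A shell script cannot itself be setuid, so the renamed binary keeps its setuid bit and stays directly callable; as the thread already points out, anyone who finds it can skip the wrapper, which is why logging from within su itself is the durable answer. Writing via logger rather than a file in /tmp matters for the same reason: the record ends up in a root-owned log the invoking user cannot edit afterwards.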




-- 
Gllug mailing list  -  Gllug at linux.co.uk
http://list.ftech.net/mailman/listinfo/gllug