[Server-devel] "Administrative" login for political reasons

Anna aschoolf at gmail.com
Wed Jan 19 21:01:00 EST 2011 

I think enough time has passed that I can write this up in case anyone else
runs into this situation.  Back when I was tussling with a school IT guy, he
demanded "administrative access" to the XSs.  Err, you do realize there is
no GUI whatsoever and all you're going to see is a prompt, right?  He was a
Windows guy and didn't want to admit he had no clue what to do with a CLI
only Linux system.  And got offended when I asked if he had an ssh client.
Well, Mr. Big Shot, here's your precious "admin" access.

I created an "admin" user and set a password.

adduser admin
passwd admin

I use passwords for ssh, but do run it on a nonstandard port, deterring the
script kiddies.

Having previously installed and set up ssmtp so the XSs could send me emails
via gmail, I edited /home/admin/.bashrc

echo 'Login Alert on' `hostname` `who -m` | mail -s "Login Alert"
me at gmail.com

Being of a nosy disposition, particularly when it comes to what's going on
with my systems, I set it up to quietly log everything he did with this line
in /home/admin/.bash_profile

script -q /var/log/sessions/login-`date +%m-%d-%Y-%Hh-%Mm-%Ss`-`whoami`.log
&& exit

Created and set permissions to a dir in /var/log that looks innocuous:

mkdir /var/log/sessions
chmod 777 /var/log/sessions

And just in case he reads something on the internet, here's some sudo rope
to hang himself with.  I can install and customize an XS in under an hour,
so whatever if he breaks it.  I was actually really looking forward to
pulling logs to prove he was out of his league.

visudo and then add an entry for admin under root.

## Allow root to run any commands anywhere
root    ALL=(ALL)     ALL
admin   ALL=(ALL)    ALL

The hilarious bit was he claimed he logged into all my XSs and said
everything looked OK.  What?  I didn't get a single email notification and
/var/log/sessions was empty.  I checked /var/log/secure just to be
absolutely sure.  What a pompous liar.  And a liar who didn't know better
than to lie to someone who could prove it via system logs.

So that's my workaround for ignorant people who demand "admin" access.

Anna Schoolfield
Birmingham
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.laptop.org/pipermail/server-devel/attachments/20110119/73ccf770/attachment-0001.htm

More information about the Server-devel mailing list