[Server-devel] "Administrative" login for political reasons

Sameer Verma sverma at sfsu.edu
Thu Jan 20 22:07:00 EST 2011 

On Wed, Jan 19, 2011 at 6:01 PM, Anna <aschoolf at gmail.com> wrote:
> I think enough time has passed that I can write this up in case anyone else
> runs into this situation.  Back when I was tussling with a school IT guy, he
> demanded "administrative access" to the XSs.  Err, you do realize there is
> no GUI whatsoever and all you're going to see is a prompt, right?  He was a
> Windows guy and didn't want to admit he had no clue what to do with a CLI
> only Linux system.  And got offended when I asked if he had an ssh client.
> Well, Mr. Big Shot, here's your precious "admin" access.
>
> I created an "admin" user and set a password.
>
> adduser admin
> passwd admin
>
> I use passwords for ssh, but do run it on a nonstandard port, deterring the
> script kiddies.
>
> Having previously installed and set up ssmtp so the XSs could send me emails
> via gmail, I edited /home/admin/.bashrc
>
> echo 'Login Alert on' `hostname` `who -m` | mail -s "Login Alert"
> me at gmail.com
>
> Being of a nosy disposition, particularly when it comes to what's going on
> with my systems, I set it up to quietly log everything he did with this line
> in /home/admin/.bash_profile
>
> script -q /var/log/sessions/login-`date +%m-%d-%Y-%Hh-%Mm-%Ss`-`whoami`.log
> && exit
>
> Created and set permissions to a dir in /var/log that looks innocuous:
>
> mkdir /var/log/sessions
> chmod 777 /var/log/sessions
>
> And just in case he reads something on the internet, here's some sudo rope
> to hang himself with.  I can install and customize an XS in under an hour,
> so whatever if he breaks it.  I was actually really looking forward to
> pulling logs to prove he was out of his league.
>
> visudo and then add an entry for admin under root.
>
> ## Allow root to run any commands anywhere
> root    ALL=(ALL)     ALL
> admin   ALL=(ALL)    ALL
>
> The hilarious bit was he claimed he logged into all my XSs and said
> everything looked OK.  What?  I didn't get a single email notification and
> /var/log/sessions was empty.  I checked /var/log/secure just to be
> absolutely sure.  What a pompous liar.  And a liar who didn't know better
> than to lie to someone who could prove it via system logs.
>
> So that's my workaround for ignorant people who demand "admin" access.
>
> Anna Schoolfield
> Birmingham
>
> _______________________________________________
> Server-devel mailing list
> Server-devel at lists.laptop.org
> http://lists.laptop.org/listinfo/server-devel
>
>

You are hilariously evil >8-)~

cheers,
Sameer

More information about the Server-devel mailing list