Would it be possible that when a normal user logs in to root via su command an email notification will be sent?
IMB
- Why are your normal users allowed to even execute `su`? At least on my system every user that wants to use `su` needs to be in `wheel`. – Baarn Aug 05 '12 at 12:23
- The approach is bad; any user who becomes root via `su` can also remove such an email notification. Your users should only be allowed to execute a very small set of commands as root, and only using `sudo`. Use the `/etc/sudoers` file to configure it accordingly (see the sudoers manpage). – speakr Aug 05 '12 at 12:31
- @speakr Well my plan is only one normal user will be given root, I want to do this just to prevent brute forcing root. So direct root is disabled and that single normal user must use `su` – IMB Aug 05 '12 at 12:41
- Define "brute forcing root". Then explain how this will prevent it. – Fran Aug 05 '12 at 15:54
- @fran SSH brute force attack. I already have my SSH on different port as well as blocking failed login attempts but a little more security like this won't hurt. How this works is, in case the brute-forcer finds out the port, he will still have to know the username because root is disabled. – IMB Aug 05 '12 at 16:34
- @IMB So did you mean to write `ssh` instead of `su` in your question? I don't see how your explanation has anything to do with `su`. – Fran Aug 05 '12 at 16:38
- @Fran No. Well, when the username logs in to SSH he then uses `su` instead of direct root. – IMB Aug 05 '12 at 16:59
1 Answer
A solution would be creating a script which sends an email and executes a shell:
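```bash
#!/bin/bash
# Send the notification mail first...
echo "sudo was used" | mail -s "sudo notification" your@mailaddress
# ...then replace this process with an interactive shell (root when run via sudo).
exec bash
```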
Be sure to protect this script against any access from unprivileged users (see the lower part of this answer)!
Then force privileged user joe to execute the script via restrictive sudo permissions.
An example for `/etc/sudoers`:
```
joe ALL = (root) /absolute/path/to/your/script.sh
```
Now joe can call `sudo /absolute/path/to/your/script.sh` and gets a root shell while you are notified.
However, be aware that once joe gets the root shell he owns your system, i.e. nothing keeps him from modifying your script, the sudoers file, and so on.
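Added example, not part of the original answer: a pre-flight check for the answer's requirement that the wrapper script be protected from unprivileged users, run before the path goes into `/etc/sudoers`. It assumes GNU `stat`; `perm_ok` and `check_wrapper` are hypothetical helper names.

```shell
#!/bin/sh
# Added example: pre-flight check for a sudo wrapper script.
# Assumptions: GNU coreutils stat (-c); perm_ok and check_wrapper are
# hypothetical helper names, not part of sudo.

# perm_ok PATH UID: PATH is owned by UID and has no group/other write bit.
perm_ok() {
    info=$(stat -c '%u %a' "$1") || return 1
    uid=${info% *}
    mode=${info#* }
    if [ "$uid" != "$2" ]; then
        echo "$1: owned by uid $uid, expected $2" >&2
        return 1
    fi
    # Leading 0 makes the shell read the mode as octal; 022 = g+w and o+w.
    if [ $(( 0$mode & 022 )) -ne 0 ]; then
        echo "$1: mode $mode is writable by group or others" >&2
        return 1
    fi
}

# check_wrapper SCRIPT [UID]: UID defaults to 0 (root).
check_wrapper() {
    script=$1
    owner=${2:-0}
    case $script in
        /*) ;;
        *) echo "$script: use the absolute path, as in the sudoers rule" >&2
           return 1 ;;
    esac
    # A symlink could be re-pointed, so require a real regular file.
    if [ -L "$script" ] || [ ! -f "$script" ]; then
        echo "$script: not a regular file" >&2
        return 1
    fi
    # A writable directory lets someone replace the file without touching it.
    perm_ok "$script" "$owner" && perm_ok "$(dirname "$script")" "$owner"
}
```

Call it as `check_wrapper /absolute/path/to/your/script.sh`; only the script and its own directory are checked, not the ancestor directories above it.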