logging of root logins

Arthur de Jong arthur at West.NL
Fri Nov 9 02:02:05 EST 2001


On Thu, 8 Nov 2001, Markus Friedl wrote:
> hm, i don't think uid sharing is a standard unix feature.

I agree that it's not a very nice thing to do but I know several
organisations that use several ROOT accounts. It's nice to have several
passwords to access ROOT privileges. (I know sudo or similar is better but
not as convenient).

> however, i think that we should drop this:
>
> 	authlog("%s %s for %s%.100s from %.200s port %d%s",
> 	    authmsg,
> 	    method,
> 	    authctxt->valid ? "" : "illegal user ",
> 	    authctxt->valid && authctxt->pw->pw_uid == 0 ? "ROOT" : authctxt->user,
> 	    get_remote_ipaddr(),
> 	    get_remote_port(),
> 	    info);
>
> and not print ROOT in caps:
>
> 	authlog("%s %s for %s%.100s from %.200s port %d%s",
> 	    authmsg,
> 	    method,
> 	    authctxt->valid ? "" : "illegal user ",
> 	    authctxt->user,
> 	    get_remote_ipaddr(),
> 	    get_remote_port(),
> 	    info);
>
> do we really need backward compatibility for printing ROOT
> in upper case?

I personally like capitalized ROOT because it makes root logins stick out
in the logs. Maybe something like:

 authlog("%s %s for %s%s%.100s from %.200s port %d%s",
         authmsg,
         method,
         authctxt->valid ? "" : "illegal user ",
         authctxt->valid && authctxt->pw->pw_uid == 0 ? "ROOT user " : "",
         authctxt->user,
         get_remote_ipaddr(),
         get_remote_port(),
         info);

This would make it stand out and maybe keep it partially compatible with
logfile checkers. Or even:

 authlog("%s %s for %s%.100s from %.200s port %d%s",
        ...
        authctxt->valid ? ( authctxt->pw->pw_uid == 0 ? "ROOT user " : "" ) : "illegal user ",
        ...

-- arthur de jong - arthur at west.nl - west consulting b.v. --
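
Added example, not part of the original message or of OpenSSH: the three log formats discussed in this thread, rendered for a second account that shares uid 0, to show which ones keep the login name. `struct demo_authctxt`, `format_authlog()` and all sample values (account `admin2`, address, port) are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Simplified stand-in for the fields the quoted authlog() calls read;
 * this is not OpenSSH's real Authctxt. */
struct demo_authctxt {
    int valid;          /* account exists */
    unsigned pw_uid;    /* uid from the passwd entry (meaningful only if valid) */
    const char *user;   /* login name the client asked for */
};

enum variant { CURRENT_ROOT_CAPS, PLAIN_USER, ROOT_PREFIX };

/* Format one auth log line the way each variant in the thread would. */
int format_authlog(char *buf, size_t len, enum variant v,
    const struct demo_authctxt *a, const char *authmsg, const char *method,
    const char *ip, int port, const char *info)
{
    int is_root = a->valid && a->pw_uid == 0;
    const char *prefix = a->valid ? "" : "illegal user ";
    const char *rootmark = "";
    const char *name = a->user;

    if (v == CURRENT_ROOT_CAPS && is_root)
        name = "ROOT";              /* existing format: login name is replaced */
    else if (v == ROOT_PREFIX && is_root)
        rootmark = "ROOT user ";    /* proposal: marker plus the real name */

    return snprintf(buf, len, "%s %s for %s%s%.100s from %.200s port %d%s",
        authmsg, method, prefix, rootmark, name, ip, port, info);
}

int main(void)
{
    /* Constructed sample: "admin2" is a second account sharing uid 0. */
    struct demo_authctxt a = { 1, 0, "admin2" };
    char line[512];

    for (int v = CURRENT_ROOT_CAPS; v <= ROOT_PREFIX; v++) {
        format_authlog(line, sizeof line, (enum variant)v, &a,
            "Accepted", "password", "192.0.2.10", 40022, " ssh2");
        puts(line);
    }
    return 0;
}
```

With shared uid 0 accounts, only the "ROOT user " form both flags the root login and records which account was used; a log checker matching `for ROOT ` still matches it.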




More information about the openssh-unix-dev mailing list