Path: csiph.com!usenet.pasdenom.info!gegeweb.org!de-l.enfer-du-nord.net!feeder2.enfer-du-nord.net!feeds.phibee-telecom.net!newsfeed.xs4all.nl!newsfeed4.news.xs4all.nl!xs4all!post.news.xs4all.nl!not-for-mail
Return-Path: <modelnine@modelnine.org>
X-Original-To: python-list@python.org
Delivered-To: python-list@mail.python.org
X-Spam-Status: OK 0.184
X-Spam-Level: *
X-Spam-Evidence: '*H*': 0.66; '*S*': 0.03; 'charset:iso-8859-7': 0.04; 'explicitly': 0.05; 'root': 0.05; 'root,': 0.09; 'subject:script': 0.09; 'will,': 0.09; 'activity?': 0.16; 'subject:Apache': 0.16; 'subject:issue': 0.16; 'subject:run': 0.16; 'subject:python': 0.16; 'installation': 0.23; 'header:User-Agent:1': 0.23; 'exists': 0.24; "shouldn't": 0.24; '---': 0.24; "i've": 0.25; 'logging': 0.26; 'header:In-Reply-To:1': 0.27; 'idea': 0.28; '(like': 0.30; 'credentials': 0.31; 'subject:that': 0.31; 'file': 0.32; 'another': 0.32; 'bugs': 0.33; 'plain': 0.33; "can't": 0.35; 'there': 0.35; 'next': 0.36; 'received:10': 0.37; 'system,': 0.38; 'to:addr:python-list': 0.38; 'short': 0.38; 'bad': 0.39; 'sure': 0.39; 'to:addr:python.org': 0.39; 'system.': 0.39; 'received:org': 0.40; 'even': 0.60; 'no.': 0.61; "you're": 0.61; "you've": 0.63; 'such': 0.63; 'offering': 0.63; 'telling': 0.64; 'more': 0.64; 'account': 0.65; 'due': 0.66; 'said:': 0.68; 'safe': 0.72; 'now:': 0.74; 'hand': 0.80; 'answer:': 0.84; 'contents,': 0.84; 'handing': 0.84; 'insecure': 0.84; 'malicious': 0.84; 'trust,': 0.84; 'subject:let': 0.93; 'accounts,': 0.95; 'incredibly': 0.96
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=modelnine.org; s=modelnine1012; t=1370432253; bh=biruJmTMLZaV1T3p0wgwdppjWz6y6BOVU8h0UyLXgpw=; h=Message-ID:Date:From:MIME-Version:To:Subject:References: In-Reply-To:Content-Type:Content-Transfer-Encoding; b=OpTm/1yKeUci/StQlVSpwipINq/+SiBb5YwuKmjK+hDdtKoXSZN+U/TqcCbYQebN2 FQdxdpajemSOvciqTVBiaFO8cvfHvEUFs33DuBnxVdTv6gC37+skvyNkU+ikMTUY1V zo8TY216zQ7rMvLH6S/tpGKJura518+kn5bV9Vuk=
Date: Wed, 05 Jun 2013 13:37:28 +0200
From: Heiko Wundram <modelnine@modelnine.org>
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:22.0) Gecko/20100101 Thunderbird/22.0
MIME-Version: 1.0
To: python-list@python.org
Subject: Re: Apache and suexec issue that wont let me run my python script
References: <20a49aac-3867-481f-96d4-c95a050781ed@googlegroups.com>	<mailman.2656.1370359764.3114.python-list@python.org>	<592c84d8-2e86-4480-b784-c3ccadc8360d@googlegroups.com>	<mailman.2666.1370365761.3114.python-list@python.org>	<06fd6c2e-0979-4d61-b75a-6d9df7c1b624@googlegroups.com>	<mailman.2688.1370383955.3114.python-list@python.org>	<70390d65-5313-46bf-8110-b25f5fc9f76f@googlegroups.com>	<mailman.2706.1370419798.3114.python-list@python.org>	<8d52505a-7252-419b-8b4f-61e5ee56a78a@googlegroups.com>	<mailman.2707.1370421723.3114.python-list@python.org>	<2aef9194-ef36-45db-8c77-9510d3f14ebe@googlegroups.com>	<mailman.2710.1370423500.3114.python-list@python.org>	<c49345c2-7dd8-4b59-9f5c-c4e7ce7a3ea0@googlegroups.com>	<mailman.2721.1370428837.3114.python-list@python.org>	<8df8a9df-dbb9-4f35-a6a3-b45aa32a848b@googlegroups.com>	<mailman.2722.1370430879.3114.python-list@python.org> <1496e27c-7870-48d2-afb0-1bf626e24b5f@googlegroups.com>
In-Reply-To: <1496e27c-7870-48d2-afb0-1bf626e24b5f@googlegroups.com>
Content-Type: text/plain; charset=ISO-8859-7; format=flowed
Content-Transfer-Encoding: 8bit
X-BeenThere: python-list@python.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: General discussion list for the Python programming language <python-list.python.org>
List-Unsubscribe: <http://mail.python.org/mailman/options/python-list>, <mailto:python-list-request@python.org?subject=unsubscribe>
List-Archive: <http://mail.python.org/pipermail/python-list/>
List-Post: <mailto:python-list@python.org>
List-Help: <mailto:python-list-request@python.org?subject=help>
List-Subscribe: <http://mail.python.org/mailman/listinfo/python-list>, <mailto:python-list-request@python.org?subject=subscribe>
Newsgroups: comp.lang.python
Message-ID: <mailman.2723.1370432255.3114.python-list@python.org>
Lines: 24
NNTP-Posting-Host: 2001:888:2000:d::a6
X-Trace: 1370432255 news.xs4all.nl 16000 [2001:888:2000:d::a6]:57739
X-Complaints-To: abuse@xs4all.nl
Xref: csiph.com comp.lang.python:47072

Am 05.06.2013 13:19, schrieb Νικόλαος Κούρας:
> Is there some logging utility i can use next time iam offering root access to someone(if i do it) or perhaps logging a normal's account activity?

Short answer: Not for root, no.

Long answer: as I've already said: root can change file contents, or 
more explicitly _any_ system state, and (s)he can do that at will, and 
as such you can't ever be sure that what any form of logging is telling 
you will be the "truth" in some form or another if you've had a 
malicious root user on your system.

Now: think again why it's such a plain stupid and incredibly bad idea to 
hand out root credentials to people you shouldn't trust, and why people 
(like me) keep telling you that you're naive and a fool to even consider 
handing out root logins.

PS: the same is true for normal logins. You don't know whether some form 
of privilege escalation exists on your system, so even by handing out 
supposedly safe non-root accounts, your installation might get 
compromised due to insecure SUID software or due to privilege escalation 
bugs in the kernel.

-- 
--- Heiko.