Set up per-user root logging on nixos hosts #303

New Issue

Open

opened 2026-01-22 05:56:39 +01:00 by oysteikt · 3 comments

oysteikt commented 2026-01-22 05:56:39 +01:00

Owner

Copy Link

On most of the salt-registered hosts, we have the following script in the global bashrc:

umask 022

if [ ! -z "$PS1" ] ; then

	# LOGNAME skal være sett være satt til brukeren som har blitt root.
	# Vi prøver først å bruke kommandoen "logname", denne vil gi riktig
	# resultat dersom vi har brukt "su" for å bli root.
	if [ "$LOGNAME" = "root" -o -z "$LOGNAME" ]; then
		export LOGNAME=$(logname)
	fi

	# Dersom vi fortsatt ikke vet hvilken bruker som er blitt root, 
	# så får vi vel bare spørre da.
	while [ "$LOGNAME" = "root" -o -z "$LOGNAME" ]; do
		echo -n "LOGNAME er '$LOGNAME' (ikke fornuftig), hvem er du? " > /dev/stderr
		read ln
		export LOGNAME=$ln
	done

	# Skal ikke være miljøvariabler.
	HISTFILE=~/.bash_history.$LOGNAME
	HISTFILESIZE=1000
	HISTSIZE=1000
	unset MAILCHECK

	# Default prompt
	PS1='\h:\w\$ '

	# La brukere ha sin egen bashrc om de vil
	[ -f $HOME/.bashrc.$LOGNAME ] && . $HOME/.bashrc.$LOGNAME

fi

Maybe we should consider doing the same on the nixos hosts?

On most of the salt-registered hosts, we have the following script in the global `bashrc`: ```bash umask 022 if [ ! -z "$PS1" ] ; then # LOGNAME skal være sett være satt til brukeren som har blitt root. # Vi prøver først å bruke kommandoen "logname", denne vil gi riktig # resultat dersom vi har brukt "su" for å bli root. if [ "$LOGNAME" = "root" -o -z "$LOGNAME" ]; then export LOGNAME=$(logname) fi # Dersom vi fortsatt ikke vet hvilken bruker som er blitt root, # så får vi vel bare spørre da. while [ "$LOGNAME" = "root" -o -z "$LOGNAME" ]; do echo -n "LOGNAME er '$LOGNAME' (ikke fornuftig), hvem er du? " > /dev/stderr read ln export LOGNAME=$ln done # Skal ikke være miljøvariabler. HISTFILE=~/.bash_history.$LOGNAME HISTFILESIZE=1000 HISTSIZE=1000 unset MAILCHECK # Default prompt PS1='\h:\w\$ ' # La brukere ha sin egen bashrc om de vil [ -f $HOME/.bashrc.$LOGNAME ] && . $HOME/.bashrc.$LOGNAME fi ``` Maybe we should consider doing the same on the nixos hosts?

👎 1

oysteikt added the good first issuesecuritynixos labels 2026-01-22 05:56:39 +01:00

oysteikt added this to the Kanban project 2026-01-22 05:56:39 +01:00

oysteikt referenced this issue 2026-01-22 05:59:34 +01:00

Improve per-user root logging, allow setting username with envvar on login #304

oysteikt moved this to Medium priority in Kanban on 2026-01-22 06:14:08 +01:00

danio added the disputed label 2026-01-22 08:06:24 +01:00

felixalb commented 2026-01-22 13:05:06 +01:00

Owner

Copy Link

Logging who did what might be cool, but I think we should coordinate it with #138, and use something like auditd rather than a hacky script setting LOGNAME. Getting prompted with the question is also a bit annoying.

Also, we should keep in mind that this is not useful not to uncover malicious admin activity, as we still allow users to log in directly as root, bypassing the userlogin + privesc flow that a bashrc or auditd could pick up. If the point is troubleshooting other problems/accidents, how useful is knowing whodunit?

Logging who did what might be cool, but I think we should coordinate it with https://git.pvv.ntnu.no/Drift/issues/issues/138, and use something like `auditd` rather than a hacky script setting LOGNAME. Getting prompted with the question is also a bit annoying. Also, we should keep in mind that this is not useful not to uncover malicious admin activity, as we still allow users to log in directly as root, bypassing the userlogin + privesc flow that a bashrc or auditd could pick up. If the point is troubleshooting other problems/accidents, how useful is knowing whodunit?

felixalb commented 2026-01-22 13:07:25 +01:00

Owner

Copy Link

However, having your own .bash_history to not get other peoples histories messing up your autocomplete is cool, but you can implement that yourself without the need for this system everywhere

However, having your own .bash_history to not get other peoples histories messing up your autocomplete is cool, but you can implement that yourself without the need for this system everywhere

oysteikt commented 2026-01-22 13:40:30 +01:00

Author

Owner

Copy Link

Getting prompted with the question is also a bit annoying

See #304

> Getting prompted with the question is also a bit annoying See #304

Sign in to join this conversation.

No Branch/Tag Specified

Branches Tags

main

No results found.

Labels

Clear labels

dns

Involves modifications to dvask

exploration

See the galaxy!

gitea

mail

epost nord

new stuff

Adds a new service / new functionality

openstack

NUTN OpenStack, more like closed stack

services

Everything regarding selfhosted services

software

Everything regarding homebrewn software

art

The issue needs someone to be creative

backup

big

No, not bug, **big** - this is gonna take a while

blocked

This issue/PR depends on one or more other issues/PRs

bug

Something is not working, and it's not the shield hero

crash report

Report an oopsie

disputed

kranglefanter

documentation

Documentation changes required

duplicate

This issue or pull request already exists

enhancement

New feature

good first issue

Get your hands dirty with a new project here

logging

networking

TTM4100

nixos

Requires changes to our nixos setup

question

More information is needed

salt

Requires changes to our salt setup

security

Skommel

servers n' hardware

Regards hardware, servers or VMs

wontfix

This won't be fixed

No Label disputed good first issue nixos security

Milestone

No items

No Milestone

Projects

Clear projects

No project Kanban

Assignees

Clear assignees

adriangl albertba alfhj bjornoka chrisfjo chrivi danio davidk dungby eirikwit felixalb frero jonmro jovre karolds knuta krisleri larshhan olived oysteikt pederbs root torsteno vegardbm yorinad

No Assignees

2 Participants

Notifications

Subscribe

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: Drift/issues#303