Open Bug 320177 Opened 19 years ago Updated 10 years ago

Impersonated (sudo) updates should be logged

Categories: Bugzilla :: Administration, task
Version: 2.21
Type: task
Priority: Not set
Severity: normal
People: Reporter: kbenton, Unassigned
References: Depends on 1 open bug
Details: Whiteboard: [wanted-bmo]

Bug 204498 introduces the ability to impersonate others in the database; however, no mechanism was implemented to log that a person was being impersonated. The UI should not allow a malicious administrator to frame another user without leaving evidence behind of what was done. We can't stop admins from hacking the DB manually, but we sure can do a lot to make it harder for them to hack with malicious intent from the UI.

While this is being done, making impersonation a param that can only be turned on from the localconfig parameters seems to be a wise idea. That way, only those with shell access to the system can turn impersonation on.
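The point of the report above is that an activity record written during a sudo session must carry both identities: the account the change is attributed to and the real login behind it, so that nobody can be framed by an impersonator. The following is an added example written for this page, not Bugzilla's own code; the `Session`, `ActivityEntry` and `ActivityLog` names and the `who`/`sudoer` fields are assumptions, and the bug numbers and logins are constructed sample data.

```python
"""Added example: an activity log that records both the impersonated
account and the real login behind a sudo session (illustrative code,
not Bugzilla's own; all names are assumptions for this example)."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Session:
    """Who the UI is acting as, and who is really logged in.

    `sudoer` is None for an ordinary session; in a sudo session it holds
    the administrator's own login while `user` is the impersonated account.
    """
    user: str
    sudoer: Optional[str] = None


@dataclass(frozen=True)
class ActivityEntry:
    bug_id: int
    who: str               # account the change is attributed to
    sudoer: Optional[str]  # real login if the change was made via sudo
    fieldname: str
    removed: str
    added: str

    def line(self) -> str:
        """Render one history line; impersonated changes name both logins."""
        actor = self.who if self.sudoer is None else f"{self.sudoer} (as {self.who})"
        return f"bug {self.bug_id}: {actor} changed {self.fieldname}: {self.removed!r} -> {self.added!r}"


class ActivityLog:
    def __init__(self) -> None:
        self.entries: List[ActivityEntry] = []

    def record(self, session: Session, bug_id: int, fieldname: str,
               removed: str, added: str) -> ActivityEntry:
        # The real login is taken from the session, never from the caller,
        # so a change made while impersonating cannot be stored without it.
        entry = ActivityEntry(bug_id, session.user, session.sudoer, fieldname, removed, added)
        self.entries.append(entry)
        return entry

    def impersonated(self) -> List[ActivityEntry]:
        """All changes made during a sudo session."""
        return [e for e in self.entries if e.sudoer is not None]

    def made_by(self, login: str) -> List[ActivityEntry]:
        """Every change `login` actually performed, directly or via sudo."""
        return [e for e in self.entries if (e.sudoer or e.who) == login]

    def blamed_on(self, login: str) -> List[ActivityEntry]:
        """Changes attributed to `login` that somebody else made via sudo."""
        return [e for e in self.entries if e.who == login and e.sudoer not in (None, login)]


def demo() -> ActivityLog:
    """Constructed scenario: admin 'alice' resolves bug 101 while sudoed as 'bob'."""
    log = ActivityLog()
    log.record(Session("bob"), 101, "bug_status", "NEW", "ASSIGNED")
    log.record(Session("bob", sudoer="alice"), 101, "bug_status", "ASSIGNED", "RESOLVED")
    log.record(Session("alice"), 102, "priority", "P3", "P1")
    return log


if __name__ == "__main__":
    for entry in demo().entries:
        print(entry.line())
```

With the sudoer stored as its own column rather than folded into the `who` field, the history for bug 101 still reads as bob's, but `made_by("alice")` and `blamed_on("bob")` recover who really resolved it; a log that stored only `who` could not answer either question.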
You report two things here:

- logging sudoers;
- having a param in localconfig to turn sudo sessions on or off.

I don't like the idea of this param in localconfig. I prefer a parameter accessible from editparams.cgi.

But I fully agree about logging sudoers.
OS: Windows XP → All
Hardware: PC → All
(In reply to comment #1)
><<<snip>>>
> But I fully agree about logging sudoers.
> 

In that case, let us leave this bug as is with its current title, so this bug can be used to track the implementation of logging of actions performed during a sudo session.  I should note that most of the places where logging can be inserted are already noted in the code.
No longer blocks: 204498
Blocks: 338200
Blocks: 142736
Summary: Impersonated updates should be logged. → Impersonated (sudo) updates should be logged
Whiteboard: [wanted-bmo]
Severity: normal → enhancement
Depends on: 328904
Target Milestone: --- → Bugzilla 4.4
Too late for 4.4. We already released rc1.
Target Milestone: Bugzilla 4.4 → ---
Target Milestone: --- → Bugzilla 5.0
Target Milestone: Bugzilla 5.0 → ---