Date: Fri, 2 Jun 2006 10:14:37 -0400
From: "N.J. Thomas" <njt@ayvali.org>
To: Lawrence Horvath <lordsporkton@gmail.com>
Cc: freebsd-questions@freebsd.org
Subject: Re: sudoedit, restricting to particular folder
Message-ID: <20060602141437.GE7621@ayvali.org>
In-Reply-To: <a1bf75ae0606012213x1f008b85mcceec8d8fc76413a@mail.gmail.com>
References: <a1bf75ae0605301346h1b5f8b35g27e8a8391d8974cb@mail.gmail.com>
 <20060530212241.GK3413@ayvali.org>
 <200605301630.45755.kirk@daycos.com>
 <20060531223706.GA4607@ayvali.org>
 <a1bf75ae0606012213x1f008b85mcceec8d8fc76413a@mail.gmail.com>

* Lawrence Horvath <lordsporkton@gmail.com> [2006-06-01 22:13:39 -0700]:
> Well, in that case, what can you recommend for editing only zone files
> and being able to run rndc? That is my main goal. I need to lock a
> system so that only "rndc reload", "rndc reconfig" and editing zone
> files is possible by a group of users. Any suggestions? And/or how do
> you do this?

Restricting a group of users to run only "rndc reload" and "rndc
reconfig" via sudo is trivial. sudoers(1) will explain how, and
the sudoers file that comes with sudo is chock full of examples.

Off the top of my head, you would do something like this:

    User_Alias DNSOPS = user1, user2, user3
    Cmnd_Alias DNSRELOAD = /usr/sbin/rndc reload
    Cmnd_Alias DNSRECONF = /usr/sbin/rndc reconfig
    DNSOPS ALL = DNSRELOAD, DNSRECONF

Don't know if that parses properly, but you get the idea.

As far as editing only zone files, if you know the names of the files
that they need to edit, something like this is sufficient:

    DNSOPS ALL = sudoedit /etc/named.conf
    DNSOPS ALL = sudoedit /etc/rndc.conf
    DNSOPS ALL = sudoedit /var/named/zone1
    DNSOPS ALL = sudoedit /var/named/zone2

However, if your users need to be able to create/modify/rename files
under /var/named (as you mentioned in your OP), then you will need a
properly written wrapper script.

Thomas
--
N.J. Thomas
njt@ayvali.org
Etiamsi occiderit me, in ipso sperabo
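
Added example, not part of the message above or of the original thread: the kind of "properly written wrapper script" the reply says is needed once users must create or change files under /var/named, here a POSIX sh script (zoneedit, a hypothetical name) that validates the zone file name, lets the caller edit a copy as themselves, checks the result with named-checkzone and only then installs and reloads it. The /var/named directory, the /usr/sbin tool locations and the sudoers rule in the comment are assumptions, not settings from the thread.

```shell
#!/bin/sh
# zoneedit: hypothetical wrapper for editing zone files under /var/named,
# intended to be the only command the DNSOPS group may run through sudo:
#   DNSOPS ALL = /usr/local/sbin/zoneedit
# Assumed (not from the original message): zone files live in $ZONEDIR and
# BIND's named-checkzone and rndc are in /usr/sbin.
ZONEDIR="${ZONEDIR:-/var/named}"

# Accept only a bare file name: letters, digits, dots, hyphens, underscores,
# not starting with a dot. This rejects "", "/", "..", whitespace and shell
# metacharacters, so the result can never leave $ZONEDIR. (A sudoers rule
# like "sudoedit /var/named/*" gives no such guarantee: a "*" in a command
# argument also matches "/", so a name containing ".." could match as well.)
valid_zone_name() {
    case "$1" in
        ''|.*|*[!A-Za-z0-9._-]*) return 1 ;;
    esac
    return 0
}

# Print the full path of a zone file, or fail if the name is unacceptable.
zone_path() {
    valid_zone_name "$1" || return 1
    printf '%s/%s\n' "$ZONEDIR" "$1"
}

# The edit itself: copy the zone to a temp file owned by the caller, let the
# caller edit it as themselves (an editor shell escape then yields their own
# shell, not root's), check the result, and only then install and reload.
edit_zone() {
    origin="$1"; file="$2"
    path=$(zone_path "$file") || { echo "zoneedit: bad zone name: $file" >&2; return 1; }
    tmp=$(mktemp /tmp/zoneedit.XXXXXX) || return 1
    if [ -f "$path" ]; then cp "$path" "$tmp"; fi
    chown "${SUDO_UID:-0}:${SUDO_GID:-0}" "$tmp"
    su -m "${SUDO_USER:-root}" -c "vi $tmp" || { rm -f "$tmp"; return 1; }
    if /usr/sbin/named-checkzone -q "$origin" "$tmp"; then
        install -m 0644 "$tmp" "$path" && /usr/sbin/rndc reload "$origin"
    else
        echo "zoneedit: $tmp fails named-checkzone; $path left unchanged" >&2
        rm -f "$tmp"; return 1
    fi
    rm -f "$tmp"
}

# Typical invocation:  sudo zoneedit example.com example.com.db
if [ $# -eq 2 ]; then
    edit_zone "$1" "$2"
fi
```

Because the user only ever edits a private copy as themselves and the install step runs after named-checkzone succeeds, a broken or hostile edit can neither land in /var/named nor give the user a root shell through the editor.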
