From owner-freebsd-questions@FreeBSD.ORG Fri Jun 2 14:14:43 2006
Date: Fri, 2 Jun 2006 10:14:37 -0400
From: "N.J. Thomas" <njt@ayvali.org>
To: Lawrence Horvath
Cc: freebsd-questions@freebsd.org
Subject: Re: sudoedit, restricting to particular folder
Message-ID: <20060602141437.GE7621@ayvali.org>
References: <20060530212241.GK3413@ayvali.org> <200605301630.45755.kirk@daycos.com> <20060531223706.GA4607@ayvali.org>
User-Agent: Mutt/1.5.9i

* Lawrence Horvath [2006-06-01 22:13:39 -0700]:
> Well, in that case, what can you recommend for editing only zone files
> and being able to run rndc? That is my main goal. I need to lock a
> system so that only "rndc reload", "rndc reconfig" and editing zone
> files is possible by a group of users. Any suggestions? And/or how do
> you do this?

Restricting a group of users to run only "rndc reload" and "rndc
reconfig" via sudo is trivial. sudoers(1) will explain how, and the
sudoers file that comes with sudo is chock full of examples. Off the
top of my head, you would do something like this:

    User_Alias DNSOPS    = user1, user2, user3
    Cmnd_Alias DNSRELOAD = /usr/sbin/rndc reload
    Cmnd_Alias DNSRECONF = /usr/sbin/rndc reconfig

    DNSOPS ALL = DNSRELOAD, DNSRECONF

Don't know if that parses properly, but you get the idea.

As far as editing only zone files, if you know the names of the files
that they need to edit, something like this is sufficient:

    DNSOPS ALL = sudoedit /etc/named.conf
    DNSOPS ALL = sudoedit /etc/rndc.conf
    DNSOPS ALL = sudoedit /var/named/zone1
    DNSOPS ALL = sudoedit /var/named/zone2

However, if your users need to be able to create/modify/rename files
under /var/named (as you mentioned in your OP), then you will need a
properly written wrapper script.

Thomas

-- 
N.J. Thomas
njt@ayvali.org
Etiamsi occiderit me, in ipso sperabo
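The "properly written wrapper script" for the create/rename case, written out as an added example (this is not code from the post, from sudo or from BIND). It assumes zone files live in /var/named, that the script is installed as /usr/local/sbin/zoneedit and granted with a sudoers line of the form `DNSOPS ALL = /usr/local/sbin/zoneedit`, and that named(8) only needs read access (mode 0644) to the files it creates. The whole point of the wrapper is that a user-supplied argument is never used as a path: it is reduced to a bare file name and joined to the zone directory, and a symlink at that location is refused so the operation cannot be redirected elsewhere on the system. Editing the file itself is still left to sudoedit, as the post suggests.

```shell
#!/bin/sh
# zoneedit: hypothetical wrapper for the "create/modify/rename files under
# /var/named" case from the thread. Added example, not code from the post.
# Assumed install path and sudoers entry:
#   DNSOPS ALL = /usr/local/sbin/zoneedit
# Every caller-supplied name is checked to be a bare file name before it is
# joined to ZONEDIR, so the script cannot be steered outside that directory;
# editing the resulting file is still done with sudoedit, as in the post.
set -eu
umask 022

ZONEDIR="${ZONEDIR:-/var/named}"   # assumption: zone files live here

# valid_name NAME: 0 if NAME is a plain file name safe to join to ZONEDIR
valid_name() {
    case "$1" in
        ''|*/*|.*|-*) return 1 ;;        # empty, path separator, dotfile (incl. . and ..), option-like
        *[!A-Za-z0-9._-]*) return 1 ;;   # anything outside a conservative character set
    esac
    return 0
}

# zone_path NAME: prints ZONEDIR/NAME; refuses symlinks so a planted link
# cannot redirect the operation to a file elsewhere on the system
zone_path() {
    valid_name "$1" || { echo "zoneedit: bad zone name: $1" >&2; return 1; }
    p="$ZONEDIR/$1"
    if [ -L "$p" ]; then
        echo "zoneedit: refusing symlink: $p" >&2
        return 1
    fi
    printf '%s\n' "$p"
}

# zone_create NAME: new empty zone file; never clobbers an existing one
zone_create() {
    p=$(zone_path "$1") || return 1
    if [ -e "$p" ]; then
        echo "zoneedit: already exists: $p" >&2
        return 1
    fi
    : > "$p"
    chmod 0644 "$p"    # assumption: named(8) only needs to read the file
}

# zone_rename OLD NEW: both names validated; target must not already exist
zone_rename() {
    old=$(zone_path "$1") || return 1
    new=$(zone_path "$2") || return 1
    [ -f "$old" ] || { echo "zoneedit: no such zone: $old" >&2; return 1; }
    [ ! -e "$new" ] || { echo "zoneedit: already exists: $new" >&2; return 1; }
    mv -- "$old" "$new"
}

usage() {
    echo "usage: zoneedit create NAME | rename OLD NEW" >&2
    exit 64
}

# Dispatch only when invoked with arguments, so the functions above can
# also be exercised by sourcing the file
if [ $# -gt 0 ]; then
    case "$1" in
        create) [ $# -eq 2 ] || usage; zone_create "$2" ;;
        rename) [ $# -eq 3 ] || usage; zone_rename "$2" "$3" ;;
        *)      usage ;;
    esac
fi
```

Two design notes. First, the name check is a whitelist (letters, digits, dot, underscore, dash, no leading dot or dash) rather than a blacklist of ".." and "/", which is why `../outside`, `-rf`, an empty string and names containing whitespace or shell metacharacters are all rejected by the same two patterns. Second, the symlink test in `zone_path` only closes the window if /var/named is not writable by the operators themselves; if only root can write there, nobody but root can plant a link between the check and the `mv`, and the check is belt-and-braces. After a rename, the users still reload the server through the separate `rndc reload` entry from the sudoers snippet above.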