Date: Thu, 1 Nov 2001 04:30:41 -0800
From: "Ted Mittelstaedt" <tedm@toybox.placo.com>
To: "Anthony Atkielski" <anthony@atkielski.com>, "FreeBSD Questions" <freebsd-questions@FreeBSD.ORG>
Subject: RE: Tiny starter configuration for FreeBSD
Message-ID: <00ce01c162d1$054242c0$1401a8c0@tedm.placo.com>
In-Reply-To: <009601c162cd$70da3190$0a00000a@atkielski.com>
>-----Original Message-----
>From: owner-freebsd-questions@FreeBSD.ORG
>[mailto:owner-freebsd-questions@FreeBSD.ORG]On Behalf Of Anthony Atkielski
>Sent: Thursday, November 01, 2001 4:05 AM
>To: FreeBSD Questions
>Subject: Re: Tiny starter configuration for FreeBSD
>
>In NT/2000, you can divide administrative responsibility easily and securely
>among any number of users and groups.
>
>> For example we needed a group of people who could
>> restart a name-daemon. One small script, owned by
>> user root and group dnsadmin, permissions 4755: Only
>> people who were in the group dnsadmin could do the task.
>
>But the script that does it must change its userid to accomplish the task,
>because only root can do the deed. Under Windows, you can give permission to do
>the deed to a completely separate userid or group, and this userid or group can
>run scripts under its own identity to complete the task. There is never any
>risk of the script being all-powerful, so even if it were corrupted or turned
>away from its legitimate use, there would be very little risk of system
>compromise.
>
>For example, in Windows, you can give a user(s) or group(s) permission just to
>start a service (daemon), and nothing else. So they can write their own script
>to do this, and the script still won't be able to change passwords or do other
>special stuff, because it will never execute under an identity with any other
>permissions.
>

But, you see, the example Edwin set up here is not what should be done under UNIX either. In the case of having a small group of people that need to stop and start BIND, the proper (in my opinion, of course) way to do it is to use an administration interface such as webmin. Webmin contains its own security mechanism that is much more fine grained than the UNIX system permissions.

BIND is kind of a special case here because the situation where you see a group needing to HUP it all the time or modify its config files is really only found in 1 place - an ISP or a very, very large corporation with its own internal nameservers. In most other daemon programs, they don't need that kind of constant manipulation and the best security policy is to force all requests for restarting services to the REAL root users that are responsible for the entire system. These special cases are why the userID stuff was put into webmin.

Ted Mittelstaedt                      tedm@toybox.placo.com
Author of:                 The FreeBSD Corporate Networker's Guide
Book website:         http://www.freebsd-corp-net-guide.com
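As an added example (not code from this thread or from webmin), here is how the "restart named" delegation under discussion can be written so that the root-privileged part stays tiny: the wrapper is meant to be run through sudo by group dnsadmin rather than installed setuid, and it accepts only a whitelisted action word and a sanity-checked pidfile. The path /usr/local/sbin/namedctl and the pidfile location are assumptions.

```shell
#!/bin/sh
# Hypothetical wrapper for delegating "reload"/"stop" of named to group dnsadmin.
# Run it via a sudoers rule such as
#   %dnsadmin ALL=(root) NOPASSWD: /usr/local/sbin/namedctl
# instead of a setuid-root script: a setuid script carries the full root identity
# into everything it does, so this one trusts nothing from the caller except one
# whitelisted word. (Mode 4755, as quoted above, is also executable by everyone.)

PATH=/bin:/usr/bin:/sbin:/usr/sbin; export PATH
unset IFS ENV BASH_ENV CDPATH
umask 077

PIDFILE=${PIDFILE:-/var/run/named.pid}   # assumed location of named's pidfile

# check_action ACTION: return 0 only for the two permitted actions.
check_action() {
    case "$1" in
        reload|stop) return 0 ;;
        *)           return 1 ;;
    esac
}

# signal_for ACTION: map a permitted action to the signal named(8) expects.
signal_for() {
    case "$1" in
        reload) echo HUP ;;
        stop)   echo TERM ;;
        *)      return 1 ;;
    esac
}

# valid_pid STRING: accept only a plain positive integer, so a tampered pidfile
# cannot turn the kill below into e.g. "kill -s HUP -1" (every process).
valid_pid() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
        0*)          return 1 ;;
        *)           return 0 ;;
    esac
}

main() {
    [ $# -eq 1 ] && check_action "$1" || { echo "usage: $0 reload|stop" >&2; exit 64; }
    pid=$(head -n 1 "$PIDFILE" 2>/dev/null | tr -d '[:space:]')
    valid_pid "$pid" || { echo "bad or missing pid in $PIDFILE" >&2; exit 70; }
    kill -s "$(signal_for "$1")" "$pid"
}

if [ $# -gt 0 ]; then main "$@"; fi
```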