Message-ID: <3A79E224.51068730@i-clue.de>
Date: Thu, 01 Feb 2001 23:24:36 +0100
From: Christoph Sold
Reply-To: so@server.i-clue.de
To: Micke Josefsson
Cc: freebsd-questions@FreeBSD.ORG
Subject: Re: About delegating account creation

Micke Josefsson wrote:
>
> I am root on a server. And as such I can create new accounts. Now if I am away can
> I delegate account creation to someone else without also giving him/her the
> means of creating havoc with the system?
>
> Would it be enough to include this person into, say, the wheel group? (as the pw
> and vipw commands are owned by root:wheel). Can I do chmod 660 on
> /etc/master.passwd or is that a bad thing?
>
> How does one do this 'in real life'?

How about /usr/ports/security/sudo? This way, you may delegate root rights for a single command to any user or group. I'd delegate adduser to somebody trusted.

Anyhow, if you can use adduser, you can create another root account for you, so why not trust her with a root password?

HTH
-Christoph Sold
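
Added example (not part of the original message): one way to narrow the delegation discussed above is to give the delegate sudo rights on a small wrapper instead of adduser itself, so that UID, extra groups, home directory and shell can never be chosen by the caller. The wrapper path /usr/local/sbin/mkuser, the user alice, the 16-character login limit and the privileged-group list are assumptions made for illustration.

```sh
#!/bin/sh
# Hypothetical wrapper /usr/local/sbin/mkuser, intended to be the only
# command the delegate may run through sudo, e.g. with the sudoers line
#   alice ALL = (root) /usr/local/sbin/mkuser
# (alice and the path are assumptions, not taken from the thread).
LC_ALL=C; export LC_ALL      # make [a-z] mean ASCII lower case only

# Groups that carry administrative power; never assignable here (assumed list).
PRIV_GROUPS="wheel operator"

# valid_name NAME: lower-case letter first, then a-z 0-9 _ -, at most 16 chars.
# Rejects empty names, spaces and anything starting with '-' (option smuggling).
valid_name() {
    case $1 in
        ''|[!a-z]*|*[!a-z0-9_-]*) return 1 ;;
    esac
    if [ "${#1}" -gt 16 ]; then return 1; fi
    return 0
}

# check_request LOGIN GROUP: return 0 only if the request is safe to execute.
check_request() {
    valid_name "$1" || return 1
    valid_name "$2" || return 1
    for g in $PRIV_GROUPS; do
        if [ "$2" = "$g" ]; then return 1; fi
    done
    return 0
}

# create_user LOGIN GROUP: validate, then call pw with a fixed option set.
# No -u, -G, -d or -s value ever comes from the caller, so UID 0, secondary
# groups and unusual shells cannot be requested through this path.
# PW can be overridden (e.g. PW=echo) for a dry run.
create_user() {
    if ! check_request "$1" "$2"; then
        echo "mkuser: request refused" >&2
        return 1
    fi
    ${PW:-pw} useradd "$1" -g "$2" -m -s /bin/sh
}

# Act only when called with exactly two arguments: LOGIN GROUP.
if [ "$#" -eq 2 ]; then
    create_user "$1" "$2"
fi
```

The wrapper must be owned by root and not writable by the delegate, otherwise the sudo rule again amounts to full root access.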