From owner-freebsd-questions Mon Jul 19 4:49:41 1999
Delivered-To: freebsd-questions@freebsd.org
Received: from pasha.anand.org (pasha.anand.org [199.103.176.41])
        by hub.freebsd.org (Postfix) with SMTP id D093715106
        for ; Mon, 19 Jul 1999 04:49:18 -0700 (PDT)
        (envelope-from arb@anand.org)
Received: (qmail 7307 invoked by uid 1001); 19 Jul 1999 11:49:15 -0000
Date: Mon, 19 Jul 1999 14:49:15 +0300
From: Anand Buddhdev
To: Vincent Poy
Cc: "T. William Wells", freebsd-questions@FreeBSD.ORG
Subject: Re: how to watch the root user?
Message-ID: <19990719144915.C7188@africaonline.co.ke>
References: <7muo54$reg$1@twwells.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 0.95.5i
In-Reply-To: ; from Vincent Poy on Mon, Jul 19, 1999 at 01:47:35AM -0700
Organisation: Africa Online Ltd, P O Box 63017, Nairobi, Kenya
X-Phone: +254-2-243775
X-WWW-Homepage: http://www.anand.org
X-Duties: SysAdmin, Hostmaster, Postmaster, Programmer, Support
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

On Mon, Jul 19, 1999 at 01:47:35AM -0700, Vincent Poy wrote:

I manage our ISP's Solaris boxes, and I love sudo. I've written a little
perl menu that allows customer service staff to change passwords,
add/remove forwarding etc. They run this with sudo, and I'm happy. They
get root access, but only to do certain things.

> Yes, the problem is that one of our new customers is doing a
> virtual ISP at our location and from the old ISP which runs BSDI. It
> seems like they have a telnet account that will only go into a menu, all
> they can do is do adduser, rmuser and passwd on a certain user. I can do
> the shell script for the menus and stuff but I'm just trying to figure out
> how to give their sales associates access to do only those commands with
> root privileges and not others.

This can be easily done in 2 ways:

1. Write a suid perl script to give them those functions and make this
   script the customer's login shell.

2. Write the script non-setuid, but run it from sudo. To make it look
   automated, stick the sudo invocation in the customer's .profile or
   .login

-- 
See complete headers for more info
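
A sketch of the menu script that option 2 runs through sudo, as an added example that is not part of the original message. The script path, the "sales" group, the protected-account list and the use of "pw useradd" as a non-interactive stand-in for adduser are all assumptions; the point is that the script, not the caller, decides which commands and which account names are reachable as root.

```shell
#!/bin/sh
# Restricted account menu, meant to be started as root through sudo.
# Assumed sudoers entry (group and path are hypothetical):
#   %sales ALL = (root) /usr/local/sbin/custmenu menu

# Accounts the menu must never touch (constructed list; extend per site).
PROTECTED="root toor daemon operator bin nobody"

# Return 0 only for a plain lowercase login name that is not protected.
valid_customer_name() {
    case "$1" in
        ''|*[!a-z0-9_-]*) return 1 ;;   # empty, or characters outside the set
        [!a-z]*) return 1 ;;            # must start with a letter (no "-flag")
    esac
    [ "${#1}" -le 16 ] || return 1
    for p in $PROTECTED; do
        [ "$1" = "$p" ] && return 1
    done
    return 0
}

# Print the one fixed command for an action, or fail. No other command,
# option or path can be produced from the caller's input.
command_for() {
    valid_customer_name "$2" || return 1
    case "$1" in
        add)    echo "/usr/sbin/pw useradd $2 -m" ;;
        remove) echo "/usr/sbin/rmuser $2" ;;
        passwd) echo "/usr/bin/passwd $2" ;;
        *)      return 1 ;;
    esac
}

# Interactive loop, entered only when called as "custmenu menu".
if [ "${1:-}" = menu ]; then
    PATH=/sbin:/bin:/usr/sbin:/usr/bin; export PATH   # ignore caller's PATH
    trap '' INT QUIT TSTP                             # no interrupt or suspend
    while printf 'add/remove/passwd/quit> ' && read -r action name; do
        [ "$action" = quit ] && break
        if cmd=$(command_for "$action" "$name"); then
            logger -t custmenu "${SUDO_USER:-unknown}: $cmd"
            $cmd            # splitting is safe: name holds only [a-z0-9_-]
        else
            echo "refused"
        fi
    done
fi
```

Each accepted action is logged with the invoking user's name from SUDO_USER, which gives the audit trail the thread's subject asks about.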