From: Jerry McAllister
To: subbu ramanN
Cc: questions@freebsd.org
Date: Thu, 22 Feb 2007 12:02:14 -0500
Subject: Re: Reg, User rights

> Dear Team,
> This is subburaman from Bangalore, India. I have installed
> the FreeBSD 6.2. Now I want to create a new User with Administrator
> rights. Please give me the guidelines for me.

You can do one of four things.

Create a user as per normal. Then, also add that userid to the wheel
group. (Don't make wheel the user's primary group.
Use a regular group for that. Just add their id in the /etc/group file
to wheel.) Then the user can log in to their regular account and if they
need to do system level stuff, they would 'su' to a root account and do
the operation. That would mean giving that user the password to a root
account - either the main one or an additional one you make up.

Create an additional root account for the user. For example, if the
user has a regular id of fred, you might also create an Rfred. Make the
UID and GID for that account each be '0'. You will want to make the home
directory for that user be in the /root directory, for example, for a
user Rfred, make the home directory /root/Rfred. Also put this id in the
wheel group in /etc/group. I have run into some routines that expect
this even if the primary group is '0'. Set the password for that account
and tell the user. One difficulty is that without loosening up access
rules, the user will not be able to ssh in to the box with that account.
So, make sure their regular account (fred) is also in the wheel group in
/etc/group. Then the user would initially log in as the regular user and
su to the root account (su Rfred) as in the previous method.

Install and set up sudo (/usr/ports/security/sudo) and create a
configuration for that user so they can run specific commands that you
specify and only those commands. This is a very good method, but
sometimes it takes some careful thought to deal with the various
commands and their possible arguments that you want to allow or
disallow.

Install a system management tool such as webmin
(/usr/ports/sysutils/webmin) and configure it so the user can perform
certain admin tasks. This is nice because it is web based and so it
gives a nice GUI feel to it all.

Overall, probably the third option (using sudo) is the best, especially
if you are not completely trusting of the user you are giving privileges
to.
If it is yourself and no one else, then the first method is probably
best because it is simplest and most powerful. If you really like GUI
interfaces and are willing to accept their limitations, then the fourth
one is best. The limitations consist of being dependent on only being
able to do those things some developer already thought of doing and only
in the ways that developer already thought of. Sort of like being stuck
in an MS theme park.

The second option is good for when you have a small number of users (max
three or four) besides yourself, who are competent and absolutely
trusted. It is as powerful as the first one, but lets you keep multiple
root users somewhat separated.

Note, when you create additional root users, e.g. users with a UID of
'0', you must explicitly name their id on the passwd(1) command or else
it will change the password for the main root id - or for the first root
id it encounters in the /etc/passwd file. Note also, leave the real root
as the first in the /etc/passwd file.

////jerry

>
> Thanks with regards
>
> Subburaman N
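
The two notes in the reply about extra UID-0 accounts (keep the real root first in /etc/passwd, and list each extra root id in wheel) can be checked mechanically. The script below is an added example, not part of the original mail; the function names and the sample accounts are constructed, and the input files are assumed to follow the passwd(5) and group(5) formats.

```shell
#!/bin/sh
# Added example: audit UID-0 accounts and wheel membership in files that
# follow the passwd(5) and group(5) formats. Sample data is constructed.

# Print login names whose UID is 0, in file order (comment lines skipped).
uid0_accounts() {
    awk -F: '!/^#/ && $3 == 0 { print $1 }' "$1"
}

# Succeed if user $2 is a listed member on the wheel line of group file $1.
in_wheel() {
    awk -F: -v u="$2" '$1 == "wheel" { n = split($4, m, ",")
        for (i = 1; i <= n; i++) if (m[i] == u) found = 1 }
        END { exit !found }' "$1"
}

# audit PASSWD GROUP: print one finding per line; return 1 on any WARN.
audit() {
    rc=0
    first=$(uid0_accounts "$1" | head -n 1)
    if [ "$first" != "root" ]; then
        echo "WARN first UID-0 entry is '$first', not root"; rc=1
    fi
    for u in $(uid0_accounts "$1"); do
        [ "$u" = "root" ] && continue
        echo "INFO extra UID-0 account: $u"
        if ! in_wheel "$2" "$u"; then
            echo "WARN $u has UID 0 but is not in wheel"; rc=1
        fi
    done
    return $rc
}

# Constructed sample: Rfred is listed before root and is missing from wheel.
demo() {
    d=$(mktemp -d) || return 2
    printf '%s\n' '# constructed sample' \
        'Rfred:*:0:0:Fred as root:/root/Rfred:/bin/csh' \
        'root:*:0:0:Charlie &:/root:/bin/csh' \
        'fred:*:1001:1001:Fred:/home/fred:/bin/sh' > "$d/passwd"
    printf '%s\n' 'wheel:*:0:root,fred' 'fred:*:1001:' > "$d/group"
    audit "$d/passwd" "$d/group"; rc=$?
    rm -rf "$d"
    return $rc
}

demo || true
```

To audit a live system, call `audit /etc/passwd /etc/group`; every UID-0 account other than root is reported, so each one can be matched against the admins it was created for.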