From owner-freebsd-questions@FreeBSD.ORG Sun Jun 4 05:52:00 2006
From: "Lawrence Horvath"
To: "N.J. Thomas", freebsd-questions@freebsd.org
Date: Sat, 3 Jun 2006 22:51:53 -0700
Subject: Re: sudoedit, restricting to particular folder
In-Reply-To: <20060602141437.GE7621@ayvali.org>

Well, the problem with that would be that we are editing about 4000 zone
files (that includes forwards and reverses), so an entry for each zone
wouldn't do; that is why I was hoping to make it effective on a whole
folder, not just one file or two. I was considering a folder permissions
solution; that seems like it would work well, I think. Then I could use
sudo to restrict to only rndc and let them have group write access on the
zones folder. I think that would be better than sudoedit.

On 6/2/06, N.J. Thomas wrote:
> * Lawrence Horvath [2006-06-01 22:13:39 -0700]:
> > Well, in that case, what can you recommend for editing only zone files
> > and being able to run rndc? That is my main goal: I need to lock a
> > system so that only "rndc reload", "rndc reconfig" and editing zone
> > files is possible by a group of users. Any suggestions? And/or how do
> > you do this?
>
> Restricting a group of users to run only "rndc reload" and "rndc
> reconfig" via sudo is trivial. sudoers(1) will explain how, and
> the sudoers file that comes with sudo is chock full of examples.
>
> Off the top of my head, you would do something like this:
>
> User_Alias DNSOPS = user1, user2, user3
> Cmnd_Alias DNSRELOAD = /usr/sbin/rndc reload
> Cmnd_Alias DNSRECONF = /usr/sbin/rndc reconfig
> DNSOPS ALL = DNSRELOAD, DNSRECONF
>
> Don't know if that parses properly, but you get the idea.
>
> As far as editing only zone files, if you know the names of the files
> that they need to edit, something like this is sufficient:
>
> DNSOPS ALL = sudoedit /etc/named.conf
> DNSOPS ALL = sudoedit /etc/rndc.conf
> DNSOPS ALL = sudoedit /var/named/zone1
> DNSOPS ALL = sudoedit /var/named/zone2
>
> However, if your users need to be able to create/modify/rename files
> under /var/named (as you mentioned in your OP), then you will need a
> properly written wrapper script.
>
> Thomas
>
> --
> N.J. Thomas
> njt@ayvali.org
> Etiamsi occiderit me, in ipso sperabo

--
-Lawrence
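The setup Lawrence proposes above (sudo limited to the two rndc commands, group write access on the zone directory), as an added shell example that is not from the thread; the group name dnsops, the setgid mode 2775 and the use of ls to read back ownership are assumptions:

```shell
#!/bin/sh
# Added example, not from the thread. Group name "dnsops", the setgid mode
# and the use of ls/awk to read back ownership are assumptions.

# Sudoers fragment: members of the Unix group dnsops may run exactly
# "rndc reload" and "rndc reconfig" as root, nothing else. sudo matches the
# full command line, so "rndc reload" with extra arguments is not allowed.
dnsops_sudoers() {
    cat <<'EOF'
Cmnd_Alias DNSRELOAD = /usr/sbin/rndc reload
Cmnd_Alias DNSRECONF = /usr/sbin/rndc reconfig
%dnsops ALL = (root) DNSRELOAD, DNSRECONF
EOF
}

# Zone directory: group-owned, group-writable and setgid (mode 2775) so that
# files the operators create inherit the group instead of their primary group.
# Keep only zone files here: group write on the directory also lets members
# rename or delete any file in it, so named.conf and rndc.conf stay elsewhere.
# Prints the resulting mode string, e.g. drwxrwsr-x.
setup_zone_dir() {
    dir=$1; grp=$2
    mkdir -p "$dir" && chgrp "$grp" "$dir" && chmod 2775 "$dir" || return 1
    ls -ld "$dir" | cut -c1-10
}

# Create an empty zone file inside the directory and print the group it got;
# with the setgid bit set this should be the directory's group.
new_zone_file() {
    : > "$1" || return 1
    ls -ld "$1" | awk '{ print $4 }'
}

# Usage when run directly with "demo": stage in a temporary directory,
# using the caller's own primary group in place of dnsops.
if [ "${1:-}" = "demo" ]; then
    tmp=$(mktemp -d)
    dnsops_sudoers
    setup_zone_dir "$tmp/zones" "$(id -gn)"
    new_zone_file "$tmp/zones/example.com.db"
    rm -rf "$tmp"
fi
```

Check the fragment with `visudo -c -f <file>` before installing it; the directory step must be run by root or by the directory's owner, who must also belong to the target group.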