From: Václav Zeman
Date: Sat, 28 Apr 2012 11:12:31 +0200
To: freebsd-stable@freebsd.org
Subject: Re: Restricting users from certain privileges
Message-ID: <4F9BB47F.9060803@gmail.com>

On 04/28/2012 09:50 AM, Zenny wrote:
> On Sat, Apr 28, 2012 at 9:38 AM, Daniel Braniss wrote:
>
>>> Hi:
>>>
>>> I could not figure out how to restrict users or other users from certain
>>> privileges to execute certain commands in FreeBSD/NanoBSD?
>>>
>>> What I meant is I want to create a NanoBSD image in which there will be an
>>> additional user, say 'admin'. I need to give this new user (admin) some
>>> privileges to run some root-can-only-execute commands, but not all (ACL
>>> similar to the firmwares in adsl modems from ISPs).
>>>
>>> I read Dru Lavigne's 'BSD Hacks' and Joseph Kong's 'Designing BSD
>>> Rootkits' besides FreeBSD handbook, but I simply could not figure out.
>>> Could anyone throw some light on this? Appreciate it!
>>>
>>> Thanks!
>>>
>>> /zenny
>> try sudo from ports, security/sudo
>>
>> cheers,
>> danny
>>
>>
> Thanks Daniel, but sudo gives all (not selective) root privileges to the
> user (admin in my case). So this is not what I am trying to achieve in my
> original post.

If sudo does not work then what about using ACLs?

$ chmod og-rwx /bin/dangerous
$ setfacl -m "user:admin:rx" /bin/dangerous

-- 
VZ
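
A check for the ACL approach suggested in the message above, as an added example that is not part of the original thread: it reads `getfacl`-style text and reports whether a given user ends up with execute permission, applying the mask entry the way POSIX.1e ACLs do. The function names `acl_user_can_exec` and `sample_acl`, the sample ACL text, and the starting ownership and mode of `/bin/dangerous` are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: decide from getfacl-style text whether USER may execute a file.
# Usage: acl_user_can_exec USER [GROUP...] < acl-text   (exit 0 = allowed)
acl_user_can_exec() {
    user=$1; shift
    awk -v user="$user" -v groups="$*" '
    BEGIN { n = split(groups, g, " "); for (i = 1; i <= n; i++) ingrp[g[i]] = 1
            mask_x = 1 }                      # no mask entry: nothing is masked
    /^# owner: / { owner = $3; next }
    /^# group: / { ogroup = $3; next }
    /^#/ || NF == 0 { next }
    {
        sub(/[ \t]*#.*/, "")                  # drop trailing "#effective:" notes
        split($0, f, ":"); x = (f[3] ~ /x/)
        if      (f[1] == "user" && f[2] == "")   owner_x = x
        else if (f[1] == "user" && f[2] == user) { named = 1; named_x = x }
        else if (f[1] == "group" && ((f[2] == "" && (ogroup in ingrp)) || (f[2] in ingrp))) { grp = 1; if (x) grp_x = 1 }
        else if (f[1] == "mask")                 mask_x = x
        else if (f[1] == "other")                other_x = x
    }
    END {
        # POSIX.1e order: owner, named user, group class, other; the mask
        # limits named-user and group entries but not the owner or other.
        if      (user == owner) ok = owner_x
        else if (named)         ok = named_x && mask_x
        else if (grp)           ok = grp_x && mask_x
        else                    ok = other_x
        exit (ok ? 0 : 1)
    }'
}

# Constructed sample: what getfacl would show after the two commands in the
# message, assuming /bin/dangerous started as root:wheel with mode 0555.
sample_acl() {
    cat <<'EOF'
# file: /bin/dangerous
# owner: root
# group: wheel
user::r-x
user:admin:r-x
group::---
mask::r-x
other::---
EOF
}

for u in root admin zenny; do
    if sample_acl | acl_user_can_exec "$u"; then echo "$u: may execute"
    else echo "$u: denied"; fi
done
```

On a live system the same function can be fed `getfacl /bin/dangerous` instead of the sample text. The binary still runs with the caller's own credentials, so the ACL only controls who may start it.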