Date:      Sat, 28 Apr 2012 11:29:58 +0200
From:      Dimitry Andric <dim@FreeBSD.org>
To:        Zenny <garbytrash@gmail.com>
Cc:        "freebsd-stable@freebsd.org" <freebsd-stable@freebsd.org>
Subject:   Re: Restricting users from certain privileges
Message-ID:  <4F9BB896.8040005@FreeBSD.org>
In-Reply-To: <CACuV5sCHmnUnXTTY%2BkGqszi-Ynu8Vr3bf%2BLALf=yQbhHPXSdXA@mail.gmail.com>
References:  <CACuV5sCyCgn8aBawTEP=BT%2B%2B4Ut4kPt8fXSq%2BgcS2YrkZaU%2BJw@mail.gmail.com> <E1SO2ER-000K66-8k@kabab.cs.huji.ac.il> <CACuV5sCHmnUnXTTY%2BkGqszi-Ynu8Vr3bf%2BLALf=yQbhHPXSdXA@mail.gmail.com>

On 2012-04-28 09:50, Zenny wrote:
> On Sat, Apr 28, 2012 at 9:38 AM, Daniel Braniss <danny@cs.huji.ac.il> wrote:
...
>> try sudo from ports, security/sudo
> Thanks Daniel, but sudo gives all (not selective) root privileges to the
> user (admin in my case).

This isn't true.  With sudo, you can give specific users, or groups of
users, restricted lists of commands they can run, and even specify on
which particular machines they can be run.

Please take a look at the nicely documented sample sudoers file:

  http://www.sudo.ws/sudo/sample.sudoers

For example, these lines may do more or less what you want:

  # users in the secretaries netgroup need to help manage the printers
  # as well as add and remove users
  +secretaries	ALL = PRINTING, /usr/bin/adduser, /usr/bin/rmuser

  # fred can run commands as oracle or sybase without a password
  fred		ALL = (DB) NOPASSWD: ALL

  # on the alphas, john may su to anyone but root and flags are not allowed
  john		ALPHA = /usr/bin/su [!-]*, !/usr/bin/su *root*

  # jen can run anything on all machines except the ones
  # in the "SERVERS" Host_Alias
  jen		ALL, !SERVERS = ALL

  # jill can run any commands in the directory /usr/bin/, except for
  # those in the SU and SHELLS aliases.
  jill		SERVERS = /usr/bin/, !SU, !SHELLS

  # steve can run any command in the directory /usr/local/op_commands/
  # as user operator.
  steve		CSNETS = (operator) /usr/local/op_commands/

  # matt needs to be able to kill things on his workstation when
  # they get hung.
  matt		valkyrie = KILL
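Added example (not part of Dimitry's message and not taken from the sudo sample file quoted above): a sudoers fragment written in the same style that applies the idea to the case raised in the thread, a single account that should get a few specific administrative commands rather than full root. The user name `admin`, the host name `ws1`, and the FreeBSD command paths are assumptions; adjust them to the real system.

```sudoers
# Added example, not from sample.sudoers.  User name, host name and
# command paths are assumptions; adjust to the actual system.

# Group related commands under aliases so the per-user rule stays short
# and reviewable.  Arguments after a command are matched literally,
# "*" matches any arguments, and a command with no arguments listed
# may be run with any arguments at all.
Cmnd_Alias SERVICES  = /usr/sbin/service
Cmnd_Alias PACKAGES  = /usr/sbin/pkg install *, /usr/sbin/pkg upgrade, \
                       /usr/sbin/pkg delete *
Cmnd_Alias USERMGMT  = /usr/sbin/pw useradd *, /usr/sbin/pw userdel *

# Commands that hand out an unrestricted root shell.  These are listed
# so they can be explicitly negated below; a later "!" entry overrides
# an earlier permission because the last matching entry wins.
Cmnd_Alias SHELLS    = /bin/sh, /bin/csh, /bin/tcsh, /usr/local/bin/bash
Cmnd_Alias SU        = /usr/bin/su

# admin may run only the aliased commands, only on host ws1, only as
# root, and is still prompted for a password (no NOPASSWD tag).
admin   ws1 = (root) SERVICES, PACKAGES, USERMGMT, !SHELLS, !SU
```

With sudo installed from ports the file normally lives at /usr/local/etc/sudoers; edit it with `visudo`, or check a fragment before installing it with `visudo -c -f <file>`, and review what a user actually ends up with via `sudo -l -U admin`. Two caveats that the sudoers manual spells out and that matter when reading the `!` entries above: a negation only blocks the listed path, so any permitted command that can itself start an editor or sub-shell still reaches root that way (the `NOEXEC` tag helps for commands that do not need to fork, but would break `pkg`, which runs scripts), and a wildcard such as `pkg install *` also accepts any option the command understands, so keep the allowed list to commands whose full argument space you are comfortable running as root.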
