From: Stephen Montgomery-Smith
Date: Sat, 28 Apr 2012 13:12:25 -0500
To: Zenny
Cc: "freebsd-stable@freebsd.org"
Subject: Re: Restricting users from certain privileges
Message-ID: <4F9C3309.60704@missouri.edu>

On 04/28/2012 02:50 AM, Zenny wrote:
> On Sat, Apr 28, 2012 at 9:38 AM, Daniel Braniss wrote:
>
>>> Hi:
>>>
>>> I could not figure out how to restrict users or other users from certain
>>> privileges to execute certain commands in FreeBSD/NanoBSD?
>>>
>>> What I meant is I want to create a NanoBSD image in which there will be an
>>> additional user, say 'admin'. I need to give this new user (admin) some
>>> privileges to run some root-can-only-execute commands, but not all (ACL
>>> similar to the firmwares in adsl modems from ISPs).
>>>
>>> I read Dru Lavigne's 'BSD Hacks' and Joseph Kong's 'Designing BSD
>>> Rootkits' besides FreeBSD handbook, but I simply could not figure out.
>>> Could anyone throw some light on this? Appreciate it!
>>>
>>> Thanks!
>>>
>>> /zenny
>>
>> try sudo from ports, security/sudo
>>
>> cheers,
>> danny
>>
>>
> Thanks Daniel, but sudo gives all (not selective) root privileges to the
> user (admin in my case). So this is not what I am trying to achieve in my
> original post.

Try the security/super port. It is easy to create very fine-grained
privileges to selected users. (I am not saying that sudo cannot do
this, but with super it is very easy.)
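
Added example, not part of the original message and not taken from either port: the thread's 'admin' user limited to a handful of root commands using sudo's own sudoers syntax, the case the reply above leaves open. The drop-in path, the interface name em0 and the command list are assumptions chosen for illustration.

```sudoers
# Assumed location for the FreeBSD port: /usr/local/etc/sudoers.d/admin
# "admin" is the user from the thread; every command below is a constructed sample.

# List exact command lines. Arguments written here must match exactly;
# "" means the command may only be run with no arguments at all.
Cmnd_Alias ADMIN_NET = /sbin/ifconfig em0 up, /sbin/ifconfig em0 down
Cmnd_Alias ADMIN_SVC = /usr/sbin/service sshd restart, \
                       /usr/sbin/service ntpd restart
Cmnd_Alias ADMIN_PWR = /sbin/reboot ""

# admin may run these as root and nothing else. There is no "ALL" on the
# command side, so any other command is refused and logged.
admin ALL = (root) ADMIN_NET, ADMIN_SVC, ADMIN_PWR

# Caveats when extending the list:
#  - Always use absolute paths, and keep the binaries and their directories
#    writable by root only, or the user can swap in their own program.
#  - Avoid wildcards in arguments; "/sbin/ifconfig *" allows far more than
#    bringing one interface up or down.
#  - Editors, pagers, interpreters and anything else that can spawn a shell
#    turn a "selective" rule into full root access.
```

Check the file with `visudo -cf <file>` before installing it, and confirm the resulting rights with `sudo -l -U admin`.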