Skip site navigation (1)Skip section navigation (2) 
Date:      Sat, 28 Apr 2012 12:46:53 -0700
From:      Freddie Cash <fjwcash@gmail.com>
To:        Zenny <garbytrash@gmail.com>
Cc:        "freebsd-stable@freebsd.org" <freebsd-stable@freebsd.org>
Subject:   Re: Restricting users from certain privileges
Message-ID:  <CAOjFWZ5NGAJTQNfHe8WhNp0iVY61nu-ySw10-1GNXNbcKVENVA@mail.gmail.com>
In-Reply-To: <CACuV5sCHmnUnXTTY%2BkGqszi-Ynu8Vr3bf%2BLALf=yQbhHPXSdXA@mail.gmail.com>
References:  <CACuV5sCyCgn8aBawTEP=BT%2B%2B4Ut4kPt8fXSq%2BgcS2YrkZaU%2BJw@mail.gmail.com> <E1SO2ER-000K66-8k@kabab.cs.huji.ac.il> <CACuV5sCHmnUnXTTY%2BkGqszi-Ynu8Vr3bf%2BLALf=yQbhHPXSdXA@mail.gmail.com>
next in thread | previous in thread | raw e-mail | index | archive | help 
On Apr 28, 2012 12:50 AM, "Zenny" <garbytrash@gmail.com> wrote:
>
> On Sat, Apr 28, 2012 at 9:38 AM, Daniel Braniss <danny@cs.huji.ac.il>
wrote:
>
> > > Hi:
> > >
> > > I could not figure out how to restrict users or other users from
certain
> > > privileges to execute certain commands in FreeBSD/NanoBSD?
> > >
> > > What I meant is I want to create a NanoBSD image in which there will
be
> > an
> > > additional user, say 'admin'. I need to give this new user (admin)
some
> > > privileges to run some root-can-only-execute commands, but not all
(ACL
> > > similar to the firmwares in adsl modems from ISPs).
> > >
> > > I read Dru Lavingne's 'BSD Hacks' and Joseph Kong's 'Designing BSD
> > > Rootkits' besides FreeBSD handbook, but I simply could not figure out.
> > > Could anyone throw some light on this? Appreciate it!
> > >
> > > Thanks!
> > >
> > > /zenny
> >
> > try sudo from ports, security/sudo
> >
> > cheers,
> >        danny
> >
> >
> Thanks Daniel, but sudo gives all (not selective) root privileges to the
> user (admin in my case). So this is not what I am trying to achieve in my
> original post.

Sudo let's you do a lot more than all-or-nothing access. You can specify
individual commands that can be run, even down to the options that can be
used, and whether or not they need a passwd. And you can even specify which
user to run the command as (doesn't have to be root).

Read through the sudoers(5) man page and the comments in the default
sudoers file for all the gory details.

Cheers,
Freddie Cash
fjwcash@gmail.com

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?CAOjFWZ5NGAJTQNfHe8WhNp0iVY61nu-ySw10-1GNXNbcKVENVA>