From: Freddie Cash
To: Zenny
Cc: "freebsd-stable@freebsd.org"
Date: Sat, 28 Apr 2012 12:46:53 -0700
Subject: Re: Restricting users from certain privileges

On Apr 28, 2012 12:50 AM, "Zenny" wrote:
>
> On Sat, Apr 28, 2012 at 9:38 AM, Daniel Braniss wrote:
>
> > > Hi:
> > >
> > > I could not figure out how to restrict users or other users from certain
> > > privileges to execute certain commands in FreeBSD/NanoBSD?
> > >
> > > What I meant is I want to create a NanoBSD image in which there will be an
> > > additional user, say 'admin'. I need to give this new user (admin) some
> > > privileges to run some root-can-only-execute commands, but not all (ACL
> > > similar to the firmwares in adsl modems from ISPs).
> > >
> > > I read Dru Lavigne's 'BSD Hacks' and Joseph Kong's 'Designing BSD
> > > Rootkits' besides FreeBSD handbook, but I simply could not figure out.
> > > Could anyone throw some light on this? Appreciate it!
> > >
> > > Thanks!
> > >
> > > /zenny
> >
> > try sudo from ports, security/sudo
> >
> > cheers,
> > danny
> >
>
> Thanks Daniel, but sudo gives all (not selective) root privileges to the
> user (admin in my case). So this is not what I am trying to achieve in my
> original post.

Sudo lets you do a lot more than all-or-nothing access. You can specify
individual commands that can be run, even down to the options that can be
used, and whether or not they need a passwd. And you can even specify which
user to run the command as (doesn't have to be root).

Read through the sudoers(5) man page and the comments in the default sudoers
file for all the gory details.

Cheers,
Freddie Cash
fjwcash@gmail.com
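
An added example, not part of the original message: a sudoers fragment exercising each capability the reply lists (individual commands, fixed options, password or no password, and a non-root run-as user). The user `admin` comes from the thread; the file location, the `www` run-as user, the flag-file path and the choice of commands are assumptions made for illustration.

```sudoers
# /usr/local/etc/sudoers.d/admin   (assumed location for sudo installed from ports)
# Constructed example. Edit with: visudo -f /usr/local/etc/sudoers.d/admin

# Group permitted command lines under aliases. Always use absolute paths,
# otherwise the match depends on the caller's PATH.
Cmnd_Alias NET_RESTART = /usr/sbin/service netif restart, \
                         /usr/sbin/service routing restart
Cmnd_Alias REBOOT      = /sbin/shutdown -r now

# 1. Individual commands with their arguments pinned. Because arguments are
#    listed, "service sshd stop" or any other variation is refused.
#    A password is required (the default).
admin ALL = (root) NET_RESTART

# 2. One exact command line, allowed without a password prompt.
admin ALL = (root) NOPASSWD: REBOOT

# 3. Command allowed only with NO arguments: "" forbids any.
#    "sudo ifconfig" lists interfaces; "sudo ifconfig em0 down" is refused.
admin ALL = (root) /sbin/ifconfig ""

# 4. Run as a user other than root: sudo -u www /usr/bin/touch <path>
#    The flag-file path is hypothetical.
admin ALL = (www) /usr/bin/touch /usr/local/www/maintenance.flag

# 5. Read a log through a pager without letting the pager spawn a shell.
#    NOEXEC blocks exec from dynamically linked programs where supported.
admin ALL = (root) NOEXEC: /usr/bin/less /var/log/messages

# Pitfalls that turn a restricted rule back into full root:
#  - a path with no arguments listed permits ANY arguments
#  - wildcards in arguments match more than intended, including spaces
#  - editors, pagers, interpreters and shells can start other programs
#  - any command that can write an arbitrary file as root
```

Check the file with `visudo -cf /usr/local/etc/sudoers.d/admin` before relying on it, and confirm the effective rules as root with `sudo -l -U admin`.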