From owner-freebsd-stable@FreeBSD.ORG  Sat Apr 28 07:50:31 2012
Return-Path: <owner-freebsd-stable@FreeBSD.ORG>
Delivered-To: freebsd-stable@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id 3BC1A1065670
	for <freebsd-stable@freebsd.org>; Sat, 28 Apr 2012 07:50:31 +0000 (UTC)
	(envelope-from garbytrash@gmail.com)
Received: from mail-ob0-f182.google.com (mail-ob0-f182.google.com
	[209.85.214.182])
	by mx1.freebsd.org (Postfix) with ESMTP id F2DCF8FC15
	for <freebsd-stable@freebsd.org>; Sat, 28 Apr 2012 07:50:30 +0000 (UTC)
Received: by obcni5 with SMTP id ni5so2588109obc.13
	for <freebsd-stable@freebsd.org>; Sat, 28 Apr 2012 00:50:30 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113;
	h=mime-version:in-reply-to:references:date:message-id:subject:from:to
	:cc:content-type;
	bh=2MD6s1Cthfbtxxsn1ipRHRYfLZWFMAtTD/lmDJVVIeA=;
	b=fJTjQKG7j6IdCH2oNrCPQxa3UaNXAEZxeQ1kZJhbjjVMu+VUugUNzepy8+MQfFKqIp
	HyLpXaa8mZHoLe1eEqGtisIAGvCUYloKDAGQ3uv273uYpswmk+BZj/JlW45EUAkDIVms
	fY5IfcljpbNHt1glKGlVTEanY3nSZhLRcpaFzPSSbyyoqI9zoAyrXlufuwBX/CcEjdXz
	a6r1iYUdIkji3+XfmeWP3bZcp8cfQpmc+9sPQspVjLLKrm/T1IStUQX3wDnKqQ+DGUn7
	v7q9kSo48rk/feQC96ydizQMnoRjq1I+PKBpGybqTbODNavkh55OwsCb04g/fxSk6U6Y
	OXaw==
MIME-Version: 1.0
Received: by 10.60.14.226 with SMTP id s2mr18121084oec.29.1335599430611; Sat,
	28 Apr 2012 00:50:30 -0700 (PDT)
Received: by 10.60.17.34 with HTTP; Sat, 28 Apr 2012 00:50:30 -0700 (PDT)
In-Reply-To: <E1SO2ER-000K66-8k@kabab.cs.huji.ac.il>
References: <CACuV5sCyCgn8aBawTEP=BT++4Ut4kPt8fXSq+gcS2YrkZaU+Jw@mail.gmail.com>
	<E1SO2ER-000K66-8k@kabab.cs.huji.ac.il>
Date: Sat, 28 Apr 2012 09:50:30 +0200
Message-ID: <CACuV5sCHmnUnXTTY+kGqszi-Ynu8Vr3bf+LALf=yQbhHPXSdXA@mail.gmail.com>
From: Zenny <garbytrash@gmail.com>
To: Daniel Braniss <danny@cs.huji.ac.il>
Content-Type: text/plain; charset=ISO-8859-1
X-Content-Filtered-By: Mailman/MimeDel 2.1.5
Cc: "freebsd-stable@freebsd.org" <freebsd-stable@freebsd.org>
Subject: Re: Restricting users from certain privileges
X-BeenThere: freebsd-stable@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Production branch of FreeBSD source code <freebsd-stable.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-stable>, 
	<mailto:freebsd-stable-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-stable>
List-Post: <mailto:freebsd-stable@freebsd.org>
List-Help: <mailto:freebsd-stable-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-stable>,
	<mailto:freebsd-stable-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Sat, 28 Apr 2012 07:50:31 -0000

On Sat, Apr 28, 2012 at 9:38 AM, Daniel Braniss <danny@cs.huji.ac.il> wrote:

> > Hi:
> >
> > I could not figure out how to restrict users or other users from certain
> > privileges to execute certain commands in FreeBSD/NanoBSD?
> >
> > What I meant is I want to create a NanoBSD image in which there will be
> an
> > additional user, say 'admin'. I need to give this new user (admin) some
> > privileges to run some root-can-only-execute commands, but not all (ACL
> > similar to the firmwares in adsl modems from ISPs).
> >
> > I read Dru Lavingne's 'BSD Hacks' and Joseph Kong's 'Designing BSD
> > Rootkits' besides FreeBSD handbook, but I simply could not figure out.
> > Could anyone throw some light on this? Appreciate it!
> >
> > Thanks!
> >
> > /zenny
>
> try sudo from ports, security/sudo
>
> cheers,
>        danny
>
>
Thanks Daniel, but sudo gives all (not selective) root privileges to the
user (admin in my case). So this is not what I am trying to achieve in my
original post.

/z