From owner-freebsd-stable@FreeBSD.ORG Sat Apr 28 09:29:53 2012
From: Dimitry Andric <dim@FreeBSD.org>
Organization: The FreeBSD Project
Date: Sat, 28 Apr 2012 11:29:58 +0200
Message-ID: <4F9BB896.8040005@FreeBSD.org>
To: Zenny
Cc: freebsd-stable@freebsd.org
Subject: Re: Restricting users from certain privileges

On 2012-04-28 09:50, Zenny wrote:
> On Sat, Apr 28, 2012 at 9:38 AM, Daniel Braniss wrote:
...
>> try sudo from ports, security/sudo
> Thanks Daniel, but sudo gives all (not selective) root privileges to the
> user (admin in my case).

This isn't true. With sudo, you can give specific users, or groups of users, restricted lists of commands they can run, and even specify on which particular machines they can be run.
Please take a look at the nicely documented sample sudoers file:

http://www.sudo.ws/sudo/sample.sudoers

For example, these lines may do more or less what you want:

# users in the secretaries netgroup need to help manage the printers
# as well as add and remove users
+secretaries ALL = PRINTING, /usr/bin/adduser, /usr/bin/rmuser

# fred can run commands as oracle or sybase without a password
fred ALL = (DB) NOPASSWD: ALL

# on the alphas, john may su to anyone but root and flags are not allowed
john ALPHA = /usr/bin/su [!-]*, !/usr/bin/su *root*

# jen can run anything on all machines except the ones
# in the "SERVERS" Host_Alias
jen ALL, !SERVERS = ALL

# jill can run any commands in the directory /usr/bin/, except for
# those in the SU and SHELLS aliases.
jill SERVERS = /usr/bin/, !SU, !SHELLS

# steve can run any command in the directory /usr/local/op_commands/
# as user operator.
steve CSNETS = (operator) /usr/local/op_commands/

# matt needs to be able to kill things on his workstation when
# they get hung.
matt valkyrie = KILL
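As an added illustration (not from this thread or from the sudo sample file), here is a sudoers fragment for the "admin" user the original poster mentions: the over-broad rule is shown commented out beside a least-privilege replacement. Host names, command paths and the log file location are assumptions for the example.

```sudoers
# Constructed example. The rule below is what typically gives a user
# "all root privileges"; it is shown only to contrast with the restricted
# grants that follow, and should not be present in the real file:
#   admin ALL = (ALL) ALL

# Enumerate the exact commands, with their exact arguments, that the job
# requires. Full paths are mandatory; avoid trailing "*" on arguments,
# because a wildcard there also matches further arguments and whitespace.
Cmnd_Alias SERVICES = /usr/sbin/service nginx restart, \
                      /usr/sbin/service nginx status, \
                      /usr/sbin/service sshd restart
Cmnd_Alias PKGMGMT  = /usr/sbin/pkg audit, /usr/sbin/pkg upgrade
Cmnd_Alias LOGVIEW  = /usr/bin/tail -n 200 /var/log/auth.log

# Limit the grant to the machines where it is needed; sudoers files are
# often shared across hosts. (Host names are assumed.)
Host_Alias WEBSERVERS = www1, www2

# admin may run only the aliased commands, only as root, only on the
# web servers, and must authenticate (no NOPASSWD).
admin WEBSERVERS = (root) SERVICES, PKGMGMT, LOGVIEW

# Nothing else is granted, so there is no need for "!" deny entries.
# Prefer an allow-list like this over "ALL, !/usr/bin/su": a deny entry
# only matches the listed path, so it is a weak control on its own.
# Do not add editors, shells, or commands that can spawn a shell.

# Record every invocation and its output so escalations are auditable.
Defaults:admin logfile=/var/log/sudo-admin.log, log_output
```

Check the file with `visudo -c -f <file>` before installing it; a syntax error in sudoers locks every user out of sudo.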