Date: Sat, 28 Apr 2012 12:47:49 +0300 From: Konstantin Belousov <kostikbel@gmail.com> To: Dimitry Andric <dim@freebsd.org> Cc: Zenny <garbytrash@gmail.com>, "freebsd-stable@freebsd.org" <freebsd-stable@freebsd.org> Subject: Re: Restricting users from certain privileges Message-ID: <20120428094749.GF2358@deviant.kiev.zoral.com.ua> In-Reply-To: <4F9BB896.8040005@FreeBSD.org> References: <CACuV5sCyCgn8aBawTEP=BT%2B%2B4Ut4kPt8fXSq%2BgcS2YrkZaU%2BJw@mail.gmail.com> <E1SO2ER-000K66-8k@kabab.cs.huji.ac.il> <CACuV5sCHmnUnXTTY%2BkGqszi-Ynu8Vr3bf%2BLALf=yQbhHPXSdXA@mail.gmail.com> <4F9BB896.8040005@FreeBSD.org>
next in thread | previous in thread | raw e-mail | index | archive | help
--htO1hhWexm+U+1ye Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Sat, Apr 28, 2012 at 11:29:58AM +0200, Dimitry Andric wrote: > On 2012-04-28 09:50, Zenny wrote: > > On Sat, Apr 28, 2012 at 9:38 AM, Daniel Braniss <danny@cs.huji.ac.il> w= rote: > ... > >> try sudo from ports, security/sudo > > Thanks Daniel, but sudo gives all (not selective) root privileges to the > > user (admin in my case). >=20 > This isn't true. With sudo, you can give specific users, or groups of > users, restricted lists of commands they can run, and even specify on > which particular machines they can be run. Sure, but if the allowed commands were not specifically designed to be run with elevated privileges, you typically give the user ability to run any command with elevated privileges. Even specially designed commands sometimes give away much more power then intended. --htO1hhWexm+U+1ye Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.12 (FreeBSD) iEYEARECAAYFAk+bvMQACgkQC3+MBN1Mb4hWuwCfX4mbiqM8unepiC2FukO+FyUW 7J0AoO+QB5Bw2dokA9pdVXHhRIIkpupy =7IlQ -----END PGP SIGNATURE----- --htO1hhWexm+U+1ye--
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20120428094749.GF2358>