From owner-freebsd-questions@FreeBSD.ORG Mon May 29 12:00:11 2006 Return-Path: X-Original-To: freebsd-questions@freebsd.org Delivered-To: freebsd-questions@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 79B2716A8B0 for ; Mon, 29 May 2006 12:00:11 +0000 (UTC) (envelope-from asanjuan@bolsabilbao.es) Received: from correo-2.bolsabilbao.es (eu77-209.clientes.euskaltel.es [212.8.77.209]) by mx1.FreeBSD.org (Postfix) with ESMTP id 4A63243D66 for ; Mon, 29 May 2006 12:00:02 +0000 (GMT) (envelope-from asanjuan@bolsabilbao.es) Received: from correo_6.bolsabilbao.es ([10.33.5.206]) by correo-2.bolsabilbao.es with Microsoft SMTPSVC(6.0.3790.1830); Mon, 29 May 2006 14:00:01 +0200 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable Date: Mon, 29 May 2006 13:59:59 +0200 Message-ID: <6FA4E8E8A0FAD64F9AF5A1F0FDB8C6EE1211@BB06.bolsabilbao.local> Content-Class: urn:content-classes:message X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.2663 X-MS-Has-Attach: X-MS-TNEF-Correlator: Thread-Topic: Restrict access to custom shell scripts thread-index: AcaDF2kLGXu1eHE3QXi6SZUi72ko+Q== From: "Aitor San Juan" To: Importance: normal Priority: normal X-OriginalArrivalTime: 29 May 2006 12:00:01.0074 (UTC) FILETIME=[69E50120:01C68317] X-ExchangeSecure-AntiSpam: valid(0) Subject: Restrict access to custom shell scripts X-BeenThere: freebsd-questions@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: User questions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 29 May 2006 12:00:18 -0000 Hi list! I have developped several Bourne shell scripts that help some users to accomplish general tasks by choosing an option from a list of = options. Such options include, for example, displaying the size of filesystems, (un)mounting filesystems, user account management (add/remove/lock = users, etc). As you can imagine, many of these options will require the user to have superuser authorisations. It would be desirable that only a few users have the permission to = execute these shell scripts. Following are my 2 approaches. I don't know which = is the best. In addition, but I need some further help details of how to accomplish it, so any hint or suggestion would be highly appreciated. Thanks in advance. ----------- APPROACH 1: ----------- Make root the owner of these shell scripts (rwx). Create a group and = make the shell scripts only executable for users belonging to this new group = (r-x). For the rest of the world, no permissions. Until here, I see apparently = no problems. But what about the permissions to execute some of the commands encapsulated by the shell scripts? For example, adding users, editing = crontabs of other users, (un)mounting filesystems... I wouldn't like the users = belonging to this new group to have/belong directly root permissions. ----------- APPROACH 2: ----------- Create a special user whose shell entry could be the main shell script = (the one who shows the menu of options), that is, no /bin/sh entry or alike, = instead the full path to the script who shows the main menu. Then the users = should be allowed to change their ID to this special user (using su for example). = Again, once su'ed to this user, what the superuser permissions required by most = of the options showed in the menu? ************ LEGEZKO OHARRA / AVISO LEGAL / LEGAL ADVICE *************=20 Mezu honek isilpeko informazioa gorde dezake, edo jabea duena, edota = legez babestuta dagoena. Zuri zuzendua ez bada, bidali duenari esan eta = ezabatu, inori berbidali edo gorde gabe, legeak debekatzen duelako = mezuak erabiltzea baimenik gabe.=20 -------------------------------------------------------------------------= - Este mensaje puede contener informaci=F3n confidencial, en propiedad o = legalmente protegida. Si usted no es el destinatario, le rogamos lo = comunique al remitente y proceda a borrarlo, sin reenviarlo ni = conservarlo, ya que su uso no autorizado est=E1 prohibido legalmente. -------------------------------------------------------------------------= - This message may contain confidential, proprietary or legally privileged = information. If you are not the intended recipient of this message, = please notify it to the sender and delete without resending or backing = it, as it is legally prohibited. *************************************************************************= *