Date: Mon, 29 May 2006 13:59:59 +0200
From: "Aitor San Juan" <asanjuan@bolsabilbao.es>
To: <freebsd-questions@freebsd.org>
Subject: Restrict access to custom shell scripts
Message-ID: <6FA4E8E8A0FAD64F9AF5A1F0FDB8C6EE1211@BB06.bolsabilbao.local>

Hi list!

I have developed several Bourne shell scripts that help some users to accomplish general tasks by choosing an option from a list of options. Such options include, for example, displaying the size of filesystems, (un)mounting filesystems, user account management (add/remove/lock users, etc). As you can imagine, many of these options will require the user to have superuser authorisations.

It would be desirable that only a few users have the permission to execute these shell scripts. Following are my 2 approaches. I don't know which is the best. In addition, I need some further help with the details of how to accomplish it, so any hint or suggestion would be highly appreciated.

Thanks in advance.

-----------
APPROACH 1:
-----------

Make root the owner of these shell scripts (rwx). Create a group and make the shell scripts only executable for users belonging to this new group (r-x). For the rest of the world, no permissions. Until here, I see apparently no problems. But what about the permissions to execute some of the commands encapsulated by the shell scripts? For example, adding users, editing crontabs of other users, (un)mounting filesystems... I wouldn't like the users belonging to this new group to have root permissions directly.

-----------
APPROACH 2:
-----------

Create a special user whose shell entry could be the main shell script (the one that shows the menu of options), that is, no /bin/sh entry or the like, instead the full path to the script that shows the main menu. Then the users should be allowed to change their ID to this special user (using su for example). Again, once su'ed to this user, what about the superuser permissions required by most of the options shown in the menu?
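
The ownership and mode layout described under APPROACH 1 can be checked mechanically. The script below is an added example, not part of the original message; the function names are assumptions, and it also checks the containing directory, which the message does not mention.

```shell
#!/bin/sh
# Added example. Assumed names (not from the post): stat_ugm, check_script, audit_dir.

# Print "uid gid mode" for a path; GNU stat uses -c, FreeBSD stat uses -f.
stat_ugm() {
    stat -c '%u %g %a' "$1" 2>/dev/null || stat -f '%u %g %Lp' "$1"
}

# check_script FILE OWNER_UID GROUP_GID
# Passes only for a regular file (no symlink) owned by OWNER_UID, in group
# GROUP_GID, with mode 750: rwx for the owner, r-x for the group, none for the world.
check_script() {
    f=$1 want_uid=$2 want_gid=$3
    if [ -L "$f" ] || [ ! -f "$f" ]; then
        echo "FAIL $f: not a regular file"; return 1
    fi
    set -- $(stat_ugm "$f")
    if [ "$1" != "$want_uid" ] || [ "$2" != "$want_gid" ] || [ "$3" != 750 ]; then
        echo "FAIL $f: uid=$1 gid=$2 mode=$3"; return 1
    fi
    echo "ok   $f"
}

# audit_dir DIR OWNER_UID GROUP_GID
# The directory matters as much as the files: if the group or the world can
# write to it, a menu user can replace a script that the mode bits protect.
audit_dir() {
    dir=$1 uid=$2 gid=$3 rc=0
    set -- $(stat_ugm "$dir")
    case "$1:$3" in
        "$uid":*[2367]?|"$uid":*[2367]) echo "FAIL $dir: writable by group/other ($3)"; rc=1 ;;
        "$uid":*) ;;
        *) echo "FAIL $dir: owner uid=$1"; rc=1 ;;
    esac
    for s in "$dir"/*; do
        [ -e "$s" ] || [ -L "$s" ] || continue
        check_script "$s" "$uid" "$gid" || rc=1
    done
    return $rc
}

# Typical call, with a hypothetical directory and the numeric GID of the new group:
#   audit_dir /usr/local/menu 0 <gid>
```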