Date: Fri, 05 Apr 2002 13:36:48 +1000
From: Andrew Johns <johnsa@kpi.com.au>
To: Anthony Schneider <aschneid@mail.slc.edu>
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: a possible solution (re: su thread)
Message-ID: <3CAD1BD0.8030008@kpi.com.au>
References: <20020327163901.A33089@mail.slc.edu> <20020327171502.A33652@mail.slc.edu>

Anthony Schneider wrote:
> oh, by the way, as another person mentioned to me already, this idea
> is also quite akin to notions in the trustedbsd paradigm. he's right,
> it is. the idea is that the tool would be extremely portable across
> *NIX platforms. it would of course in no way stand above trustedbsd,
> and that is not my intention. it would, however, somewhat mirror
> access control policies in trustedbsd in userland. again, any ideas
> on how to make this more flexible, secure, etc., are welcomed.
> -Anthony.
>

While doing some work recently, we came across sus - an interesting
utility used where "many users need to run commands as root, but where
sudo was too limited and su too powerful".

http://pdg.uow.edu.au/sus/index.html

From the homepage:

SUS is a utility to allow a user (typically a system administrator) to
run a single command as the super user. SUS reads a configuration file
which determines if the user may execute the command or not.

Some of the more advanced features of SUS are:

* the configuration file is preprocessed as it is read by a "CPP style
  preprocessor."
* an ability to define a class of system objects (users, groups, files,
  hosts or processes) by their attributes.
* an ability to treat arguments passed to the target command as
  references to system objects and allow or reject commands based on
  the membership of such objects to predefined object classes.
* the ability to run commands as users other than root.
* the ability to run commands in background as session leaders.
* the ability to let a user run a command as a target user if the
  invoking user can authenticate as the target user.

I haven't tried compiling this on BSD, but it might get you some of the
way there (or perhaps not). I'm interested in any comments on the code,
etc. There are no copyright notices in the code or on the site, but
I've emailed the author to determine the state of this.
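
The feature list quoted in the message describes allowing or rejecting a command according to the object class its arguments belong to. The following is an added example of that kind of check, not SUS code or SUS configuration syntax and not part of the original message; `FileClass`, `Rule` and `decide` are hypothetical names, and the policy (a spool directory, `/bin/rm`, user `operator`) is constructed.

```python
import os
import tempfile
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class FileClass:
    """Hypothetical object class: files defined by attributes, not by name."""
    root: str                        # resolved path must be inside this directory
    owner_uid: Optional[int] = None  # if set, the file must be owned by this uid
    def contains(self, arg: str) -> bool:
        real = os.path.realpath(arg)   # resolve symlinks and ".." before deciding
        root = os.path.realpath(self.root)
        if real == root or os.path.commonpath([real, root]) != root:
            return False
        try:
            st = os.stat(real)
        except OSError:
            return False               # nonexistent objects belong to no class
        return self.owner_uid is None or st.st_uid == self.owner_uid

@dataclass(frozen=True)
class Rule:
    user: str              # invoking user
    command: str           # absolute path of the target command
    arg_class: FileClass   # class every argument must belong to
    run_as: str = "root"   # target user

def decide(rules, user, command, args):
    """Return the target user if a rule permits the call, else None (default deny)."""
    for r in rules:
        if r.user != user or r.command != command:
            continue
        # Options are refused outright; every argument is treated as a file reference.
        if args and all(not a.startswith("-") and r.arg_class.contains(a) for a in args):
            return r.run_as
    return None

if __name__ == "__main__":
    # Constructed sample data: a spool directory and a symlink that points out of it.
    base = tempfile.mkdtemp()
    spool = os.path.join(base, "spool")
    os.mkdir(spool)
    job, link = os.path.join(spool, "job1"), os.path.join(spool, "link")
    open(job, "w").close()
    os.symlink(os.path.join(base, "secret"), link)
    rules = [Rule("operator", "/bin/rm", FileClass(spool, os.getuid()))]
    for arg in (job, link, "-rf"):
        print(arg, "->", decide(rules, "operator", "/bin/rm", [arg]))
```

The membership check and the later execution of the command are separate steps, so a tool built this way also has to account for the object changing between the two.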