Restricting users from certain privileges
Dimitry Andric
dim at FreeBSD.org
Sat Apr 28 09:29:53 UTC 2012
On 2012-04-28 09:50, Zenny wrote:
> On Sat, Apr 28, 2012 at 9:38 AM, Daniel Braniss <danny at cs.huji.ac.il> wrote:
...
>> try sudo from ports, security/sudo
> Thanks Daniel, but sudo gives all (not selective) root privileges to the
> user (admin in my case).
This isn't true. With sudo, you can give specific users, or groups of
users, restricted lists of commands they can run, and even specify on
which particular machines they can be run.
Please take a look at the nicely documented sample sudoers file:
http://www.sudo.ws/sudo/sample.sudoers
For example, these lines may do more or less what you want:
# users in the secretaries netgroup need to help manage the printers
# as well as add and remove users
+secretaries ALL = PRINTING, /usr/bin/adduser, /usr/bin/rmuser
# fred can run commands as oracle or sybase without a password
fred ALL = (DB) NOPASSWD: ALL
# on the alphas, john may su to anyone but root and flags are not allowed
john ALPHA = /usr/bin/su [!-]*, !/usr/bin/su *root*
# jen can run anything on all machines except the ones
# in the "SERVERS" Host_Alias
jen ALL, !SERVERS = ALL
# jill can run any commands in the directory /usr/bin/, except for
# those in the SU and SHELLS aliases.
jill SERVERS = /usr/bin/, !SU, !SHELLS
# steve can run any command in the directory /usr/local/op_commands/
# as user operator.
steve CSNETS = (operator) /usr/local/op_commands/
# matt needs to be able to kill things on his workstation when
# they get hung.
matt valkyrie = KILL
More information about the freebsd-stable
mailing list