sudoedit, restricting to particular folder

Lawrence Horvath lordsporkton at gmail.com
Sat Jun 3 22:52:00 PDT 2006


Well, the problem with that would be that we are editing about 4000
zone files (that includes forwards and reverses), so an entry for each
zone wouldn't do; that is why I was hoping to make it effective on a
whole folder, not just one file or two. I was considering a folder
permissions solution, which seems like it would work well, I think; then
I could use sudo to restrict to only rndc and let them have group write
access on the zones folder. I think that would be better than
sudoedit.

On 6/2/06, N.J. Thomas <njt at ayvali.org> wrote:
> * Lawrence Horvath <lordsporkton at gmail.com> [2006-06-01 22:13:39 -0700]:
> > Well, in that case what can you recommend for editing only zone files
> > and being able to run rndc? That is my main goal: I need to lock a
> > system so that only "rndc reload", "rndc reconfig" and editing zone
> > files is possible by a group of users. Any suggestions? And/or how do
> > you do this?
>
> Restricting a group of users to run only "rndc reload" and "rndc
> reconfig" via sudo is trivial. sudoers(1) will explain how, and
> the sudoers file that comes with sudo is chock full of examples.
>
> Off the top of my head, you would do something like this:
>
>     User_Alias  DNSOPS    = user1, user2, user3
>     Cmnd_Alias  DNSRELOAD = /usr/sbin/rndc reload
>     Cmnd_Alias  DNSRECONF = /usr/sbin/rndc reconfig
>     DNSOPS      ALL       = DNSRELOAD, DNSRECONF
>
> Don't know if that parses properly, but you get the idea.
>
> As far as editing only zone files, if you know the names of the files
> that they need to edit, something like this is sufficient:
>
>     DNSOPS      ALL       = sudoedit /etc/named.conf
>     DNSOPS      ALL       = sudoedit /etc/rndc.conf
>     DNSOPS      ALL       = sudoedit /var/named/zone1
>     DNSOPS      ALL       = sudoedit /var/named/zone2
>
> However, if your users need to be able to create/modify/rename files
> under /var/named (as you mentioned in your OP), then you will need a
> properly written wrapper script.
>
> Thomas
>
> --
> N.J. Thomas
> njt at ayvali.org
> Etiamsi occiderit me, in ipso sperabo
>


-- 
-Lawrence
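The folder-permissions variant Lawrence describes (group write on the zones directory, sudo limited to rndc), as an added example that is not part of either poster's message. The group name dnsops, the directory /var/named and the rndc path /usr/sbin/rndc are assumptions; the sudoers aliases follow the shape Thomas posted, with exact arguments rather than wildcards.

```shell
#!/bin/sh
# Added example (not from the thread): one setgid, group-writable zone
# directory instead of one sudoedit entry per zone file, plus a sudoers
# fragment that lets the group run only "rndc reload" and "rndc reconfig".
set -eu

# setup_zone_dir DIR GROUP
# Give GROUP write access to DIR and mark it setgid so files the operators
# create inherit the group. Others keep read access: named usually runs as
# its own user (bind), which is not in the operators' group but must still
# be able to read the zone data.
setup_zone_dir() {
    dir=$1; grp=$2
    mkdir -p "$dir"
    chgrp "$grp" "$dir"
    chmod 2775 "$dir"                      # drwxrwsr-x
    # Existing zone files: owned by GROUP, group-writable, world-readable.
    find "$dir" -type f -exec chgrp "$grp" {} + -exec chmod 0664 {} +
}

# sudoers_fragment GROUP RNDC
# Emit sudoers lines restricting %GROUP to two exact rndc invocations.
# No wildcards: sudoers matches arguments as one concatenated string, so a
# trailing '*' would also match extra arguments the operators should not get.
sudoers_fragment() {
    grp=$1; rndc=$2
    printf '%s\n' \
        "Cmnd_Alias DNSRELOAD = $rndc reload" \
        "Cmnd_Alias DNSRECONF = $rndc reconfig" \
        "%$grp ALL = DNSRELOAD, DNSRECONF"
}

# mode_of PATH: the ten-character mode column of ls -ld (same on BSD and GNU)
mode_of() { ls -ld "$1" | cut -c1-10; }

# Demonstration on a scratch directory so the script runs without root.
# A real deployment would point at /var/named and a real operators group.
demo() {
    t=$(mktemp -d)
    printf '$TTL 3600\n' > "$t/example.com.db"   # constructed sample zone
    setup_zone_dir "$t" "$(id -gn)"
    echo "dir:  $(mode_of "$t")"
    echo "zone: $(mode_of "$t/example.com.db")"
    echo "--- /usr/local/etc/sudoers.d/dnsops (assumed path) ---"
    sudoers_fragment dnsops /usr/sbin/rndc
    rm -rf "$t"
}
demo
```

Two caveats a practitioner would weigh against the sudoedit approach: write permission on the directory also lets the group create, rename and delete any file in it (which is what Lawrence wants, but it includes named.conf if it lives there), and edits made through plain group write leave no sudo log entry, so the change record is whatever version control or backup sits in front of the zone directory. Install the fragment with visudo so a syntax error does not lock out sudo entirely.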


More information about the freebsd-questions mailing list