Re: Restricting users from certain privileges
On 04/28/2012 09:50 AM, Zenny wrote:
> On Sat, Apr 28, 2012 at 9:38 AM, Daniel Braniss <danny@cs.huji.ac.il> wrote:
>
>>> Hi:
>>>
>>> I could not figure out how to restrict users or other users from certain
>>> privileges to execute certain commands in FreeBSD/NanoBSD?
>>>
>>> What I meant is I want to create a NanoBSD image in which there will be an
>>> additional user, say 'admin'. I need to give this new user (admin) some
>>> privileges to run some root-can-only-execute commands, but not all (ACL
>>> similar to the firmwares in adsl modems from ISPs).
>>>
>>> I read Dru Lavigne's 'BSD Hacks' and Joseph Kong's 'Designing BSD
>>> Rootkits' besides FreeBSD handbook, but I simply could not figure out.
>>> Could anyone throw some light on this? Appreciate it!
>>>
>>> Thanks!
>>>
>>> /zenny
>> try sudo from ports, security/sudo
>>
>> cheers,
>> danny
>>
>>
> Thanks Daniel, but sudo gives all (not selective) root privileges to the
> user (admin in my case). So this is not what I am trying to achieve in my
> original post.
If sudo does not work then what about using ACLs?
$ chmod og-rwx /bin/dangerous
$ setfacl -m "user:admin:rx" /bin/dangerous
-- 
VZ