List: sudo-users
Subject: RE: restriction by UID range?
From: "Brown, Tony" <TBrown2 () nmff ! org>
Date: 2002-09-13 19:19:33
Message-ID: D00D0959240EAF40970DA00A10A91656A129D1 () nmffmail2 ! nmff ! org
I could be wrong but if you have Solaris 9, why not use RBAC ... seems that this
would be easier to pull off with that.
-----Original Message-----
From: bergman@merctech.com [mailto:bergman@merctech.com]
Sent: Friday, September 13, 2002 2:15 PM
To: sudo-users@sudo.ws
Subject: restriction by UID range?
I'd like to set up sudo (v. 1.6.6, under Solaris 9) so that trusted users can
spawn a shell as another user, but only if the named user has a UID within a
certain range.
In this hypothetical environment, user "joe" would be able to run anything
(including spawning a shell) as any of the webaccounts (30000 >= UID >= 65536).
#cat /etc/passwd # hypothetical password file
root:x:0:1:Super-User:/root:/usr/bin/bash
daemon:x:1:1::/:
bin:x:2:2::/usr/bin:
sys:x:3:3::/:
adm:x:4:4:Admin:/var/adm:
joe:x:200:Joe:/export/home/joe:/bin/bash
homepage:x:30025:30001:Home Page:/export/htdocs/homepage:/bin/bash
webmaster:x:30026:30001:Web Master:/export/htdocs/webmaster:/bin/bash
accounting:x:30027:30001:Accounting:/export/htdocs/accounting:/bin/bash
finanace:x:30028:30001:Finance:/export/htdocs/finance:/bin/bash
#cat /etc/sudoers # hypothetical sudoers config
Runas_Alias WEBACCOUNTS=#[30000-65535]
joe (WEBACCOUNTS) ALL
Is this possible, without a wrapper script?
Mark
____________________________________________________________
sudo-users mailing list <sudo-users@sudo.ws>
For list information, options, or to unsubscribe, visit:
http://www.sudo.ws/mailman/listinfo/sudo-users
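One way to get the effect asked about above without a wrapper, assuming a Runas_Alias accepts only explicit user names or single #uid entries: generate the alias from the passwd file. This is an added example, not code from the thread; the function name gen_runas_alias and the sample input are constructed.

```shell
#!/bin/sh
# Added example: build a sudoers Runas_Alias from passwd(4) entries whose UID
# falls inside [MIN_UID, MAX_UID]. Reads passwd-format lines on stdin.
# Usage: gen_runas_alias MIN_UID MAX_UID [ALIAS_NAME] < /etc/passwd
# Note: stock Solaris /usr/bin/awk lacks -v; use nawk or /usr/xpg4/bin/awk there.
gen_runas_alias() {
    for bound in "$1" "$2"; do
        case $bound in
            ''|*[!0-9]*) echo "UID bounds must be numeric" >&2; return 2 ;;
        esac
    done
    awk -F: -v min="$1" -v max="$2" -v name="${3:-WEBACCOUNTS}" '
        BEGIN { n = 0 }
        # Skip comments and malformed entries (a passwd line has 7 fields).
        /^#/ || NF != 7 { next }
        # The UID field must be purely numeric.
        $3 !~ /^[0-9]+$/ { next }
        # Accept only conservative login names so nothing odd lands in sudoers.
        $1 !~ /^[a-z_][a-z0-9_-]*$/ { next }
        ($3 + 0) >= (min + 0) && ($3 + 0) <= (max + 0) { users[n++] = $1 }
        END {
            if (n == 0) exit 1          # no match: print nothing, exit non-zero
            line = "Runas_Alias " name " = " users[0]
            for (i = 1; i < n; i++) line = line ", " users[i]
            print line
        }
    '
}

# Constructed sample input modelled on the hypothetical passwd file above.
gen_runas_alias 30000 65535 <<'EOF'
root:x:0:1:Super-User:/root:/usr/bin/bash
joe:x:200:Joe:/export/home/joe:/bin/bash
homepage:x:30025:30001:Home Page:/export/htdocs/homepage:/bin/bash
webmaster:x:30026:30001:Web Master:/export/htdocs/webmaster:/bin/bash
EOF
# The alias is then referenced by a rule such as: joe ALL = (WEBACCOUNTS) ALL
```

The alias has to be regenerated whenever accounts in the range are added or removed, and the resulting sudoers file should be checked with `visudo -c` before it is installed.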