
List:       sudo-users
Subject:    RE: restriction by UID range?
From:       "Brown, Tony" <TBrown2 () nmff ! org>
Date:       2002-09-13 19:19:33
Message-ID: D00D0959240EAF40970DA00A10A91656A129D1 () nmffmail2 ! nmff ! org

I could be wrong but if you have Solaris 9, why not use RBAC ... seems that this
would be easier to pull off with that.

-----Original Message-----
From: bergman@merctech.com [mailto:bergman@merctech.com]
Sent: Friday, September 13, 2002 2:15 PM
To: sudo-users@sudo.ws
Subject: restriction by UID range?



I'd like to set up sudo (v. 1.6.6, under Solaris 9) so that trusted users can 
spawn a shell as another user, but only if the named user has a UID within a 
certain range.

In this hypothetical environment, user "joe" would be able to run anything 
(including spawning a shell) as any of the webaccounts (30000 >= UID >= 65536).

	#cat /etc/passwd	# hypothetical password file
	root:x:0:1:Super-User:/root:/usr/bin/bash
	daemon:x:1:1::/:
	bin:x:2:2::/usr/bin:
	sys:x:3:3::/:
	adm:x:4:4:Admin:/var/adm:
	joe:x:200:Joe:/export/home/joe:/bin/bash
	homepage:x:30025:30001:Home Page:/export/htdocs/homepage:/bin/bash
	webmaster:x:30026:30001:Web Master:/export/htdocs/webmaster:/bin/bash
	accounting:x:30027:30001:Accounting:/export/htdocs/accounting:/bin/bash
	finanace:x:30028:30001:Finance:/export/htdocs/finance:/bin/bash

	#cat /etc/sudoers	# hypothetical sudoers config
	Runas_Alias WEBACCOUNTS=#[30000-65535]

	joe (WEBACCOUNTS) ALL

Is this possible, without a wrapper script?

Mark
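
One way to get the effect asked about using ordinary Runas_Alias members, shown as an added example that is not part of either message: generate the alias from the passwd entries whose UID falls in the range. The function names, the conservative user-name check and the use of a POSIX awk are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the thread). Needs a POSIX awk.

# The post's hypothetical passwd file, reproduced as sample input.
sample_passwd() {
cat <<'EOF'
root:x:0:1:Super-User:/root:/usr/bin/bash
daemon:x:1:1::/:
bin:x:2:2::/usr/bin:
sys:x:3:3::/:
adm:x:4:4:Admin:/var/adm:
joe:x:200:Joe:/export/home/joe:/bin/bash
homepage:x:30025:30001:Home Page:/export/htdocs/homepage:/bin/bash
webmaster:x:30026:30001:Web Master:/export/htdocs/webmaster:/bin/bash
accounting:x:30027:30001:Accounting:/export/htdocs/accounting:/bin/bash
finanace:x:30028:30001:Finance:/export/htdocs/finance:/bin/bash
EOF
}

# gen_runas_alias ALIAS MIN_UID MAX_UID FILE   (FILE "-" reads stdin)
# Prints one Runas_Alias line; returns non-zero if no account matched.
gen_runas_alias() {
    awk -F: -v name="$1" -v min="$2" -v max="$3" '
        BEGIN { err = "cat 1>&2" }
        /^[ \t]*$/ || /^[ \t]*#/ { next }      # blanks and comments
        # A passwd entry has exactly 7 fields and a numeric UID.
        NF != 7 || $3 !~ /^[0-9]+$/ {
            printf "skipping malformed line %d\n", NR | err; next
        }
        $3 + 0 < min + 0 || $3 + 0 > max + 0 { next }   # outside the range
        # Refuse names that could alter the sudoers line they land in.
        $1 !~ /^[a-z_][a-z0-9_-]*$/ {
            printf "skipping unsafe name on line %d\n", NR | err; next
        }
        { list = (n++ ? list ", " : "") $1 }
        END {
            close(err)
            if (!n) exit 1                     # emit no empty alias
            printf "Runas_Alias %s = %s\n", name, list
        }
    ' "$4"
}

# Demo: the range from the post's WEBACCOUNTS alias.
sample_passwd | gen_runas_alias WEBACCOUNTS 30000 65535 -
```

Syntax-check the resulting sudoers file with `visudo -c` before relying on it, and regenerate the alias whenever accounts in the range are added or removed.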



	


