restriction by UID range?

bergman at merctech.com bergman at merctech.com
Fri Sep 13 15:14:57 EDT 2002


I'd like to set up sudo (v. 1.6.6, under Solaris 9) so that trusted users can 
spawn a shell as another user, but only if the named user has a UID within a 
certain range.

In this hypothetical environment, user "joe" would be able to run anything 
(including spawning a shell) as any of the webaccounts (30000 >= UID >= 65536).

	#cat /etc/passwd	# hypothetical password file
	root:x:0:1:Super-User:/root:/usr/bin/bash
	daemon:x:1:1::/:
	bin:x:2:2::/usr/bin:
	sys:x:3:3::/:
	adm:x:4:4:Admin:/var/adm:
	joe:x:200:Joe:/export/home/joe:/bin/bash
	homepage:x:30025:30001:Home Page:/export/htdocs/homepage:/bin/bash
	webmaster:x:30026:30001:Web Master:/export/htdocs/webmaster:/bin/bash
	accounting:x:30027:30001:Accounting:/export/htdocs/accounting:/bin/bash
	finanace:x:30028:30001:Finance:/export/htdocs/finance:/bin/bash

	#cat /etc/sudoers	# hypothetical sudoers config
	Runas_Alias WEBACCOUNTS=#[30000-65535]

	joe (WEBACCOUNTS) ALL

Is this possible, without a wrapper script?

Mark
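An added example, not part of the original post and not code from the sudo project: rather than the hypothetical range syntax above, it builds an ordinary `Runas_Alias` user list by filtering passwd-format input on UID. The names `gen_runas_alias` and `sample_passwd` are hypothetical, and the sample passwd lines are constructed for the example.

```shell
#!/bin/sh
# Build a sudoers Runas_Alias line from passwd-format input, keeping only
# accounts whose UID lies in [min, max].
# usage: gen_runas_alias ALIAS MIN_UID MAX_UID [passwd-file]   (default: stdin)
gen_runas_alias() {
    awk -F: -v name="$1" -v min="$2" -v max="$3" '
        /^#/ || NF != 7 { next }                       # comment or malformed entry
        $3 !~ /^[0-9]+$/ { next }                      # UID field must be numeric
        $1 !~ /^[A-Za-z_][A-Za-z0-9_.-]*$/ { next }    # skip names unsafe to paste into sudoers
        ($3 + 0) >= min && ($3 + 0) <= max {
            members = members (members ? ", " : "") $1
        }
        END {
            if (members == "") exit 1                  # never emit an empty alias
            printf "Runas_Alias %s = %s\n", name, members
        }
    ' "${4:--}"
}

# Constructed sample input. The "joe" line has only six fields and is skipped.
# Solaris ships "nobody" with UID 60001, which falls inside 30000-65535.
sample_passwd() {
    cat <<'EOF'
root:x:0:1:Super-User:/root:/usr/bin/bash
joe:x:200:Joe:/export/home/joe:/bin/bash
homepage:x:30025:30001:Home Page:/export/htdocs/homepage:/bin/bash
webmaster:x:30026:30001:Web Master:/export/htdocs/webmaster:/bin/bash
nobody:x:60001:60001:Nobody:/:
EOF
}

# Range taken from the post: the alias also picks up "nobody".
sample_passwd | gen_runas_alias WEBACCOUNTS 30000 65535
# A tighter upper bound keeps only the web accounts.
sample_passwd | gen_runas_alias WEBACCOUNTS 30000 59999
```

The generated line is a snapshot of the passwd data, so it has to be regenerated whenever accounts in the range are added or removed.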



	





