restriction by UID range?

Brown, Tony TBrown2 at nmff.org
Fri Sep 13 15:19:33 EDT 2002


I could be wrong but if you have Solaris 9, why not use RBAC ... seems that this would be easier to pull off with that.

-----Original Message-----
From: bergman at merctech.com [mailto:bergman at merctech.com]
Sent: Friday, September 13, 2002 2:15 PM
To: sudo-users at sudo.ws
Subject: restriction by UID range?
I'd like to set up sudo (v. 1.6.6, under Solaris 9) so that trusted users can 
spawn a shell as another user, but only if the named user has a UID within a 
certain range.

In this hypothetical environment, user "joe" would be able to run anything 
(including spawning a shell) as any of the webaccounts (30000 >= UID >= 65536).

	#cat /etc/passwd	# hypothetical password file
	root:x:0:1:Super-User:/root:/usr/bin/bash
	daemon:x:1:1::/:
	bin:x:2:2::/usr/bin:
	sys:x:3:3::/:
	adm:x:4:4:Admin:/var/adm:
	joe:x:200:200:Joe:/export/home/joe:/bin/bash
	homepage:x:30025:30001:Home Page:/export/htdocs/homepage:/bin/bash
	webmaster:x:30026:30001:Web Master:/export/htdocs/webmaster:/bin/bash
	accounting:x:30027:30001:Accounting:/export/htdocs/accounting:/bin/bash
	finance:x:30028:30001:Finance:/export/htdocs/finance:/bin/bash

	#cat /etc/sudoers	# hypothetical sudoers config
	Runas_Alias WEBACCOUNTS=#[30000-65535]

	joe (WEBACCOUNTS) ALL

Is this possible, without a wrapper script?

Mark
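Sudoers has no range syntax for Runas entries, so one way to get the effect asked for above without a per-invocation wrapper script is to derive the Runas_Alias from /etc/passwd and re-run the generator (and visudo) whenever accounts change. The Python script below is an added example, not code from either poster or from the sudo project; the alias name WEBACCOUNTS, the range 30000-65535 and the sample passwd records are assumptions modelled on the hypothetical setup in the message.

```python
# Generate a sudoers Runas_Alias from the accounts whose UID lies in a range.
# Added example: alias name, range and passwd data are assumptions modelled on
# the hypothetical setup in the thread, not the poster's or sudo's own code.

RANGE_LOW, RANGE_HIGH = 30000, 65535

# Constructed passwd data. 'joe' keeps the missing GID field from the thread's
# sample and 'nobody' (Solaris UID 60001) is added, to show how the generator
# treats malformed records and accounts that happen to fall inside the range.
SAMPLE_PASSWD = """\
root:x:0:1:Super-User:/root:/usr/bin/bash
daemon:x:1:1::/:
joe:x:200:Joe:/export/home/joe:/bin/bash
homepage:x:30025:30001:Home Page:/export/htdocs/homepage:/bin/bash
webmaster:x:30026:30001:Web Master:/export/htdocs/webmaster:/bin/bash
accounting:x:30027:30001:Accounting:/export/htdocs/accounting:/bin/bash
finance:x:30028:30001:Finance:/export/htdocs/finance:/bin/bash
nobody:x:60001:60001:Nobody:/:
"""

def parse_passwd(text):
    """Yield (login, uid) for each well-formed seven-field passwd record."""
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7 or not fields[2].isdigit():
            # A malformed record must not silently grant or deny access:
            # report it and leave it out of the alias.
            print(f"skipping malformed passwd line {lineno}: {line!r}")
            continue
        yield fields[0], int(fields[2])

def users_in_uid_range(text, low=RANGE_LOW, high=RANGE_HIGH):
    """Logins whose UID satisfies low <= UID <= high, ordered by UID."""
    matches = [(uid, name) for name, uid in parse_passwd(text) if low <= uid <= high]
    return [name for uid, name in sorted(matches)]

def sudoers_fragment(text, alias="WEBACCOUNTS", user="joe", low=RANGE_LOW, high=RANGE_HIGH):
    """Runas_Alias plus the rule letting `user` run anything as those accounts."""
    names = users_in_uid_range(text, low, high)
    if not names:
        # An empty Runas_Alias is a sudoers syntax error; fail loudly instead.
        raise ValueError(f"no accounts with UID in {low}-{high}")
    return (f"Runas_Alias {alias} = {', '.join(names)}\n"
            f"{user} ALL = ({alias}) ALL\n")

if __name__ == "__main__":
    # Review the output before installing it with visudo: the range also
    # caught 'nobody', which a pure UID-range rule would have included too.
    print(sudoers_fragment(SAMPLE_PASSWD), end="")
```

Regenerating the alias on a schedule or from the account-provisioning step keeps it in step with /etc/passwd; a stale alias silently leaves new web accounts out, or keeps a recycled UID in.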

____________________________________________________________ 
sudo-users mailing list <sudo-users at sudo.ws>
For list information, options, or to unsubscribe, visit:
http://www.sudo.ws/mailman/listinfo/sudo-users