restriction by UID range?
Brown, Tony
TBrown2 at nmff.org
Fri Sep 13 15:19:33 EDT 2002
I could be wrong but if you have Solaris 9, why not use RBAC ... seems that this would be easier to pull off with that.
-----Original Message-----
From: bergman at merctech.com [mailto:bergman at merctech.com]
Sent: Friday, September 13, 2002 2:15 PM
To: sudo-users at sudo.ws
Subject: restriction by UID range?
I'd like to set up sudo (v. 1.6.6, under Solaris 9) so that trusted users can
spawn a shell as another user, but only if the named user has a UID within a
certain range.
In this hypothetical environment, user "joe" would be able to run anything
(including spawning a shell) as any of the webaccounts (30000 >= UID >= 65536).
#cat /etc/passwd # hypothetical password file
root:x:0:1:Super-User:/root:/usr/bin/bash
daemon:x:1:1::/:
bin:x:2:2::/usr/bin:
sys:x:3:3::/:
adm:x:4:4:Admin:/var/adm:
joe:x:200:Joe:/export/home/joe:/bin/bash
homepage:x:30025:30001:Home Page:/export/htdocs/homepage:/bin/bash
webmaster:x:30026:30001:Web Master:/export/htdocs/webmaster:/bin/bash
accounting:x:30027:30001:Accounting:/export/htdocs/accounting:/bin/bash
finanace:x:30028:30001:Finance:/export/htdocs/finance:/bin/bash
#cat /etc/sudoers # hypothetical sudoers config
Runas_Alias WEBACCOUNTS=#[30000-65535]
joe (WEBACCOUNTS) ALL
Is this possible, without a wrapper script?
Mark
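One way to get the effect asked about in this thread, as an added example that is not part of the original messages: a small sh/awk helper that expands a UID range into an explicit Runas_Alias line, on the assumption that the alias has to list accounts by name. The function names, the 59999 cap and the sample passwd data (constructed, modelled on the hypothetical file in the question) are illustrative choices.

```shell
#!/bin/sh
# Added example (not from the thread): expand a UID range into an explicit
# Runas_Alias line. Assumption: sudoers needs each account listed by name.

# gen_runas_alias ALIAS MIN MAX   (passwd-format data on stdin)
# Prints one Runas_Alias line for logins with MIN <= UID <= MAX.
# Returns 1 and prints nothing when no account matches, so an empty
# alias is never written.
gen_runas_alias() {
    awk -F: -v name="$1" -v min="$2" -v max="$3" '
        NF != 7                      { next }  # malformed entry
        $3 !~ /^[0-9]+$/             { next }  # UID must be numeric
        $1 !~ /^[a-z_][a-z0-9_-]*$/  { next }  # keep sudoers syntax out of the list
        ($3 + 0) >= (min + 0) && ($3 + 0) <= (max + 0) {
            list = list (n++ ? ", " : "") $1
        }
        END {
            if (n == 0) exit 1
            printf "Runas_Alias %s = %s\n", name, list
        }'
}

# Constructed sample input. The joe entry has only six fields, as in the
# question, and is skipped as malformed. The nobody entry uses the UID
# that Solaris gives that account (60001).
sample_passwd() {
    cat <<'EOF'
root:x:0:1:Super-User:/root:/usr/bin/bash
joe:x:200:Joe:/export/home/joe:/bin/bash
homepage:x:30025:30001:Home Page:/export/htdocs/homepage:/bin/bash
webmaster:x:30026:30001:Web Master:/export/htdocs/webmaster:/bin/bash
nobody:x:60001:60001:Nobody:/:
EOF
}

# A 30000-65535 range would also pick up nobody, so this run caps the
# range at 59999 (an illustrative value) to leave system accounts out.
sample_passwd | gen_runas_alias WEBACCOUNTS 30000 59999
echo 'joe ALL = (WEBACCOUNTS) ALL'
```

The generated alias is a snapshot of the passwd data, so an account created in the range later is not covered until the line is regenerated (for example from `getent passwd | gen_runas_alias WEBACCOUNTS 30000 59999`).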