Re: user changable brightness?

From: Oliver Fromme <olli_at_lurza.secnetix.de>
Date: Wed, 28 Sep 2005 15:28:00 +0200 (CEST)

Emanuel Strobl wrote:
 > Oliver Fromme wrote:
 > > [...]
 > > How about using "sudo" or "super" (from ports collection)?
 > 
 > Hmm, I never used these but I guess you have to enter the SuperUser
 > password.

No, not necessarily.  You can configure it in a way so that
a script can be executed by specific users (or groups) under
controlled conditions with root privileges.

If you've never used "sudo" or "super" before, I suggest you
just give it a try and install /usr/ports/security/super.
(Personally I prefer "super", because its configuration is
m.)

Here's a simple real-world configuration example:

/srv/apache/cgi-bin/cvsweb /srv/apache/cgi-bin/cvsweb \
        apache@example.de nargs=0 uid=cvs gid=<caller> \
        env=PATH_INFO,QUERY_STRING,SCRIPT_NAME

This enables the "apache" user to run the cvsweb CGI as the
"cvs" user on the host example.de (with no arguments, and
only passing the environment variables given).  No password
is required to be entered, obviously.

Best regards
   Oliver

PS:  In my opinion, there is no reason to implement ACLs,
permission modes or similar things for the sysctl MIB.
That would add significant complexity for no real benefit,
because there are already tools like sudo or super which
can be used with great flexibility.

For example, look at the existing sysctl vfs.usermount.
When set to 1, it allows ordinary users to mount devices
(provided they have access to the device and own the
mount point).

But:  What if you want to enable users in group A to mount
floppies and CDs, while allowing users in group B to mount
USB memory sticks, but only read-only?  What if you want to
force them to mount things only in their home, but not in
/tmp or anywhere else?  What if you want to enable mounts
only for those users who are logged on the console?  What
if you want to restrict by date or time?  What if you want
any user mount to be logged via syslog?

All of that is really trivial to do with "super" (each is
a one-liner in the configuration).

-- 
Oliver Fromme,  secnetix GmbH & Co. KG, Marktplatz 29, 85567 Grafing
Services with a focus on FreeBSD: http://www.secnetix.de/bsd
Any opinions expressed in this message may be personal to the author
and may not necessarily reflect the opinions of secnetix in any way.

"With sufficient thrust, pigs fly just fine.  However, this
is not necessarily a good idea.  It is hard to be sure where
they are going to land, and it could be dangerous sitting
under them as they fly overhead." -- RFC 1925
Received on Wed Sep 28 2005 - 11:28:03 UTC
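
The cvsweb rule from the message above, expressed in sudoers syntax for comparison. This is an added example, not part of the original post; the file location is an assumption, and gid=<caller> is not reproduced, because sudo runs the command with the target user's group by default.

```sudoers
# Assumed location: /usr/local/etc/sudoers.d/cvsweb (edit with "visudo -f").

# The trailing "" means the command may only be run with no arguments,
# which is the counterpart of nargs=0 in the super rule.
Cmnd_Alias CVSWEB = /srv/apache/cgi-bin/cvsweb ""

# For this command only: reset the environment and replace the keep list
# with the three CGI variables from the super rule. sudo still adds its own
# base variables (HOME, LOGNAME, PATH, SUDO_USER, ...) to the result.
Defaults!CVSWEB env_reset, env_keep = "PATH_INFO QUERY_STRING SCRIPT_NAME"

# user   host       = (run-as user) no password prompt: command
apache   example.de = (cvs) NOPASSWD: CVSWEB
```

The caller would run it as `sudo -n -u cvs /srv/apache/cgi-bin/cvsweb`; with `-n`, sudo fails instead of prompting if the rule does not match.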