Emanuel Strobl wrote:
 > Oliver Fromme wrote:
 > > [...]
 > > How about using "sudo" or "super" (from ports collection)?
 >
 > Hmm, I never used these but I guess you have to enter the SuperUser
 > password.

No, not necessarily.  You can configure it in a way so that a
script can be executed by specific users (or groups) under
controlled conditions with root privileges.

If you've never used "sudo" or "super" before, I suggest you
just give it a try and install /usr/ports/security/super.
(Personally I prefer "super", because its configuration is m.)

Here's a simple real-world configuration example:

    /srv/apache/cgi-bin/cvsweb /srv/apache/cgi-bin/cvsweb \
        apache_at_example.de nargs=0 uid=cvs gid=<caller> \
        env=PATH_INFO,QUERY_STRING,SCRIPT_NAME

This enables the "apache" user to run the cvsweb CGI as the
"cvs" user on the host example.de (with no arguments, and
only passing the environment variables given).  No password
is required to be entered, obviously.

Best regards
   Oliver

PS:  In my opinion, there is no reason to implement ACLs,
permission modes or similar things for the sysctl MIB.
That would add significant complexity for no real benefit,
because there are already tools like sudo or super which
can be used with great flexibility.

For example, look at the existing sysctl vfs.usermount.
When set to 1, it allows ordinary users to mount devices
(provided they have access to the device and own the mount
point).  But:

 - What if you want to enable users in group A to mount
   floppies and CDs, while allowing users in group B to
   mount USB memory sticks, but only read-only?
 - What if you want to force them to mount things only in
   their home, but not in /tmp or anywhere else?
 - What if you want to enable mounts only for those users
   who are logged on the console?
 - What if you want to restrict by date or time?
 - What if you want any user mount to be logged via syslog?

All of that is really trivial to do with "super" (each is
a one-liner in the configuration).

-- 
Oliver Fromme, secnetix GmbH & Co. KG, Marktplatz 29, 85567 Grafing
Dienstleistungen mit Schwerpunkt FreeBSD: http://www.secnetix.de/bsd
Any opinions expressed in this message may be personal to the author
and may not necessarily reflect the opinions of secnetix in any way.

"With sufficient thrust, pigs fly just fine.  However, this
is not necessarily a good idea.  It is hard to be sure where
they are going to land, and it could be dangerous sitting
under them as they fly overhead."  -- RFC 1925

Received on Wed Sep 28 2005 - 11:28:03 UTC
This archive was generated by hypermail 2.4.0 : Wed May 19 2021 - 11:38:44 UTC
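
An added example, not part of the original message and not code from the "super" project: a small Python check that reads entries written like the cvsweb one above and compares them with a local policy (explicit non-root uid=, nargs=0, env= limited to an allow-list). It assumes only the syntax visible in the message plus '#' comment lines; the function names and the policy itself are hypothetical.

```python
# Added example: parse super.tab-style entries and check them against a local policy.
# Assumption: only the syntax visible in the message is handled (name, path,
# caller patterns, key=value options, backslash continuation) plus '#' comments.

# Constructed sample: the entry quoted in the message, as the archive shows it.
SAMPLE = r"""
/srv/apache/cgi-bin/cvsweb /srv/apache/cgi-bin/cvsweb \
    apache_at_example.de nargs=0 uid=cvs gid=<caller> \
    env=PATH_INFO,QUERY_STRING,SCRIPT_NAME
"""

def parse_entries(text):
    """Return one dict per entry: name, path, callers, options."""
    joined = text.replace("\\\n", " ")          # fold continuation lines
    entries = []
    for line in joined.splitlines():
        tokens = line.split()
        if not tokens or tokens[0].startswith("#"):
            continue
        positional = [t for t in tokens if "=" not in t]
        options = dict(t.split("=", 1) for t in tokens if "=" in t)
        if len(positional) < 2:
            raise ValueError("entry needs a name and a path: %r" % line)
        entries.append({"name": positional[0], "path": positional[1],
                        "callers": positional[2:], "options": options})
    return entries

def audit(entry, allowed_env):
    """Return policy findings for one entry; an empty list means it conforms."""
    opts, findings = entry["options"], []
    if opts.get("uid", "root") == "root":
        findings.append("no explicit non-root uid=")
    if opts.get("nargs") != "0":
        findings.append("arguments not pinned with nargs=0")
    if "env" not in opts:
        findings.append("no explicit env= list")
    else:
        extra = sorted(set(opts["env"].split(",")) - set(allowed_env))
        if extra:
            findings.append("env passes variables outside the allow-list: "
                            + ",".join(extra))
    if not entry["callers"]:
        findings.append("no caller pattern")
    return findings

if __name__ == "__main__":
    cgi_env = {"PATH_INFO", "QUERY_STRING", "SCRIPT_NAME"}
    for e in parse_entries(SAMPLE):
        print(e["name"], audit(e, cgi_env) or "conforms to policy")
```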