On Aug 22, 2006, at 3:48 PM, David Rocamora wrote:
On 8/22/06 2:12 PM, "Dan Shoop" <email@hidden> wrote:
You have a codified security policy, right?
Yeah. It's "don't give anyone admin access." :)
Ah...the easy way out. =-)
Maybe others have been in situations where a user requires admin
access. I haven't.
The sudo command can be used for more than admin access. For
example, I have a user who needs to act as a different user on a
regular basis. Using visudo, I add the following line:
username ALL=(otherusername) NOPASSWD: ALL
This allows the user to enter "sudo -u otherusername command_string"
and effectively be that user (in this case without a password). It's
not difficult to create a really specialized list of commands or user
group. Reading the sudo man page is really quite helpful. The
command is amazingly powerful in what it will allow you to do. The
only use people seem to think about is doing things as root.
You can also restrict the commands the person can run by doing
something like:
Cmnd_Alias SUPPORT = /usr/bin/less, /bin/more, /bin/chmod, /bin/chown, /bin/cat
and then:
username ALL=(root) NOPASSWD: SUPPORT
This gives the person rights to run the listed commands as root, but
nothing else.
Also, if you need to be root with a complete root login, you can do
sudo -i, which is a new feature in the recent upgrade to the version
installed in OS X. Using sudo -s gives you a login, but with your
environment as root. Using the -i will give you a full root login
simulating root's initial login (TERM is unchanged, but HOME, SHELL,
USER, LOGNAME, and PATH are set while all other environment variables
are unset).
-Michael
-----------------------------
Das Verhalten von Gates hatte mir bewiesen, dass ich auf ihn und
seine beiden Gefaehrten nicht rechnen durfte.
(The behavior of Gates proved to me that I couldn't count on him or
his two companions.)
-Karl May, Winnetou III Das Testament des Apachen
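
An added example, not part of the original message or of sudo itself: a small Python check that reads the two sudoers rules quoted above and lists what each one grants in practice. It relies on the sudoers rule that a command listed without arguments may be run with any arguments; the names PAGERS, UNBOUNDED and audit, and the simplified one-line rule parsing, are assumptions made for this example.

```python
import re

# Constructed input: the two rules from the message, with its placeholder names.
SAMPLE = """\
Cmnd_Alias SUPPORT = /usr/bin/less, /bin/more, /bin/chmod, /bin/chown, /bin/cat
username ALL=(otherusername) NOPASSWD: ALL
username ALL=(root) NOPASSWD: SUPPORT
"""

# Assumption: short illustrative lists, not a complete catalogue.
PAGERS = {"less", "more"}
PAGER_NOTE = "pager can start other programs unless the NOEXEC tag is set"
UNBOUNDED = {
    "chmod": "no arguments in the rule, so any file's mode can be changed",
    "chown": "no arguments in the rule, so any file's owner can be changed",
    "cat": "no arguments in the rule, so any file can be read",
}

def audit(text):
    """Return sorted (user, runas, command, note) findings for one-line rules."""
    aliases, findings = {}, set()
    for line in map(str.strip, text.splitlines()):
        if not line or line.startswith("#"):
            continue
        m = re.match(r"Cmnd_Alias\s+(\w+)\s*=\s*(.+)", line)
        if m:  # remember the alias so later rules can be expanded
            aliases[m.group(1)] = [c.strip() for c in m.group(2).split(",") if c.strip()]
            continue
        m = re.match(r"(\S+)\s+\S+\s*=\s*\((\w+)\)\s*((?:[A-Z]+:\s*)*)(.+)", line)
        if not m:
            continue
        user, runas, tags, cmds = m.groups()
        for item in filter(None, (c.strip() for c in cmds.split(","))):
            for cmd in aliases.get(item, [item]):
                name = cmd.split()[0].rsplit("/", 1)[-1]
                if cmd == "ALL":
                    pw = "without" if "NOPASSWD" in tags else "with"
                    note = f"any command as {runas}, {pw} a password"
                elif name in PAGERS and "NOEXEC" not in tags:
                    note = PAGER_NOTE
                elif name in UNBOUNDED and len(cmd.split()) == 1:
                    note = UNBOUNDED[name]
                else:
                    continue
                findings.add((user, runas, cmd, note))
    return sorted(findings)

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(" | ".join(finding))
```

A rule that tags the alias with NOEXEC: and gives each command explicit arguments produces no findings from this check.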