On 11.03.2013 20:44, Samuele Kaplun wrote:
Hello Samuele!
[...]
and here she is allowed to become /any/ user. Even a user
with /more/ rights than she actually had herself. I.e.
every user that has cfgwebaccess can effectively su
- root.
I wonder whether this is really intended... Looks like a
backdoor.
Not really a back-door but a limitation in this sense. In
the end, like on UNIX systems, the person who can edit
sudoers file can grant himself root rights. I don’t see a
quick workaround to this “feature” :-)
Well I admit that I don't give visudo to anyone except root
;) But I might give su - someone e.g.
What I'd like to enable is a su to users with less or
equal rights e.g. for our helpdesk. This would allow
them to check contents of some baskets or see some
workflowish stuff exactly as the enduser does.
OK. That actually exists (you might have seen it in the
Manage Accounts area in the form of the “Become user”
functionality).
Right. And I'd actually like to have that for our helpdesk.
However it is indeed available to users authorized to
“cfgwebaccess” as you have well remarked.
Yepp.
But even though I really trust our helpdesk I'd like to
avoid them to have a bunch of admin options that only
cause confusion. This might happen by sheer chance as
usernames are e-mail addresses and I just count what
mails I get due to (near and exact) name dupes...
Indeed we might introduce finer-grained tuning of
this action so that e.g. we might specially authorize the
“Become user” action. However, how to prevent an authorized
user from becoming admin? There is no intrinsic sorting of
privileges... any suggestion, anybody?
At least for my usecase one might check if you gain
additional rights (rights you don't already have) if you su
to someone else. In a way checking if my current rights are
a superset of the newly gained.
That way I could enable STAFF to become EDITOR or USER which
are effectively two groups of users with less rights.
--
Kind regards,
Alexander Wagner
Subject Specialist
Central Library
52425 Juelich
mail : [email protected]
phone: +49 2461 61-1586
Fax : +49 2461 61-6103
www.fz-juelich.de/zb/DE/zb-fi
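The superset check proposed in the message above, sketched as an added example (not part of the original e-mail and not Invenio code). The role names STAFF, EDITOR and USER and the action `cfgwebaccess` come from the thread; the ADMIN role, the `becomeuser`, `editrecord` and `viewbasket` actions, their arguments and all function names are assumptions. Set inclusion only needs a partial order, so no intrinsic ranking of privileges is required.

```python
# Constructed role table: STAFF/EDITOR/USER and "cfgwebaccess" are named in the
# thread; ADMIN and every other action name and argument are hypothetical.
ROLE_RIGHTS = {
    "ADMIN":  {("cfgwebaccess", "*"), ("becomeuser", "*"),
               ("editrecord", "*"), ("viewbasket", "*")},
    "STAFF":  {("becomeuser", "*"), ("editrecord", "*"), ("viewbasket", "*")},
    "EDITOR": {("editrecord", "theses"), ("viewbasket", "own")},
    "USER":   {("viewbasket", "own")},
}


def effective_rights(roles, table=ROLE_RIGHTS):
    """Union of (action, argument) grants over all roles a user holds."""
    rights = set()
    for role in roles:
        rights |= table[role]  # unknown role raises KeyError: fail closed
    return rights


def covers(held, needed):
    """True if `held` includes `needed`; a held '*' matches any argument."""
    action, arg = needed
    return (action, "*") in held or (action, arg) in held


def gained_rights(actor_roles, target_roles, table=ROLE_RIGHTS):
    """Rights the actor would acquire by impersonating the target."""
    held = effective_rights(actor_roles, table)
    target = effective_rights(target_roles, table)
    return {right for right in target if not covers(held, right)}


def may_become(actor_roles, target_roles, table=ROLE_RIGHTS):
    """Allow impersonation only if authorized and no new right is gained."""
    held = effective_rights(actor_roles, table)
    if not any(action == "becomeuser" for action, _ in held):
        return False  # "Become user" is its own action, separate from admin
    return not gained_rights(actor_roles, target_roles, table)
```

A denied request can report `gained_rights(...)` so the log shows exactly which grants would have been acquired.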