Re: sudoedit, restricting to particular folder
Well, the problem with that would be that we are editing about 4000 zone files (that includes forwards and reverses), so an entry for each zone wouldn't do; that is why I was hoping to make it effective on a whole folder, not just one file or two. I was considering a folder permissions solution; that seems like it would work well, I think. Then I could use sudo to restrict to only rndc and let them have group write access on the zones folder. I think that would be better than sudoedit.

On 6/2/06, N.J. Thomas [EMAIL PROTECTED] wrote:
> * Lawrence Horvath [EMAIL PROTECTED] [2006-06-01 22:13:39 -0700]:
> > Well, in that case what can you recommend for editing only zone files and
> > being able to run rndc? That is my main goal: I need to lock a system so
> > that only rndc reload, rndc reconfig and editing zone files is possible by
> > a group of users. Any suggestions? And/or how do you do this?
>
> Restricting a group of users to run only rndc reload and rndc reconfig via
> sudo is trivial. sudoers(1) will explain how, and the sudoers file that comes
> with sudo is chock full of examples. Off the top of my head, you would do
> something like this:
>
>     User_Alias DNSOPS = user1, user2, user3
>     Cmnd_Alias DNSRELOAD = /usr/sbin/rndc reload
>     Cmnd_Alias DNSRECONF = /usr/sbin/rndc reconfig
>     DNSOPS ALL = DNSRELOAD, DNSRECONF
>
> Don't know if that parses properly, but you get the idea.
>
> As far as editing only zone files, if you know the names of the files that
> they need to edit, something like this is sufficient:
>
>     DNSOPS ALL = sudoedit /etc/named.conf
>     DNSOPS ALL = sudoedit /etc/rndc.conf
>     DNSOPS ALL = sudoedit /var/named/zone1
>     DNSOPS ALL = sudoedit /var/named/zone2
>
> However, if your users need to be able to create/modify/rename files under
> /var/named (as you mentioned in your OP), then you will need a properly
> written wrapper script.
>
> Thomas
>
> --
> N.J. Thomas [EMAIL PROTECTED]
> Etiamsi occiderit me, in ipso sperabo

--
-Lawrence
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]
Re: sudoedit, restricting to particular folder
* Lawrence Horvath [EMAIL PROTECTED] [2006-06-01 22:13:39 -0700]:
> Well, in that case what can you recommend for editing only zone files and
> being able to run rndc? That is my main goal: I need to lock a system so
> that only rndc reload, rndc reconfig and editing zone files is possible by
> a group of users. Any suggestions? And/or how do you do this?

Restricting a group of users to run only rndc reload and rndc reconfig via sudo is trivial. sudoers(1) will explain how, and the sudoers file that comes with sudo is chock full of examples. Off the top of my head, you would do something like this:

    User_Alias DNSOPS = user1, user2, user3
    Cmnd_Alias DNSRELOAD = /usr/sbin/rndc reload
    Cmnd_Alias DNSRECONF = /usr/sbin/rndc reconfig
    DNSOPS ALL = DNSRELOAD, DNSRECONF

Don't know if that parses properly, but you get the idea.

As far as editing only zone files, if you know the names of the files that they need to edit, something like this is sufficient:

    DNSOPS ALL = sudoedit /etc/named.conf
    DNSOPS ALL = sudoedit /etc/rndc.conf
    DNSOPS ALL = sudoedit /var/named/zone1
    DNSOPS ALL = sudoedit /var/named/zone2

However, if your users need to be able to create/modify/rename files under /var/named (as you mentioned in your OP), then you will need a properly written wrapper script.

Thomas

--
N.J. Thomas [EMAIL PROTECTED]
Etiamsi occiderit me, in ipso sperabo
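The "properly written wrapper script" that N.J. Thomas points to, as an added example that is not from this thread, from sudo or from BIND: a hypothetical /usr/local/sbin/zoneedit that sudo would grant instead of a sudoedit wildcard. It assumes the zone directory is /var/named (overridable via ZONEDIR), that only bare file names are ever needed, and that SUDO_USER and EDITOR are set by sudo and the caller's environment.

```shell
#!/bin/sh
# zoneedit: hypothetical wrapper (added example, not from the thread or sudo).
# Meant to be the only command sudo grants for zone editing, e.g. in sudoers:
#   Cmnd_Alias ZONEEDIT = /usr/local/sbin/zoneedit
#   DNSOPS ALL = (root) ZONEEDIT
# Unlike "sudoedit /var/named/*", it takes a bare file name only, refuses
# symlinks, and runs the editor as the calling user on a private copy, so a
# symlink dropped into the zone directory gains nothing.
ZONEDIR="${ZONEDIR:-/var/named}"

# check_zone_path NAME: return 0 if NAME is a safe target inside ZONEDIR.
check_zone_path() {
    case "$1" in
        ''|.|..|*/*|-*) return 1 ;;   # empty, dot dirs, any path component, option-like
    esac
    f="$ZONEDIR/$1"
    [ -L "$ZONEDIR" ] && return 1     # the zone directory itself must not be a link
    [ -L "$f" ] && return 1           # never follow a symlinked zone file
    [ -e "$f" ] && [ ! -f "$f" ] && return 1   # if it exists, regular file only
    return 0
}

# edit_zone NAME: copy out, edit as the invoking user, then copy back.
edit_zone() {
    check_zone_path "$1" || { echo "zoneedit: refusing '$1'" >&2; return 1; }
    f="$ZONEDIR/$1"
    tmp=$(mktemp /tmp/zoneedit.XXXXXX) || return 1
    [ -f "$f" ] && cat "$f" > "$tmp"
    # SUDO_USER is set by sudo; the editor runs unprivileged, so an editor
    # shell escape only yields the user's own shell, not root's.
    chown "${SUDO_USER:-root}" "$tmp"
    su -m "${SUDO_USER:-root}" -c "${EDITOR:-vi} $tmp" || { rm -f "$tmp"; return 1; }
    # Re-check immediately before writing back: a link created during the
    # edit session must not be followed either.
    check_zone_path "$1" || { rm -f "$tmp"; return 1; }
    cat "$tmp" > "$f"     # write through the verified regular file, never mv
    rm -f "$tmp"
}

if [ $# -eq 1 ]; then edit_zone "$1"; fi
```

Creating a new zone file is still allowed (a name that does not exist yet passes the check), which is the part of the original request that plain sudoedit entries could not cover.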
Re: sudoedit, restricting to particular folder
Well, in that case what can you recommend for editing only zone files and being able to run rndc? That is my main goal: I need to lock a system so that only rndc reload, rndc reconfig and editing zone files is possible by a group of users. Any suggestions? And/or how do you do this?

On 5/31/06, N.J. Thomas [EMAIL PROTECTED] wrote:
> * Kirk Strauser [EMAIL PROTECTED] [2006-05-30 16:30:45 -0500]:
> > >     luser ALL = (root) sudoedit /home/luser/foo/*
> >
> > Why not give them root while you're at it:
> >
> >     luser$ cd ~/foo; ln -s /etc/master.passwd; sudoedit ~/foo/master.passwd
>
> Yikes, he's right. Don't put that in your sudoers file.
>
> I found some notes on the sudo mailing lists while Googling, that
>
>     luser ALL = (root) sudoedit /home/luser/foo/
>
> would work one day for all files in /home/luser/foo/. IIRC Todd Miller said
> this would come out in version 1.7, but it looks like development of sudo
> has stalled, so short of writing your own wrapper script (which shouldn't
> be terribly hard) I don't know how to solve the original problem of
> restricting sudoedit to a particular directory using sudo alone.
>
> Thomas
>
> --
> N.J. Thomas [EMAIL PROTECTED]
> Etiamsi occiderit me, in ipso sperabo

--
-Lawrence
Re: sudoedit, restricting to particular folder
* Kirk Strauser [EMAIL PROTECTED] [2006-05-30 16:30:45 -0500]:
> >     luser ALL = (root) sudoedit /home/luser/foo/*
>
> Why not give them root while you're at it:
>
>     luser$ cd ~/foo; ln -s /etc/master.passwd; sudoedit ~/foo/master.passwd

Yikes, he's right. Don't put that in your sudoers file.

I found some notes on the sudo mailing lists while Googling, that

    luser ALL = (root) sudoedit /home/luser/foo/

would work one day for all files in /home/luser/foo/. IIRC Todd Miller said this would come out in version 1.7, but it looks like development of sudo has stalled, so short of writing your own wrapper script (which shouldn't be terribly hard) I don't know how to solve the original problem of restricting sudoedit to a particular directory using sudo alone.

Thomas

--
N.J. Thomas [EMAIL PROTECTED]
Etiamsi occiderit me, in ipso sperabo
sudoedit
I am trying to get sudoedit to only work on a certain folder, so that you can only sudoedit files within the /home/named folder.

    Cmnd_Alias COPY = /usr/local/bin/sudoedit /home/named/, /bin/cp, /bin/mv

It would be something like that, only that's not working.

    $ uname -a
    FreeBSD ns1.sporkton.com 6.0-RELEASE FreeBSD 6.0-RELEASE #0: Thu Nov 3 09:36:13 UTC 2005 [EMAIL PROTECTED]:/usr/obj/usr/src/sys/GENERIC i386
    $ sudo -V
    Sudo version 1.6.8p9

Thanks

--
-Lawrence
Re: sudoedit, restricting to particular folder
* Lawrence Horvath [EMAIL PROTECTED] [2006-05-30 13:46:33 -0700]:
> I am trying to get sudoedit to only work on a certain folder. So that you
> can only sudoedit files with in the /home/named folder.

The following works for me:

    luser ALL = (root) sudoedit /home/luser/foo/*

(Sudo 1.6.8p12, FreeBSD 5.4)

hth,
Thomas

--
N.J. Thomas [EMAIL PROTECTED]
Etiamsi occiderit me, in ipso sperabo
Re: sudoedit, restricting to particular folder
On Tuesday 30 May 2006 16:22, N.J. Thomas wrote:
> The following works for me:
>
>     luser ALL = (root) sudoedit /home/luser/foo/*
>
> (Sudo 1.6.8p12, FreeBSD 5.4)

Why not give them root while you're at it:

    luser$ cd ~/foo; ln -s /etc/master.passwd; sudoedit ~/foo/master.passwd

--
Kirk Strauser
The Day Companies