On Thu, 4 Jul 2002 13:26, Fraser Campbell wrote:
> On Thu, 2002-07-04 at 12:55, rj wrote:
> > What is the best way to delegate some root privileges for a user
> > which could only create e-mail accounts and make newaliases?
>
> sudo. We write a couple of wrapper scripts around adduser (it does a
> few other things as well) and allow access to it through sudo.
>
> An even better (or at least potentially easier) method put the users in
> a database or LDAP. Most MTA and Linux itself support lookups of
> aliases and users in this fashion, wrapping a web interface around a db
> (and likely LDAP) isn't too hard.

Delegating administrative access to one tree of an LDAP directory is easy. Preventing it from being used maliciously is another issue. A hostile user could create a new LDAP entry with a UID of 0...

Of course you could get an email server and POP server that both use LDAP only to store account details so there is never a Unix account, but that's painful to set up.

Restricting someone who has UID=0 in a chroot environment from taking over the rest of the machine is easy enough though...

-- 
I do not get viruses because I do not use MS software.
If you use Outlook then please do not put my email address in your
address-book so that WHEN you get a virus it won't use my address in the
From field.
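
An added example, not part of the original message: one way to check for the UID-0 risk raised above is to audit an LDIF export of the delegated subtree for `uidNumber`/`gidNumber` values below a floor. The floor of 1000, the function names and the sample entries are assumptions; the parser handles RFC 2849 line folding and base64 (`::`) values, which a plain grep for `uidNumber: 0` would miss.

```python
import base64

MIN_ID = 1000  # assumed site policy: lowest ID a delegated admin may assign

# Constructed, abbreviated sample export of a delegated subtree.
SAMPLE_LDIF = """\
dn: uid=alice,ou=mail,dc=example,dc=org
uidNumber: 5001
gidNumber: 5000

dn: uid=helper,ou=mail,dc=example,dc=org
uidNumber:: MA==
gidNumber: 5000

dn: uid=ops,ou=mail,
 dc=example,dc=org
uidNumber: 5002
gidNumber: 0
"""

def parse_ldif(text):
    """Yield one {attr: [values]} dict per entry, unfolded and base64-decoded."""
    unfolded = text.replace("\r\n", "\n").replace("\n ", "")  # RFC 2849 folding
    for block in unfolded.split("\n\n"):
        entry = {}
        for line in block.splitlines():
            attr, sep, rest = line.partition(":")
            if not sep or line.startswith("#"):
                continue
            if rest.startswith(":"):  # "attr:: <base64 value>"
                value = base64.b64decode(rest[1:].strip()).decode("utf-8", "replace")
            else:
                value = rest.strip()
            entry.setdefault(attr.lower(), []).append(value)
        if entry:
            yield entry

def audit(text, min_id=MIN_ID):
    """Return sorted (dn, reason) pairs for entries whose IDs break the policy."""
    findings = []
    for e in parse_ldif(text):
        dn = e.get("dn", ["?"])[0]
        for attr in ("uidnumber", "gidnumber"):
            for v in e.get(attr, []):
                if not v.isdigit() or int(v) < min_id:
                    findings.append((dn, f"{attr} {v!r} is not an integer >= {min_id}"))
    return sorted(findings)
```

Running `audit()` on a periodic export, or as a pre-commit check in the wrapper that writes to the directory, flags such entries before any host resolves them through NSS.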