On Fri, 10 Sep 2004 08:38:11 +0800, John Summerfield <[EMAIL PROTECTED]> wrote:
> Paul Johnson wrote:
>
> ><#secure method=pgp mode=sign>
> >-----BEGIN PGP SIGNED MESSAGE-----
> >Hash: SHA1
> >
> >Gebhardt Thomas <[EMAIL PROTECTED]> writes:
> >
> >>it is possible to delegate the adding and removing of users to a
> >>non-root account without getting too much security hassle?
> >>(no alteration of system accounts possible, ...)
> >
> >Yup.
> >
> >>If so, is there an easy established/preferred/canonical way to do this?
> >
> >I believe sudo is probably what you're looking for. Other people
> >might be able to speak up about specific configurations needed to
> >facilitate limiting user ability to just adduser/deluser.
> >
> I already explained that doesn't work.
>
> You can probably make a wrapper to make it safe, but allowing anyone the
> untrammelled ability to create/change/delete accounts gives them the keys
> to the kingdom.

It might be that the limits of discretionary access controls have
already been hit - for more fine-grained access controls a customized
application would have to be coded, or a shift to stricter models of
system access (role-based comes to mind) would need to be done.

--
Paolo Alexis Falcone
[EMAIL PROTECTED]
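
Added example, not part of the original thread: one way the wrapper mentioned in the quoted reply could look, so that sudo grants a single script instead of adduser/deluser themselves. The script path, the sudoers entry and the 1000-59999 UID range (Debian's defaults for ordinary accounts) are assumptions, and accounts are looked up in the local passwd file only.

```shell
#!/bin/bash
# Added example: restricted account-admin wrapper, meant to be the ONLY command
# the delegate may run through sudo. Hypothetical sudoers entry:
#   useradmin ALL=(root) /usr/local/sbin/acctadm
# Assumptions: Debian adduser/deluser; ordinary accounts have UIDs 1000-59999.
export LC_ALL=C            # keep [a-z] ranges byte-exact
PASSWD_FILE=/etc/passwd    # a variable only so tests can use a constructed file
MIN_UID=1000
MAX_UID=59999

# Lowercase letter first, then [a-z0-9_-], at most 32 characters.
# A leading "-" is rejected, so a name can never be parsed as an option.
valid_username() {
    case "$1" in
        ''|[!a-z]*|*[!a-z0-9_-]*) return 1 ;;
    esac
    [ "${#1}" -le 32 ]
}

# Print the UID recorded for account $1; fail if there is no such account.
uid_of() {
    local name _pw uid _rest
    while IFS=: read -r name _pw uid _rest; do
        if [ "$name" = "$1" ]; then echo "$uid"; return 0; fi
    done < "$PASSWD_FILE"
    return 1
}

# New accounts: valid name that is not already taken.
may_add() { valid_username "$1" && ! uid_of "$1" >/dev/null; }

# Deletion: existing account inside the ordinary-user UID range only.
may_delete() {
    local uid
    valid_username "$1" || return 1
    uid=$(uid_of "$1") || return 1
    [ "$uid" -ge "$MIN_UID" ] && [ "$uid" -le "$MAX_UID" ]
}

main() {
    case "$1" in
        add) may_add "$2" || { echo "refused: $2" >&2; return 1; }
             adduser --disabled-password --gecos "" "$2" ;;   # no caller-chosen options
        del) may_delete "$2" || { echo "refused: $2" >&2; return 1; }
             deluser "$2" ;;
        *)   echo "usage: $0 add|del <name>" >&2; return 2 ;;
    esac
}
if [ "$#" -gt 0 ]; then main "$@"; fi
```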

