"Daniel V. Klein" <d...@lonewolf.com> wrote:
On Aug 13, 2011, at 9:38 AM, Diego Zamboni wrote:

> Hi Tom,
>
>> 1) Are you aware of a wrapper, unique shell or similar tool that could
>> provide root level access at a read only level?
>
> What comes to mind is to put the read-only functionality you want in a
> specific program, and then give sudo access to certain people *only* to that
> program. As long as (a big assumption!) that program only does what it's
> meant to, and doesn't have any ways of breaking out into a shell, those people
> should only be able to have root powers as far as the functionality of the
> program allows them.

Can you say "sudo"?

-Dan
_____________________________________________
Help-cfengine mailing list
Help-cfengine@cfengine.org
https://cfengine.org/mailman/listinfo/help-cfengine

I think Diego is just pointing out that even though you can restrict which users can elevate permissions for specific binaries, you can't control what that program does with those elevated privileges. If a program runs as root it can do what it likes. Consider what happens if the program provides a way to shell out and execute arbitrary commands itself.

--
Sent from my Android phone with K-9 Mail. Please excuse my brevity.
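
The concern raised in this thread, as an added example that is not part of the original messages: a Python check over a constructed sudoers policy that flags rules naming a program able to start other commands when the rule lacks the NOEXEC tag. The program list, the sample policy and the name audit_sudoers are assumptions made for illustration.

```python
import os
import re

# Assumption: short, non-exhaustive list of programs that can start other
# commands from inside an interactive session (pagers, editors, and so on).
SHELL_CAPABLE = {"vi", "vim", "less", "more", "man", "find", "awk"}

# Constructed sample policy, not taken from the thread.
SAMPLE_SUDOERS = """\
tom    ALL = (root) /usr/bin/less /var/log/messages
ops    ALL = (root) NOEXEC: /usr/bin/less /var/log/*, /usr/bin/tail /var/log/*
audit  ALL = (root) /bin/cat /etc/passwd, /usr/bin/vi /etc/hosts
admin  ALL = (ALL) ALL
"""

TAG = re.compile(r"\s*([A-Z_]+):\s*")    # e.g. "NOEXEC:" or "EXEC:"
RUNAS = re.compile(r"\s*\([^)]*\)\s*")   # e.g. "(root)"

def audit_sudoers(text):
    """Return (user, command, reason) for rules that grant more than they name.

    Simplified parser: plain user specifications only, no aliases, includes,
    line continuations or escaped commas.
    """
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "Defaults")) or "=" not in line:
            continue
        if "_Alias" in line:
            continue
        who, spec = line.split("=", 1)
        user, noexec = who.split()[0], False
        for item in spec.split(","):
            m = RUNAS.match(item)
            item = item[m.end():] if m else item
            # Tags stay in force for later commands on the same line.
            while (m := TAG.match(item)):
                noexec = {"NOEXEC": True, "EXEC": False}.get(m.group(1), noexec)
                item = item[m.end():]
            words = item.split()
            if not words:
                continue
            cmd = words[0]
            if cmd == "ALL":
                findings.append((user, cmd, "unrestricted"))
            elif os.path.basename(cmd) in SHELL_CAPABLE and not noexec:
                findings.append((user, cmd, "can run other commands as root"))
    return findings
```

NOEXEC only stops dynamically linked programs from executing further commands; it does not limit what the named program itself reads or writes as root.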