Chris wrote:
> I am finding that I need to add joeuser to use pkg_* tools, tcpdump as well.
> Is this the right way to do this?
You might as well give joeuser the root password if you give him access to
the pkg_add and pkg_delete tools.
The package framework has the ability to run scripts as root. All joeuser needs
to do is create his own package.tgz and run pkg_add $HOME/package.tgz.
I agree with others in this thread: your security design is flawed.
* Work towards alternative solutions when possible (i.e. can joeuser run
Ethereal from the client machine to get the network traffic instead of
tcpdump on the server?)
* Give read access if all they need is read-only.
* Don't push sysadmin work on the "web developer (joeuser)"; package
management is a perfect example. tcp dumps slightly less so.
* Mount does not necessarily require root. See mount and sysctl.conf
man pages for conditions and sysctl settings.
If you still want to go the sudo route after the comments you have
received, that is your decision. You can create server, user and
command groups in sudoers to help keep your sudoers file sane. See man
page for exact syntax.
-Keith
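
A sudoers fragment using the host, user and command groups mentioned above, added here as an illustration and not part of Keith's message. The host names, the interface em0 and the capture filter are assumptions.

```sudoers
# Constructed example; host names, interface and capture filter are assumptions.
Host_Alias  WEBSERVERS = web1, web2
User_Alias  WEBDEVS    = joeuser

# The arguments are spelled out, so sudo permits only this exact command line.
Cmnd_Alias  WEBCAPTURE = /usr/sbin/tcpdump -n -i em0 -c 1000 port 80

# pkg_add and pkg_delete are deliberately absent: a package can run its
# install scripts as root, so granting them is equivalent to granting root.
WEBDEVS  WEBSERVERS = (root) WEBCAPTURE
```

Check the file with visudo -c before relying on it.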