On Mon, Sep 17, 2007 at 10:49:04AM -0400, Woodchuck wrote:
> On Mon, 17 Sep 2007, Chris wrote:
>
> > On 9/17/07, Darrin Chandler <[EMAIL PROTECTED]> wrote:
> > > problem is. This is why people keep asking you to explain the problem
> > > more.
> >
> > Sorry for being vague. Ok, I have these in /e
Chris wrote:
I am finding that I need to add joeuser to use pkg_* tools, tcpdump as well.
Is this the right way to do this?
You might as well give joeuser root password if you give him access to
pkg_add and pkg_delete tools.
package framework has ability to run scripts as root. All joeus
On Sun, 16 Sep 2007, Matthew Szudzik wrote:
> What's a laptop user to do?
Run as root -- why not?
Be careful. Limit PATH. Keep the cat off the keyboard. (This
can be pesky if you're using vi at the time.)
Open a root xterm, make the background some weird color, use a font
and size you don't
Chris,
Hrmm...
Chris> Sorry for being vague. Ok, I have these in /etc/sudoers for joeuser.
Chris> joeuser is also in the wheel group.
[...]
Chris> I am finding that I need to add joeuser to use pkg_* tools, tcpdump as
Chris> well.
Chris>
Chris> Is this the right way to do this?
Um, these are
On 9/17/07, Chris <[EMAIL PROTECTED]> wrote:
> Ok, I have these in /etc/sudoers for joeuser.
> joeuser is also in the wheel group.
Why are you adding wheel group membership? Root access through
sudo(8) does not require the user to be a member of wheel, but su(8)
does.
Jim
On Mon, Sep 17, 2007 at 09:52:06AM -0400, Matthew Szudzik wrote:
> > If you're in operator, you can at least shutdown or reboot your system
> > with /sbin/shutdown (which is setuid root and executable by those in
> > operator).
>
> But (as I mentioned in the message), shutdown makes a very annoyin
On Mon, 17 Sep 2007, Chris wrote:
> On 9/17/07, Darrin Chandler <[EMAIL PROTECTED]> wrote:
> > problem is. This is why people keep asking you to explain the problem
> > more.
>
> Sorry for being vague. Ok, I have these in /etc/sudoers for joeuser.
> joeuser is also in the wheel group.
>
> joeuse
On 2007/09/17 09:52, Matthew Szudzik wrote:
> But (as I mentioned in the message), shutdown makes a very annoying beep.
You might find this useful:
$ grep bell /usr/src/etc/wsconsctl.conf
#keyboard.bell.volume=0 # mute keyboard beep
> If you're in operator, you can at least shutdown or reboot your system
> with /sbin/shutdown (which is setuid root and executable by those in
> operator).
But (as I mentioned in the message), shutdown makes a very annoying beep.
When shutting down the laptop in a hushed boardroom or lecture ha
On Sun, Sep 16, 2007 at 10:33:59PM -0400, Matthew Szudzik wrote:
| /sbin/halt
| Does anyone currently use the operator group for anything, or is it just a
| historical vestige? Would there be anything wrong with giving the
| operator enough hardware access to run the commands above?
If you're
* Matthew Szudzik <[EMAIL PROTECTED]> [2007-09-17 04:41]:
> Does anyone currently use the operator group for anything
sure, taking dump(8)s
--
Henning Brauer, [EMAIL PROTECTED], [EMAIL PROTECTED]
BS Web Services, http://bsws.de
Full-Service ISP - Secure Hosting, Mail and DNS Services
Dedicated S
On 9/17/07, Darrin Chandler <[EMAIL PROTECTED]> wrote:
> problem is. This is why people keep asking you to explain the problem
> more.
Sorry for being vague. Ok, I have these in /etc/sudoers for joeuser.
joeuser is also in the wheel group.
joeuser server = NOPASSWD: /sbin/mount, /usr/libexec/loca
Matthew Szudzik wrote:
The fact that you need to provide normal users with these kind of
privileges indicates a possible flaw in your overall scheme. You may
find that, after careful reconsideration, there are precious few
commands that you would actually have to allow the users to run with
su
On Sun, 16 Sep 2007, Matthew Szudzik wrote:
Does anyone currently use the operator group for anything, or is it just a
I do, for backups.
--
Antoine
> The fact that you need to provide normal users with these kind of
> privileges indicates a possible flaw in your overall scheme. You may
> find that, after careful reconsideration, there are precious few
> commands that you would actually have to allow the users to run with
> superuser privil
Ted Unangst wrote:
>
> cp /bin/sh /usr/local/bin/xsh
> chmod u+s /usr/local/bin/xsh
>
> then only tell the trusted users about xsh,
> and you can avoid sudo altogether.
Ohhh... EEEVVVILLL... :)
--
[100~Plax]sb16i0A2172656B63616820636420726568746F6E61207473754A[dZ1!=b]salax
On 9/16/07, Chris <[EMAIL PROTECTED]> wrote:
> So what's the "ideal" way to do things? Adding joeuser in the wheel
> group and then add - joeuser ALL=(ALL) ALL in sudoers? And when the
> joeuser account gets cracked, the cracker would be able to run
> privileged commands?
cp /bin/sh /usr/local/b
Chris,
Thanks for the message...
Chris> So what's the "ideal" way to do things?
Of course, the ``ideal'' way to do anything really depends on what you want to
do. It would help if you could give us some more details about what you are
trying to do on the grand scheme of things, so that we coul
On Sun, Sep 16, 2007 at 05:14:30PM +1000, Chris wrote:
> So what's the "ideal" way to do things?
Ok, here's the scoop... there is NO single best way. There are lots of
ways to solve these kinds of problems, and "ideal" changes with what the
problem is. This is why people keep asking you to explain
On 9/16/07, Chris <[EMAIL PROTECTED]> wrote:
>
> So what's the "ideal" way to do things? Adding joeuser in the wheel
> group and then add - joeuser ALL=(ALL) ALL in sudoers? And when the
> joeuser account gets cracked, the cracker would be able to run
> privileged commands? That defies the whole p
Chris wrote:
> ...
> user server = NOPASSWD: /sbin/mount, /usr/libexec/locate.updatedb
I might suggest using groups rather than individual users in sudoers.
On the small scale both are about the same, but using groups scales
better (both time and quantity).
So the above could be for the group ej
Chris wrote:
On 9/16/07, Aaron W. Hsu <[EMAIL PROTECTED]> wrote:
What exactly are you trying to enable users to do? The fact that you need to
provide normal users with these kind of privileges indicates a possible flaw
in your overall scheme. You may find that, after careful reconsideration,
the
On 9/16/07, Aaron W. Hsu <[EMAIL PROTECTED]> wrote:
> What exactly are you trying to enable users to do? The fact that you need to
> provide normal users with these kind of privileges indicates a possible flaw
> in your overall scheme. You may find that, after careful reconsideration,
> there are p
On 9/15/07, Chris <[EMAIL PROTECTED]> wrote:
> I've been looking for ways to let normal user run privileged commands and
> after some searching found that adding users to the wheel group is bad
> and also adding NOPASSWD and ALL = ALL to sudoers for a user is also
> plain as bad. The only alternative
What exactly are you trying to enable users to do? The fact that you need to
provide normal users with these kind of privileges indicates a possible flaw
in your overall scheme. You may find that, after careful reconsideration,
there are precious few commands that you would actually have to allo
25 matches