Allowing a user administrative tasks without root's password

Stephen Smalley sds at epoch.ncsc.mil
Tue Oct 14 15:22:54 UTC 2003


On Tue, 2003-10-14 at 03:55, Louis Garcia wrote:
> I was wondering if it was possible to create a root-like account but
> having it locked. This way you can control who has access to what
> without having to give up root's password.
> 
> Let's say you allow users to change the clock. They call up the Date &
> Time capplet but instead of giving root's password they give this new
> account password. So now a user can modify the time but not be able to
> log in as root and do horrible things.
> 
> Is this doable, or is it more complicated? Maybe ACL would be better for
> this.

SELinux can support this based on the user's role.  Dan Walsh has an
experimental patched userhelper for SELinux that makes use of this
ability to avoid requiring the root password to run the configuration
tools, and just relies on the user role authorizations.  Work still
needs to be done on the policy to provide a reasonable set of
administrative roles.
 
-- 
Stephen Smalley <sds at epoch.ncsc.mil>
National Security Agency




