Allowing a user administrative tasks without root's password

Maynard Kuona knxmay001 at mail.uct.ac.za
Tue Oct 14 15:28:05 UTC 2003


On Tue, 2003-10-14 at 17:22, Stephen Smalley wrote:
> On Tue, 2003-10-14 at 03:55, Louis Garcia wrote:
> > I was wondering if it was possible to create a root like account but
> > having it locked. This way you can control who has access to what
> > without having to give up root's password.
> > 
> > Let's say you allow users to change the clock. They call up the Date &
> > Time capplet but instead of giving root's password they give this new
> > account password. So now a user can modify the time but not be able to
> > log in as root and do horrible things.
> > 
> > Is this doable, or is it more complicated? Maybe ACL would be better for
> > this.
> 
> SELinux can support this based on the user's role.  Dan Walsh has an
> experimental patched userhelper for SELinux that makes use of this
> ability to avoid requiring the root password to run the configuration
> tools, and just relies on the user role authorizations.  Work still
> needs to be done on the policy to provide a reasonable set of
> administrative roles.
>  
You can do this using sudo, I am sure, but this will be command line
AFAIK. So, if, for instance, you want a user to be able to use apt, you
will give them access to /bin/apt*, and they will be able to run all apt
programs.
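
A sudoers sketch of the approach described in this message, added here as an example and not part of the original post: the wildcard rule from the message shown next to a narrower alternative. The user name `alice`, the group `clockadmins`, the file name and the `/usr/bin` and `/bin/date` paths are assumptions.

```sudoers
# /etc/sudoers.d/delegated-admin   (assumed file name)
# Edit with:  visudo -f /etc/sudoers.d/delegated-admin
# Check with: visudo -c
#
# With sudo the user authenticates with their OWN password, so root's
# password is never handed out. "alice" and "clockadmins" are assumed names.

# Rule as described in the message (left commented out here): every program
# whose path matches /bin/apt*, with any arguments, runs as root.
# alice ALL = (root) /bin/apt*

# Narrower alternative: name the exact command lines that are delegated.
# When arguments are listed, only that exact command line is permitted.
Cmnd_Alias APT_REFRESH = /usr/bin/apt-get update, /usr/bin/apt-get upgrade

# A command listed without arguments may be run with any arguments,
# which is what setting the clock with date(1) needs.
Cmnd_Alias SET_CLOCK = /bin/date

alice        ALL = (root) APT_REFRESH
%clockadmins ALL = (root) SET_CLOCK
```

`sudo -l -U alice`, run as root, lists what the rules actually grant to that user.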




