On Fri, 2005-12-02 at 14:14 -0600, Mike McCarty wrote:
> Scot L. Harris wrote:
> > On Fri, 2005-12-02 at 14:17, Mike McCarty wrote:
> >
> >>Tim wrote:
> >>
> >>>On Fri, 2005-12-02 at 12:44 +0800, John Summerfied wrote:
> >>>
> >>>>A really big flaw in Unix design is the fact one user has the inherent
> >>>>ability to do everything, the fact that the Unix security model is
> >>>>built round this.
> >>>
> >>>A counterpoint to that, in the Windows world, is that you can have too
> >>>many people able to do things that they shouldn't. They might think
> >>>they need to do something special, they might want to do it, they might
> >>>think they know what they're doing, but they're often wrong.
> >>
> >>The objection is not that there are not enough users who can
> >>do things, but that there is one super duper user who can
> >>do EVERYTHING AND ANYTHING. There is no finesse. Either
> >>all or none. It might be useful to have someone who can
> >>administer passwords, but not rm /etc/passwd, for example.
> >>There is not enough resolution.
> >
> > You can configure sudoers to limit a user to specific commands that they
> > can run as root when needed without allowing that user to do everything
> > root can.
> >
>
> One cannot configure sudo such that one can "vi /etc/one_special_file"
> but not "vi /etc/another_special_file".

----

I am DEFINITELY not an expert on the sudoers file but...

# tail -n 5 /etc/sudoers
Cmnd_Alias IPOD=/sbin/modprobe -r sbp2
Cmnd_Alias EJECT=/usr/bin/eject /dev/sda2,/usr/bin/eject /dev/sdb2
# User privilege specification
craig ALL=(ALL) ALL
craig ALL= NOPASSWD : IPOD, EJECT

makes me believe that I could only use modprobe and eject as prescribed
if I didn't have the ALL=(ALL) ALL designation.

Craig
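As an added illustration (not from anyone in this thread, and not Craig's actual file), here is a sudoers fragment that puts the blanket grant Craig noticed next to the restricted form that only allows the aliased command lines. The user name craig, the aliases and the device paths are taken from Craig's tail output; the (root) runas restriction and the comments are assumptions of this example.

```sudoers
# Added example, not the file from the thread. Cmnd_Alias entries that carry
# arguments match the argument list literally: "/usr/bin/eject /dev/sdc" does
# not match EJECT, and "/sbin/modprobe -r ext3" does not match IPOD.
Cmnd_Alias IPOD  = /sbin/modprobe -r sbp2
Cmnd_Alias EJECT = /usr/bin/eject /dev/sda2, /usr/bin/eject /dev/sdb2

# Weak: this single line lets craig run any command as any user, so the
# alias line below it only removes the password prompt for those commands.
# Leave it commented out (or delete it) if the aliases are meant to be a limit.
# craig ALL=(ALL) ALL

# Restricted: craig may run only the two aliased command lines, only as root,
# without a password. Anything else is refused and logged by sudo.
craig ALL=(root) NOPASSWD: IPOD, EJECT
```

After editing, `visudo -c -f /path/to/fragment` checks the syntax without installing it, and `sudo -l -U craig` (run as root) prints exactly which command lines sudo would accept for that user, which is the quickest way to confirm that the ALL=(ALL) ALL line is really gone.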