Re: a possible solution (re: su thread)
From: Andrew Johns (johnsa@kpi.com.au)
Date: 04/05/02
- Next message: Crist J. Clark: "Re: another natd question"
- Previous message: Jerry Connolly: "Re: info"
- In reply to: Anthony Schneider: "Re: a possible solution (re: su thread)"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Fri, 05 Apr 2002 13:36:48 +1000 From: Andrew Johns <johnsa@kpi.com.au> To: Anthony Schneider <aschneid@mail.slc.edu>
Anthony Schneider wrote:
> oh, by the way, as another person mentioned to me already, this idea
> is also quite akin to notions in the trustedbsd paradigm. he's right,
> it is. the idea is that the tool would be extremely portable across
> *NIX platforms. it would of course in no way stand above trustedbsd,
> and that is not my intention. it would, however, somewhat mirror
> access control policies in trustedbsd in userland. again, any ideas
> on how to make this more flexible, secure, etc., are wolcomed.
> -Anthony.
>
While doing some work recently, we came across sus - an
interesting utility used where "many users need to run commands
as root, but where sudo was too limited and su too powerful".
http://pdg.uow.edu.au/sus/index.html
From the homepage:
SUS is a utility to allow a user (typically a system
administrator) to run a single command as the super user. SUS
reads a configuration file which determines if the user may
execute the command or not.
Some of the more advanced features of SUS are:
* the configuration file is preprocessed as it is read by a
"CPP style proprocessor."
* an ability to define a class of system objects (users,
groups, files, hosts or proccesses) by their attributes.
* an ability to treat arguments passed to the target command
as references to system objects and allow or reject commands
based on the membership of such objects to predefined object classes.
* the ability to run commands as users other than root.
* the ability to run commands in background as session leaders.
* the ability to let a user run a command as a target user
if the invoking user can authenticate as the target user.
I haven't tried compiling this on BSD, but it might get you some
of the way there (or perhaps not). I'm interested in any
comments on the code, etc. There are no copyright notices in the
code or on the site, but I've emailed the author to determine the
state of this.
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
- Next message: Crist J. Clark: "Re: another natd question"
- Previous message: Jerry Connolly: "Re: info"
- In reply to: Anthony Schneider: "Re: a possible solution (re: su thread)"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
