"Transparent" privilege delegation? - Linux / Unix Administration

  1. #1

    "Transparent" privilege delegation?

    Hello everyone,

    As I'm sure we're all familiar, UNIX has a very classic system of
    permissions that has been used out-of-the-box for a long time now.
    However, I'm wondering if there is a (portable) way to configure
    something like a server, wherein 'sudo' isn't used, and yet I can
    delegate certain tasks to users.

    I know that there are ways around some things, such as permissions on
    hard drive devices and the ability to create backups and the like, by
    just adding the user to a group with that privilege and then letting
    them do whatever it is that you want them to do. But this doesn't apply
    everywhere: If I have a user who has the role of "user administrator,"
    then is there some way (transparently) that I can give them that right?
    Or, would that require letting them write directly to the shadow
    database (which is obviously a Bad Thing(tm))?

    ACLs are another option, but they're not necessarily portable, and in
    case this server goes from Linux to Solaris, BSD, or anything else, or
    new servers are introduced in the network, I'd like to follow the same
    methods. It may be, perhaps, that the only way to make it "transparent"
    is to write a wrapper script that would call sudo with the rest of the
    command line arguments, but I don't like that idea, either.

    Any ideas?

    Thanks!
    Mike Trausch
    Michael Guest

  2. #2

    Re: "Transparent" privilege delegation?

    On Wed, 12 Apr 2006 14:39:38 -0400, Michael Trausch <nope.net> wrote: 

    Can you explain what you're trying to do that you're finding sudo to be
    insufficient for? Perhaps the solution might involve configuring sudo
    in a way which you haven't encountered yet; I can't remember the last
    time it didn't handle what I wanted.
     

    What about wrapper scripts are you uncomfortable with?

    Dave Guest

  3. #3

    Re: "Transparent" privilege delegation?

    Dave Hinz wrote On 04/12/2006 02:45 PM: 
    >
    > Can you explain what you're trying to do that you're finding sudo to be
    > insufficient for? Perhaps the solution might involve configuring sudo
    > in a way which you haven't encountered yet; I can't remember the last
    > time it didn't handle what I wanted.

    I'm just trying to get it to be transparent, really. The way that I
    have sudo configured at the moment is wonderful for me, but for some of
    the other people that I know, when they run four or five commands in a
    row that they have access to through sudo, they don't want to type
    'sudo ' every time to prefix the command.
     
    >
    > What about wrapper scripts are you uncomfortable with?

    In the immediate future, nothing. However, since I work based on the
    premise of whitelisting things that are needed, over time I can see the
    number of these types of scripts growing quite a bit. I've also thought
    about system-wide shell aliases, but I don't know that I want to do
    that, either, because everyone has their own preferences and ideas on
    how to do them, what to call them, and whatever, and I don't want to
    potentially conflict with something that somebody else already has
    defined and all of that.

    Personally, I only use shell aliases for very quick things (like ll for
    a specially formatted 'ls' output, 'l' for 'ls -l', 'v' for 'ls -lF', etc.)

    Essentially, I want to think it through and ensure that whatever it is,
    it is portable, future-proof, and secure. I may well just stick with
    using sudo and maybe write a single wrapper script with different
    symlinks to it or something so that it can do various tasks based on the
    name of invocation, but I'm still wondering if there's a neater, cleaner
    solution.

    - Mike
    Michael Guest
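
As an added example that is not part of the thread: the single wrapper dispatched by invocation name that the post above describes, written as a POSIX shell script. The command list, the install paths and the `useradmin` group are assumptions made for illustration.

```sh
#!/bin/sh
# Added example (constructed), not from the thread. Install this file once and
# symlink each delegated command name to it from a directory that comes early
# in the users' PATH, e.g. (hypothetical paths):
#   ln -s /usr/local/libexec/priv-wrap /usr/local/bin/useradd
# sudoers must grant the same absolute paths, e.g. for a hypothetical group:
#   %useradmin ALL = (root) /usr/sbin/useradd, /usr/sbin/usermod, /usr/sbin/userdel

SUDO=/usr/bin/sudo   # absolute path, so a modified PATH cannot substitute it

# Whitelist: invocation name -> absolute path of the real binary.
# Sample entries; the paths differ between Linux, Solaris and the BSDs.
resolve_target() {
    case "$1" in
        useradd) echo /usr/sbin/useradd ;;
        usermod) echo /usr/sbin/usermod ;;
        userdel) echo /usr/sbin/userdel ;;
        *)       return 1 ;;   # anything not listed is refused
    esac
}

# Run the whitelisted command for NAME through sudo, passing the remaining
# arguments unchanged. Returns 64 for a name that is not on the whitelist.
dispatch() {
    name=$1
    shift
    if ! target=$(resolve_target "$name"); then
        echo "priv-wrap: '$name' is not a delegated command" >&2
        return 64
    fi
    "$SUDO" -- "$target" "$@"
}

# Act only when started through one of the symlinks; $0 then carries the
# name the user typed.
if [ -L "$0" ]; then
    dispatch "$(basename -- "$0")" "$@"
    exit $?
fi
```

The wrapper only saves typing; sudoers remains the enforcement point, so its command list should match the whitelist here. Commands such as usermod take arguments that can grant further privileges, which the sudoers entry can limit by listing the permitted arguments.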

  4. #4

    Re: "Transparent" privilege delegation?

    Michael Trausch <nope.net> wrote: 

    It sounds like what you want is Role Based Access Control (RBAC).
    It doesn't exist for all Unix systems, though.

    --
    Oh to have a lodge in some vast wilderness. Where rumors of oppression
    and deceit, of unsuccessful and successful wars may never reach me
    anymore.
    -- William Cowper
    Jeremiah Guest

  5. #5

    Re: "Transparent" privilege delegation?

    Jeremiah DeWitt Weiner wrote On 04/13/2006 10:57 AM: 
    >
    > It sounds like what you want is Role Based Access Control (RBAC).
    > It doesn't exist for all Unix systems, though.

    Very interesting. Thank you for this piece of information, I will do
    some research on it and see where that leads me.

    - Mike
    Michael Guest
