
Re: Admin for E-MAIL users only



On Thu, 4 Jul 2002 13:26, Fraser Campbell wrote:
> On Thu, 2002-07-04 at 12:55, rj wrote:
> > What is the best way to delegate some root privileges for a user
> > which could only create e-mail accounts and make newaliases?
>
> sudo.  We write a couple of wrapper scripts around adduser (it does a
> few other things as well) and allow access to it through sudo.
>
> An even better (or at least potentially easier) method is to put the users in
> a database or LDAP.  Most MTAs and Linux itself support lookups of
> aliases and users in this fashion, wrapping a web interface around a db
> (and likely LDAP) isn't too hard.

Delegating administrative access to one tree of an LDAP directory is easy.  
Preventing it from being used maliciously is another issue.  A hostile user 
could create a new LDAP entry with a UID of 0...

Of course you could get an email server and POP server that both use LDAP
only to store account details so there is never a Unix account, but that's
painful to set up.

Restricting someone who has UID=0 in a chroot environment from taking over 
the rest of the machine is easy enough though...

-- 
I do not get viruses because I do not use MS software.
If you use Outlook then please do not put my email address in your
address-book so that WHEN you get a virus it won't use my address in the
From field.
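
A check for the risk raised in this reply (a delegated LDAP admin creating an entry with a UID of 0), as an added example that is not part of the original message: it audits an LDIF export of the delegated subtree for uidNumber/gidNumber values below a floor and for duplicate UIDs. The base DN, the ID floor of 1000 and the sample entries are constructed assumptions.

```python
import base64

# Assumptions for this example: the delegated subtree and the lowest ID it may assign.
DELEGATED_BASE = "ou=mail,dc=example,dc=org"
MIN_ID = 1000

SAMPLE_LDIF = """\
dn: uid=alice,ou=mail,dc=example,dc=org
uidNumber: 5001
gidNumber: 5000

dn: uid=toor,ou=mail,dc=example,dc=org
uidNumber: 0
gidNumber: 0

dn: uid=bob,ou=mail,dc=example,dc=org
uidNumber:: NTAwMQ==
gidNumber: 5000
"""  # constructed sample; bob's uidNumber is base64 for "5001"

def parse_ldif(text):
    """Yield one dict (lower-cased attribute -> list of values) per LDIF record."""
    unfolded = text.replace("\n ", "")           # undo RFC 2849 line folding
    for block in unfolded.split("\n\n"):
        entry = {}
        for line in block.splitlines():
            if line.startswith("#") or ":" not in line:
                continue
            attr, _, value = line.partition(":")
            if value.startswith(":"):            # "attr:: <base64 value>"
                value = base64.b64decode(value[1:].strip()).decode()
            entry.setdefault(attr.lower(), []).append(value.strip())
        if entry:
            yield entry

def audit(entries, base=DELEGATED_BASE, min_id=MIN_ID):
    """Return (dn, reason) findings for entries under the delegated subtree."""
    findings, owner = [], {}
    for e in entries:
        dn = e.get("dn", [""])[0]
        if not dn.lower().endswith("," + base.lower()):
            continue
        for attr in ("uidnumber", "gidnumber"):
            for raw in e.get(attr, []):
                if not (raw.isascii() and raw.isdigit()) or int(raw) < min_id:
                    findings.append((dn, f"{attr} {raw!r} is below {min_id} or malformed"))
                elif attr == "uidnumber" and owner.setdefault(int(raw), dn) != dn:
                    findings.append((dn, f"uidnumber {raw} duplicates {owner[int(raw)]}"))
    return findings
```

Run against a periodic export of the delegated tree, this reports such entries after the fact; it does not stop the directory from accepting them.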

