
Re: howto delegate user administration to non-root account?



On Fri, 10 Sep 2004 08:38:11 +0800, John Summerfield
<debian@computerdatasafe.com.au> wrote:
> Paul Johnson wrote:
> 
> >Gebhardt Thomas <gebhardt@hrz.uni-marburg.de> writes:
> >
> >
> >
> >>it is possible to delegate the adding and removing of users to a
> >>non-root account without getting too much security hassle?
> >>(no alteration of system accounts possible, ...)
> >>
> >>
> >
> >Yup.
> >
> >
> >
> >>If so, is there an easy established/preferred/canonical way to do this?
> >>
> >>
> >
> >I believe sudo is probably what you're looking for.  Other people
> >might be able to speak up about specific configurations needed to
> >facilitate limiting user ability to just adduser/deluser.
> >
> >
> 
> 
> I already explained that doesn't work.
> 
> You can probably make a wrapper to make it safe, but allowing anyone the
> untrammelled ability to create/change/delete accounts gives them the keys
> to the kingdom.

It might be that the limits of discretionary access controls have
already been hit - for more fine-grained access controls a customized
application would have to be coded, or a shift to stricter models of
system access (role-based comes to mind) would need to be done.
-- 
Paolo Alexis Falcone
pfalcone@gmail.com
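
One way to build the wrapper mentioned in the quoted reply, as an added example that is not from any poster in this thread: a script called through sudo that takes only a validated account name and refuses anything outside the regular-user UID range. The install path, the `helpdesk` group, the UID bounds and the reliance on local `/etc/passwd` entries are assumptions.

```shell
#!/bin/sh
# Added example: delegates are granted this script via sudo, never adduser/deluser.
# Hypothetical sudoers entry (group name and path are assumptions):
#   %helpdesk ALL = (root) /usr/local/sbin/useradmin
LC_ALL=C; export LC_ALL                    # make [a-z] mean ASCII lowercase only
PATH=/usr/sbin:/usr/bin:/sbin:/bin; export PATH
MIN_UID=1000    # assumed bounds for regular accounts; keep in line with
MAX_UID=59999   # FIRST_UID/LAST_UID in /etc/adduser.conf

valid_name() {  # lowercase letter first, then [a-z0-9_-], at most 32 chars
    case "$1" in
        ''|[!a-z]*|*[!a-z0-9_-]*) return 1 ;;
    esac
    [ "${#1}" -le 32 ]
}

uid_of() {      # print the UID of $1 in passwd-format file $2 (empty if absent)
    awk -F: -v u="$1" '$1 == u { print $3; exit }' "$2"
}

may_add() {     # new name only; no options ever reach adduser (no --uid, --system)
    valid_name "$1" && [ -z "$(uid_of "$1" "$2")" ]
}

may_delete() {  # existing account inside the regular-user UID range only
    valid_name "$1" || return 1
    uid=$(uid_of "$1" "$2")
    [ -n "$uid" ] && [ "$uid" -ge "$MIN_UID" ] && [ "$uid" -le "$MAX_UID" ]
}

main() {
    [ "$#" -eq 2 ] || { echo "usage: useradmin add|del NAME" >&2; return 2; }
    case "$1" in
        add) may_add "$2" /etc/passwd || { echo "refused: $2" >&2; return 1; }
             logger -t useradmin "${SUDO_USER:-unknown} add $2"   # audit trail
             adduser "$2" ;;
        del) may_delete "$2" /etc/passwd || { echo "refused: $2" >&2; return 1; }
             logger -t useradmin "${SUDO_USER:-unknown} del $2"
             deluser "$2" ;;
        *)   echo "usage: useradmin add|del NAME" >&2; return 2 ;;
    esac
}

if [ "$#" -gt 0 ]; then main "$@"; fi
```

The passwd path is hard-coded in `main` rather than read from the environment, so the caller cannot point the checks at a file of their own.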


