it also comes down to this... if you are going to have people adding
users, they should be people that have SOME level of trust.  if you
don't trust them to not INTENTIONALLY screw things up, don't give them
access.  write your wrapper to the best of your ability to take care
of possible honest mistakes, and go from there.


On Sat, 11 Sep 2004 08:34:59 +0800, Paolo Alexis Falcone
<[EMAIL PROTECTED]> wrote:
> On Fri, 10 Sep 2004 08:38:11 +0800, John Summerfield
> <[EMAIL PROTECTED]> wrote:
> > Paul Johnson wrote:
> >
> > >Gebhardt Thomas <[EMAIL PROTECTED]> writes:
> > >
> > >
> > >
> > >>it is possible to delegate the adding and removing of users to a
> > >>non-root account without getting too much security hassle?
> > >>(no alteration of system accounts possible, ...)
> > >>
> > >>
> > >
> > >Yup.
> > >
> > >
> > >
> > >>If so, is there an easy established/preferred/canonical way to do this?
> > >>
> > >>
> > >
> > >I believe sudo is probably what you're looking for.  Other people
> > >might be able to speak up about specific configurations needed to
> > >facilitate limiting user ability to just adduser/deluser.
> > >
> > >
> >
> >
> > I already explained that doesn't work.
> >
> > You can probably make a wrapper to make it safe, but allowing anyone the
> > untrammelled ability to create/change/delete accounts gives them the keys
> > to the kingdom.
> 
> It might be that the limits of discretionary access controls have
> already been hit - for more fine-grained access controls a customized
> application would have to be coded, or a shift to stricter models of
> system access (role-based comes to mind) would need to be done.
> --
> Paolo Alexis Falcone
> [EMAIL PROTECTED]



-- 
matt okeson-harlow
Sen gutoj malgrandaj maro ne ekzistus
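
The wrapper approach suggested in this thread, as an added example (not code from any of the posters): the operator gets sudo rights for this one script only, and the script validates the user name and refuses to delete accounts outside the normal-user UID range before calling adduser or deluser. The script name, the sudoers entry and the UID range are assumptions.

```shell
#!/bin/sh
# manage-user: hypothetical wrapper the delegated operator runs through sudo.
# Assumed sudoers entry (group and path are placeholders):
#   %useradmins ALL=(root) /usr/local/sbin/manage-user
LC_ALL=C; export LC_ALL        # make [a-z] ranges mean ASCII only

# Assumed normal-user UID range; match FIRST_UID/LAST_UID in adduser.conf.
MIN_UID=1000
MAX_UID=59999

# Accept only short lowercase names: this blocks option injection
# ("--system"), shell metacharacters and path components in one place.
name_is_safe() {
    case "$1" in
        ''|*[!a-z0-9_-]*) return 1 ;;
        [a-z_]*) [ "${#1}" -le 32 ] ;;
        *) return 1 ;;
    esac
}

# True only for numeric UIDs inside the normal-user range, so root,
# daemon accounts and "nobody" can never be targeted.
uid_is_delegable() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge "$MIN_UID" ] && [ "$1" -le "$MAX_UID" ]
}

manage_user() {
    action=${1-}; name=${2-}
    case "$action" in
        add|del) ;;
        *) echo "usage: manage-user add|del NAME" >&2; return 2 ;;
    esac
    name_is_safe "$name" || { echo "refused: bad user name" >&2; return 1; }
    if [ "$action" = add ]; then
        adduser "$name"        # adduser picks the UID from the normal range
        return
    fi
    uid=$(id -u "$name" 2>/dev/null) || { echo "refused: no such user" >&2; return 1; }
    uid_is_delegable "$uid" || { echo "refused: UID $uid is outside the normal-user range" >&2; return 1; }
    deluser "$name"
}

# Run only when called with arguments.
if [ "$#" -gt 0 ]; then manage_user "$@"; fi
```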

