John Hasler wrote:
> Doug writes:
> > I'm not sure how you limit the superuser ability.
>
> By configuring exactly which commands each user is permitted to execute.
Perhaps an example sudoers configuration would help people:

    User_Alias HOSTMASTERS = trent
    Host_Alias DNSSERVERS = somehostname
    Cmnd_Alias DNSZONEEDIT = \
        sudoedit /etc/bind/db.example.com, \
        sudoedit /etc/bind/db.example.net, \
        sudoedit /etc/bind/db.example.org
    Cmnd_Alias NAMEDCTL = \
        /usr/sbin/rndc reload, \
        /usr/sbin/service bind9 reload, \
        /usr/sbin/service bind9 restart, \
        /usr/sbin/service bind9 status
    HOSTMASTERS DNSSERVERS = DNSZONEEDIT
    HOSTMASTERS DNSSERVERS = NAMEDCTL

In the above, user Trent can edit a few specific files. Trent can cause the daemon to be reloaded. Can check the daemon status. Can restart the daemon if needed. (Maybe they made an error in the file? Maybe something else killed the daemon?) Effectively Trent has all of the tools and power needed to perform the job of hostmaster for those DNS zones. But Trent is otherwise not a superuser on the system.

Bob
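As an added example that is not part of the thread: a small Python audit helper that parses the alias-based policy above and resolves which exact commands a given user may run on a given host, the check an administrator makes to confirm that trent gets only the hostmaster commands and nothing else. It understands only User_Alias/Host_Alias/Cmnd_Alias definitions and plain "USERS HOSTS = COMMANDS" specs (no Runas, tags, wildcards or negation), and the policy text is embedded as constructed input; on a real system `sudo -l -U trent` remains the authoritative answer.

```python
import re
# Constructed input: the hostmaster policy from the message above.
SUDOERS = r"""
User_Alias HOSTMASTERS = trent
Host_Alias DNSSERVERS = somehostname
Cmnd_Alias DNSZONEEDIT = \
    sudoedit /etc/bind/db.example.com, \
    sudoedit /etc/bind/db.example.net, \
    sudoedit /etc/bind/db.example.org
Cmnd_Alias NAMEDCTL = \
    /usr/sbin/rndc reload, \
    /usr/sbin/service bind9 reload, \
    /usr/sbin/service bind9 restart, \
    /usr/sbin/service bind9 status
HOSTMASTERS DNSSERVERS = DNSZONEEDIT
HOSTMASTERS DNSSERVERS = NAMEDCTL
"""

ALIAS_RE = re.compile(r"^(User_Alias|Host_Alias|Cmnd_Alias)\s+(\w+)\s*=\s*(.*)$")
SPEC_RE = re.compile(r"^(\S+)\s+(\S+)\s*=\s*(.*)$")  # USERS HOSTS = COMMANDS

def parse_sudoers(text):
    """Return (aliases, specs) with aliases left unresolved. Only alias
    definitions and plain user specs are handled; user/host lists in a
    spec must be comma-separated without spaces. Not sudo's full grammar."""
    aliases = {"User_Alias": {}, "Host_Alias": {}, "Cmnd_Alias": {}}
    specs = []
    # Join backslash continuations first, then drop blank and comment lines.
    for line in re.sub(r"\\\s*\n", " ", text).splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = ALIAS_RE.match(line)
        if m:
            aliases[m[1]][m[2]] = re.split(r"\s*,\s*", m[3].strip())
        elif (m := SPEC_RE.match(line)):
            specs.append(tuple(re.split(r"\s*,\s*", g.strip()) for g in m.groups()))
    return aliases, specs

def expand(items, table):
    """Recursively replace alias names with their members; literals pass through."""
    return [x for i in items for x in (expand(table[i], table) if i in table else [i])]

def allowed_commands(text, user, host):
    """Exact command strings `user` may run through sudo on `host`."""
    aliases, specs = parse_sudoers(text)
    return {c for users, hosts, commands in specs
            if user in expand(users, aliases["User_Alias"])
            and host in expand(hosts, aliases["Host_Alias"])
            for c in expand(commands, aliases["Cmnd_Alias"])}
```

Running `allowed_commands(SUDOERS, "trent", "somehostname")` returns the seven hostmaster commands and nothing else; any other user, or trent on a host outside DNSSERVERS, gets an empty set.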