Hi!

> > > Please do study sudo real power :-)
> > > It can give selective privileges per-command, [...]
> > Just make sure none of the permitted commands has got the
> > feature of starting a shell ;-))
> > Right, think of vi(1), less(1), et al.

Even this aspect is taken care of with sudo (at least to a certain limit):

NOEXEC and EXEC

If sudo has been compiled with noexec support and the underlying
operating system supports it, the NOEXEC tag can be used to prevent
a dynamically-linked executable from running further commands itself.

In the following example, user aaron may run /usr/bin/more and
/usr/bin/vi but shell escapes will be disabled.

    aaron shanty = NOEXEC: /usr/bin/more, /usr/bin/vi

See the "PREVENTING SHELL ESCAPES" section below for more details
on how NOEXEC works and whether or not it will work on your system.

-- 
p...@opsec.eu +49 171 3101372 8 years to go !
_______________________________________________
freebsd-stable@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-stable
To unsubscribe, send any mail to "freebsd-stable-unsubscr...@freebsd.org"
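
An added example, not part of the original post and not code from the sudo project: a small audit that flags sudoers rules granting shell-escape-capable programs without NOEXEC, following the rule that a tag stays in force for later commands in the same list until EXEC overrides it. The function name audit_sudoers, the ESCAPE_CAPABLE list and the bob and carol rules are assumptions made for illustration, and the parser only handles simple one-line rules.

```python
import re

# Assumption: site-specific list of programs that can spawn a shell or command.
ESCAPE_CAPABLE = {"vi", "vim", "view", "ed", "more", "less", "man"}
TAGS = re.compile(r"^(?:[A-Z_]+:\s*)+")      # leading tags such as "NOEXEC: "
RUNAS = re.compile(r"^\([^)]*\)\s*")         # optional Runas spec such as "(root) "
SKIP = ("Defaults", "Cmnd_Alias", "User_Alias", "Host_Alias", "Runas_Alias")

def audit_sudoers(text):
    """Return (user, host, path) for escape-capable commands granted without NOEXEC.

    Simplified: one "user host = cmnd, cmnd" rule per line, no aliases,
    no line continuations, no "Defaults noexec".
    """
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if "=" not in line or line.startswith(SKIP):
            continue
        who, cmnds = line.split("=", 1)
        if len(who.split()) != 2:
            continue
        user, host = who.split()
        noexec = False  # a tag stays in force for later commands in the list
        for spec in cmnds.split(","):
            spec = RUNAS.sub("", spec.strip())
            m = TAGS.match(spec)
            if m:
                for tag in re.findall(r"[A-Z_]+", m.group(0)):
                    if tag in ("NOEXEC", "EXEC"):
                        noexec = tag == "NOEXEC"
                spec = spec[m.end():]
            path = spec.split()[0] if spec.split() else ""
            if path.rsplit("/", 1)[-1] in ESCAPE_CAPABLE and not noexec:
                findings.append((user, host, path))
    return findings

# Constructed sample: the aaron rule is the one quoted above, the rest are made up.
SAMPLE = """\
aaron shanty = NOEXEC: /usr/bin/more, /usr/bin/vi
bob shanty = /usr/bin/less, NOEXEC: /usr/bin/vi
carol shanty = NOEXEC: /usr/bin/more, EXEC: /usr/bin/vi, /usr/bin/less /var/log/messages
"""

if __name__ == "__main__":
    for user, host, path in audit_sudoers(SAMPLE):
        print(f"{user}@{host}: {path} can run further commands (no NOEXEC)")
```

The aaron rule passes because vi inherits NOEXEC from more; a clean result still only covers dynamically-linked executables on systems where sudo's noexec support works.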