tnt Veteran


Joined: 27 Feb 2004 Posts: 1227
Posted: Sat Dec 09, 2006 2:24 pm Post subject: DNS admin without root access ?
is there some (simple) way to make some user able to administer DNS without 'root access' to the system?
editing /etc/bind/named.conf and /var/bind/zone.files are ok, but how to make him able to start/stop/restart/reload named via /etc/init.d/named script? _________________ gentoo user
drwook Veteran

Joined: 30 Mar 2005 Posts: 1324 Location: London
Posted: Sat Dec 09, 2006 2:26 pm
setuid the script and give execute to a group?
bunder Bodhisattva

Joined: 10 Apr 2004 Posts: 5956
Posted: Sat Dec 09, 2006 2:48 pm Post subject: Re: DNS admin without root access ?
tnt wrote: | is there some (simple) way to make some user able to administer DNS without 'root access' to the system?
editing /etc/bind/named.conf and /var/bind/zone.files are ok, but how to make him able to start/stop/restart/reload named via /etc/init.d/named script? |
you could always set the permissions on named and the init.d script to something the dns admin user can use
cheers _________________
Neddyseagoon wrote: | The problem with leaving is that you can only do it once and it reduces your influence. |
banned from #gentoo since sept 2017
tnt Veteran


Joined: 27 Feb 2004 Posts: 1227
Posted: Sat Dec 09, 2006 3:08 pm
I've changed ownerships and here's what I get:
Code: | /etc/init.d/named stop
* /sbin/runscript.sh: must be root to run init scripts |
_________________ gentoo user
PaulBredbury Watchman


Joined: 14 Jul 2005 Posts: 7310
Posted: Sat Dec 09, 2006 3:33 pm
DNS is so critical to a PC, anyone who can alter that might as well be root anyway.
What's the purpose of giving that ability to a non-root user?
tnt Veteran


Joined: 27 Feb 2004 Posts: 1227
Posted: Sat Dec 09, 2006 3:44 pm
I want some people to be able to alter DNS records for some zones and not be able to read/write/edit files in other users' dirs - there's a lot of private data. _________________ gentoo user
bunder Bodhisattva

Joined: 10 Apr 2004 Posts: 5956
Posted: Sun Dec 10, 2006 5:13 am
tnt wrote: | I've changed ownerships and here's what I get:
Code: | /etc/init.d/named stop
* /sbin/runscript.sh: must be root to run init scripts |
|
how about putting the user in the operator group? not sure whether that will open them all up or not. i'd test it before going into production. _________________
Neddyseagoon wrote: | The problem with leaving is that you can only do it once and it reduces your influence. |
banned from #gentoo since sept 2017
tnt Veteran


Joined: 27 Feb 2004 Posts: 1227
Posted: Sun Dec 10, 2006 10:03 am
Code: | # User must be root to run most script stuff (except status)
if [[ ${EUID} != "0" ]] && ! [[ $2 == "status" && $# -eq 2 ]] ; then
eerror "$0: must be root to run init scripts"
exit 1
fi
|
/sbin/runscript.sh checks if the user is root, and editing it to check for root and some other user didn't give good results - it got stuck somewhere else... _________________ gentoo user
think4urs11 Bodhisattva


Joined: 25 Jun 2003 Posts: 6659 Location: above the cloud
Posted: Sun Dec 10, 2006 10:41 am
how about using sudo and having it configured so that only the needed commands are allowed for this specific user? _________________ Nothing is secure / Security is always a trade-off with usability / Do not assume anything / Trust no-one, nothing / Paranoia is your friend / Think for yourself
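One way to set up what think4urs11 suggests, as an added example that is not from the thread or from Gentoo itself: a sudoers drop-in that lets members of a DNS admin group run only the named init script (with fixed arguments) as root, so /sbin/runscript.sh sees EUID 0 without the admin getting a root shell. The group name dnsadmin, the drop-in file name named-admin, the rndc path and the helper function names are assumptions; the init script path is the one from the thread.

```shell
#!/bin/sh
# Added example, not from the thread: generate a sudoers drop-in that
# restricts a "dnsadmin" group (assumed name) to controlling BIND only.
# Assumes Gentoo's /etc/init.d/named, rndc at /usr/sbin/rndc, and a
# sudo that reads /etc/sudoers.d (i.e. "#includedir /etc/sudoers.d" in
# /etc/sudoers).

# write_named_sudoers DIR: write the policy file into DIR (default
# /etc/sudoers.d, which needs root) and print the path written.
write_named_sudoers() {
    dir="${1:-/etc/sudoers.d}"
    out="$dir/named-admin"
    rm -f "$out"           # file is made read-only below; allow re-runs
    cat > "$out" <<'EOF'
# Members of dnsadmin may run exactly these commands as root, nothing else.
# sudo matches the argument list literally, so an extra or different
# argument (e.g. "/etc/init.d/named restart; sh") is refused.
Cmnd_Alias NAMED_CTL = /etc/init.d/named start, \
                       /etc/init.d/named stop, \
                       /etc/init.d/named restart, \
                       /etc/init.d/named reload, \
                       /etc/init.d/named status, \
                       /usr/sbin/rndc reload
# Drop NOPASSWD: if you want sudo to ask for the admin's own password.
%dnsadmin ALL=(root) NOPASSWD: NAMED_CTL
EOF
    chmod 0440 "$out"      # sudo refuses world-readable/writable policy files
    printf '%s\n' "$out"
}

# check_sudoers FILE: syntax-check the file with visudo when it exists on
# this host; skipped (not failed) where visudo is absent.
check_sudoers() {
    if command -v visudo >/dev/null 2>&1; then
        visudo -c -f "$1" >/dev/null
    fi
}
```

Deploy it as root (write_named_sudoers with no argument, then check_sudoers on the result, or simply `visudo -f /etc/sudoers.d/named-admin`), add the dns admins to the dnsadmin group, and they run `sudo /etc/init.d/named reload` instead of the bare init script. The rule is only as safe as the binaries it names: /etc/init.d/named, /sbin/runscript.sh and rndc must stay owned by root and not writable by the dns admin, because sudo runs whatever those files contain as root. That is the reason to revert the ownership change tried earlier in the thread rather than build on it; the zone files and named.conf can stay writable by the admin, since named only reads them.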
Kosa Tux's lil' helper

Joined: 03 May 2005 Posts: 106 Location: Prague