fc543e03c6
o restricted setuid-root access to executables, adjustable on a per-program and per-user basis; o a relatively secure environment for scripts, so that well-written scripts can be run as root (or some other uid/gid), without unduly compromising security. See pkg/DESCR for a comparison w/sudo.
52 lines
2 KiB
Text
Super is a setuid-root program that offers

  o restricted setuid-root access to executables, adjustable
    on a per-program and per-user basis;

  o a relatively secure environment for scripts, so that well-written
    scripts can be run as root (or some other uid/gid), without
    unduly compromising security.

Sample uses:

  - to call a script that allows users to use mount(8) on
    CD-ROMs or floppy disks, but not other devices.

  - to restrict which users, on which hosts, may execute a
    setuid-root program.

  - to allow groups of trusted users (e.g. an "operator" group) complete
    root access to sets of selected commands such as, say, line-printer
    control commands, without giving away access to other commands,
    and with full logging of all commands used.


Super and sudo
--------------

Sudo --
Sudo allows a permitted user to execute a command as the superuser.
Its central design philosophy is that each user can be
trusted when executing certain commands. This is implemented
by allowing each user to execute the restricted commands for
which s/he is trusted, without giving access to other restricted commands.

Super --
The design philosophy behind super is two-fold:
  (a) some users can be trusted when executing certain commands;
  (b) there are some commands, such as a script to mount CD-ROMs,
      which you'd like to be safely executable even by users who
      are NOT trusted. Although setuid-root scripts are insecure,
      a good setuid-root wrapper around a sensible non-setuid script
      can be hard to break, and super provides that wrapper so that
      even a non-trusted user can use the scripts.

In the author's view, the main differences, as seen by the administrator, are:

  (1) the files that specify valid user/command combinations have
      a different look and feel.

  (2) super provides a safe wrapper for scripts, so that a
      well-written script can be run safely by ordinary
      users without having to actually trust them.


-- David (obrien@FreeBSD.org)