Many thanks to the following:

Allan West
Andrew Caines
Asif Iqbal
David Booth
Mitchell Bruntel
William Cole
Debbie Tropiano
"hike1272-sunhelp"

And the list continues to grow, as so many others were willing to take the time out to respond. So if your name is not listed, it is not on purpose, but a big hearty thanks to you all :o)

I'm going to use the recommendations provided by Chad Johnson and David Booth, which is basically to create an alias for the user and then allow him all of root's privileges with the exception of a certain few. This is what Chad and David said:

(from Chad)
Use sudo, but allow the user to execute a shell. Here is an example of what we have:

User_Alias FULLTIMERS=user1,user2,user3....
...
FULLTIMERS ALL=NOPASSWD:ROOTSHELLS

This allows user1,user2,user3... to do 'sudo ksh' and have root perms, but not to change root's pw.

(from David)
The only suggestion I can make is that you define what they are NOT allowed to do as a separate command group alias in sudoers, then assign them "ALL=ALL, !FORBIDDEN" where the FORBIDDEN command group is the ones you want to exclude... Obviously FORBIDDEN should include su, passwd, rlogin, rsh, ssh and all shells.

Original question:

> Gurus,
>
> I've looked at both RBAC and SUDO but neither one really appears to be
> the answer to my problem. I have a user who was given "root" (this
> was done under heavy protest but to no avail) on a Sun box (Solaris
> 8-Sun Fire 280).
> What I need to do is:
>
> 1. continue to allow this user to have root privileges
> 2. not allow the user to change root's password or
> 3. to be able to log onto other systems on the network as root.
>
> Since this is a single system, sudo would work well BUT the sudoers
> file would end up being horribly long and difficult to maintain. Is
> there another way of doing what is needed or perhaps someone already
> has an existing sudoers file that may fit my needs?
Deborah Santomauro
Unix System Administrator
Lockheed Martin-Enterprise Information Systems
Palmdale, CA 93599
Phone: 661-572-1178
Fax: 661-572-5398

It is not death that we should fear, but we should fear never beginning to live - Marcus Aurelius

_______________________________________________
sunmanagers mailing list
sunmanagers@sunmanagers.org
http://www.sunmanagers.org/mailman/listinfo/sunmanagers
Received on Thu Feb 12 10:34:04 2004
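Editor's note, with a worked sudoers fragment. The fragment below is an added example, not anything posted by Chad, David or the summary author. It writes out David's "ALL, !FORBIDDEN" approach in full and adds the "passwd anyone but root" pattern from the sudoers manual. The host name, the user names, the alias names and the binary paths are assumptions for illustration (Solaris 8 system paths are used; ssh is assumed to be a /usr/local install, since Solaris 8 did not bundle it).

```sudoers
# Added example: a sudoers fragment for "root except a few things".
# All names and paths are assumptions for illustration.

# The one Sun Fire 280 this applies to (hostname assumed).
Host_Alias  SUNFIRE    = sunfire280

# The users who are to get near-root privilege.
User_Alias  FULLTIMERS = user1, user2, user3

# What they must not run through sudo: password changes, identity
# switches, logins to other hosts, and every shell on the box.
# Entries match on the exact path, so list every copy of each binary.
Cmnd_Alias  PASSWDCMDS = /usr/bin/passwd
Cmnd_Alias  SWITCHUSER = /usr/bin/su, /bin/su
Cmnd_Alias  REMOTE     = /usr/bin/rlogin, /usr/bin/rsh, /usr/bin/telnet, \
                         /usr/local/bin/ssh, /usr/local/bin/scp
Cmnd_Alias  SHELLS     = /usr/bin/sh, /bin/sh, /usr/bin/ksh, /usr/bin/csh, \
                         /usr/bin/bash, /usr/local/bin/bash
Cmnd_Alias  FORBIDDEN  = PASSWDCMDS, SWITCHUSER, REMOTE, SHELLS

# David's rule: everything as root, minus FORBIDDEN.
FULLTIMERS  SUNFIRE = ALL, !FORBIDDEN

# Allow changing other users' passwords but never root's (pattern from
# the sudoers manual). sudo applies the last matching entry, so the
# negated root form must come after the wildcard form. A bare
# "sudo passwd" (no argument, which would change root's password) does
# not match [A-Za-z]* and so stays denied by !FORBIDDEN above.
FULLTIMERS  SUNFIRE = /usr/bin/passwd [A-Za-z]*, !/usr/bin/passwd root
```

On a current sudo, `visudo -c -f /path/to/test.sudoers` syntax-checks a fragment like this before it goes anywhere near /etc/sudoers. Two caveats a practitioner should weigh before relying on it. First, `!` exclusions in sudoers are a convenience, not a boundary: the sudoers manual itself says they are generally not effective, because anything left inside `ALL` that can spawn a process (an editor's `:!sh`, `find / -exec /usr/bin/ksh \;`, or `cp /usr/bin/passwd /tmp/p` followed by `sudo /tmp/p root`) yields a root shell, and editing /etc/shadow with any editor changes root's password without ever running passwd. Chad's ROOTSHELLS variant is weaker still, since `sudo ksh` is already an unrestricted root shell. Second, requirement 3 (no root logins elsewhere on the network) cannot be enforced from the sudoers of this one box; it belongs on the target hosts, via `CONSOLE=/dev/console` in /etc/default/login and `PermitRootLogin no` in sshd_config. What sudo does give you here is accountability: every command it runs is logged via syslog under the invoking user's name, which is the control that usually matters most when root access was granted under protest.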
This archive was generated by hypermail 2.1.8 : Thu Mar 03 2016 - 06:43:26 EST