[debian-lan-devel] a ubuntuish gnome with an ACL to allow specific users to install stuff

Julien Lambot jlambot at gmail.com
Fri Sep 27 09:00:09 UTC 2013


On Fri, Sep 27, 2013 at 8:48 AM, Andreas B. Mundt <andi.mundt at web.de> wrote:

> Hi Julien,
>
> many thanks for sharing your modifications and improvements!
>

I'm happy to!

> Just a short comment, I am not sure if it's correct:
>
> On Fri, Sep 27, 2013 at 12:00:28AM +0200, Julien Lambot wrote:
> [...]
> >
> > +dn: cn=localadminsSynaptic,ou=sudoers,ou=gosa,dc=intern
> > +objectClass: top
> > +objectClass: sudoRole
> > +sudoHost: workstation*
> > +sudoHost: diskless*
> > +sudoHost: guest*
> > +cn: localadminsSynaptic
> > +sudoRunAs: ALL
> > +description: sudo rights to install additional packages on clients
> > +sudoUser: admin
> > +sudoCommand: sudo
>                 ^^^^
> Doesn't this allow to run all commands in the end using sudo?
>
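
Review bot: `sudoCommand: sudo` is the only sudoCommand value in this entry that is not an absolute path (the later ones are /usr/sbin/synaptic, /usr/bin/gpk-application and so on), and together with `sudoRunAs: ALL` it reads as permission to run sudo through sudo, which is what the question above picks up on. Check whether the rule behaves the same without this line and drop it if so; if it really is required, record the reason in `description` so the next reader does not have to re-test it.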

I checked to make sure I didn't mess up the whole thing, but it's OK. E.g.:

thome@workstation06:~$ sudo ifconfig
[sudo] password for thome:
Sorry, user thome is not allowed to execute '/sbin/ifconfig' as root on workstation06.intern.

thome@workstation06:~$ sudo synaptic

(synaptic:5658): Gtk-WARNING **: cannot open display:
-> this works (at least from the X environment)

So, it's indeed confusing that it has to be defined in the dn, but, if I
remember correctly, it was required to give access to sudo in order to run
it, and thus launch other commands.


> > +sudoCommand: /usr/sbin/synaptic
> > +sudoCommand: /usr/bin/synaptic-pkexec
> > +sudoCommand: /usr/bin/gpk-application
> > +sudoCommand: /usr/bin/gpk-update-viewer
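
Review bot: the four sudoCommand values in this hunk are all package-manager front ends, and the entry sets `sudoRunAs: ALL`, so sudoUser may run them as any account when root is all they need; narrow the run-as target to root. Installing a package as root also runs that package's maintainer scripts as root, so this role is effectively full root on every host matched by the sudoHost patterns, and `description` should say that rather than only "install additional packages".
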
> >
> > Well... That was one of my users requirements.
> > Comments welcome
>
> Thanks again and best regards,
>
>        Andi
>

Greetings.

Julien
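
The question raised in this thread about `sudoCommand: sudo` can be checked mechanically before a sudoRole is loaded into LDAP. The following is an added example, not part of the original message or the debian-lan code; it relies on the sudoers.ldap rule that a sudoCommand is a fully-qualified path, `sudoedit` or `ALL`, and the function names and the ESCALATORS list are assumptions made for illustration.

```python
import posixpath

# Constructed sample: the sudoRole from the quoted patch, diff "+" markers removed.
SAMPLE_LDIF = """\
dn: cn=localadminsSynaptic,ou=sudoers,ou=gosa,dc=intern
objectClass: sudoRole
sudoRunAs: ALL
sudoUser: admin
sudoCommand: sudo
sudoCommand: /usr/sbin/synaptic
"""
# Assumption: site-chosen list of programs that re-enter sudo or give a shell.
ESCALATORS = {"sudo", "su", "sh", "bash", "dash", "pkexec"}

def parse_ldif(text):
    """Yield {attribute: [values]} per entry; handles plain 'attr: value' lines."""
    entry, last = {}, None
    for line in text.splitlines() + [""]:
        if line.startswith(" ") and last:        # LDIF continuation line
            entry[last][-1] += line[1:]
        elif not line.strip():                   # blank line ends the entry
            if entry:
                yield entry
            entry, last = {}, None
        elif not line.startswith("#") and ":" in line:
            last, _, value = line.partition(":")
            entry.setdefault(last, []).append(value.strip())

def audit(text):
    """Return (dn, attribute, value, reason) for each finding in sudoRole entries."""
    findings = []
    for e in parse_ldif(text):
        if "sudoRole" not in e.get("objectClass", []):
            continue
        dn = e["dn"][0]
        for attr in ("sudoRunAs", "sudoRunAsUser"):
            if "ALL" in e.get(attr, []):
                findings.append((dn, attr, "ALL", "any target user, not only root"))
        for cmd in e.get("sudoCommand", []):
            prog = (cmd.split() or [""])[0]
            if cmd.startswith("!"):              # negated values grant nothing
                continue
            if cmd == "ALL":
                findings.append((dn, "sudoCommand", cmd, "matches every command"))
            elif prog != "sudoedit" and not prog.startswith("/"):
                findings.append((dn, "sudoCommand", cmd, "not a fully-qualified path"))
            if posixpath.basename(prog) in ESCALATORS:
                findings.append((dn, "sudoCommand", cmd, "privilege-escalation tool"))
    return findings
```

Calling `audit(SAMPLE_LDIF)` reports the `sudoRunAs: ALL` line and reports `sudoCommand: sudo` twice, once as unqualified and once as an escalation tool, while `/usr/sbin/synaptic` passes.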