README for sudo configuration
The programs newpolicy.pl and approve.pl write files to the directories
netspocdir, statusdir and historydir.
If these programs are called by different users,
each user would need write access to these directories.
For accountability reasons, files written to these directories
must not be changeable by an individual user.
We use "sudo" so that only those two programs, running as a dedicated user,
can write to these directories.
To achieve this,
- Create a dedicated user <X>, which owns netspocdir, statusdir and historydir.
- Add this user to /usr/local/etc/netspoc-approve as
systemuser = <X>
- A wrapper script "sudo-newpolicy" calls "sudo -u <X> newpolicy.pl".
- A wrapper script "diamonds" calls "sudo -u <X> do-approve".
- Add two entries to your /etc/sudoers file (edit it with visudo, which
  checks the syntax before saving):
  ALL ALL = (<X>) NOPASSWD : /usr/local/bin/newpolicy.pl
  ALL ALL = (<X>) NOPASSWD : /usr/local/bin/do-approve
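The ownership model above can be verified after installation. The following script is an added example and not part of netspoc-approve; it assumes the config file contains a line of the form "systemuser = <X>" and takes the three directory paths as arguments.

```shell
#!/bin/sh
# Added example (not netspoc-approve code): check that the directories
# written by newpolicy.pl and approve.pl are owned by the configured
# systemuser and are not writable by anyone else.

# Print the value of "systemuser = <X>" from a netspoc-approve config file.
# Blanks around the key and value are ignored, as are comment lines.
systemuser_from_config() {
    sed -n 's/^[[:space:]]*systemuser[[:space:]]*=[[:space:]]*\([^[:space:]#]*\).*/\1/p' "$1" | head -n 1
}

# Return 0 if every directory given after USER exists, is owned by USER and
# is neither group- nor world-writable; otherwise report each problem on
# stderr and return 1.
check_dirs_owned_by() {
    user="$1"; shift
    rc=0
    for d in "$@"; do
        if [ ! -d "$d" ]; then
            echo "missing directory: $d" >&2; rc=1; continue
        fi
        info=$(ls -ld "$d")
        mode=$(echo "$info" | awk '{print $1}')
        owner=$(echo "$info" | awk '{print $3}')
        if [ "$owner" != "$user" ]; then
            echo "$d is owned by $owner, expected $user" >&2; rc=1
        fi
        # Position 6 of the mode string is group write, position 9 is other write.
        case "$mode" in
            ?????w*|????????w*)
                echo "$d is writable by group or others ($mode)" >&2; rc=1 ;;
        esac
    done
    return $rc
}

# Usage: sudo-check CONFIGFILE NETSPOCDIR STATUSDIR HISTORYDIR
main() {
    cfg="$1"; shift
    user=$(systemuser_from_config "$cfg")
    [ -n "$user" ] || { echo "no systemuser in $cfg" >&2; return 1; }
    check_dirs_owned_by "$user" "$@"
}

if [ "$#" -gt 0 ]; then
    main "$@"
fi
```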