Re: [opensuse] Fine-graining Yast access
![](https://seccdn.libravatar.org/avatar/6a36ae610919ddd038b815c6d8c8d2eb.jpg?s=120&d=mm&r=g)
Hi Sergio / Hola Sergio,
as you know, you can "summon" single YaST modules directly.
For example:
yast2 sw_single -- for software management
yast2 lan -- for network configuration
etc.
Use yast2 --list for a complete list of modules available.
So, maybe you can wrap these commands on a shell script and combine these with sudo...
I haven't tried this myself so I cannot tell you whether it works or not...
My 2 cents...
Martin
----- Original Message ----
From: Instituto de Ingenieria Área de Sistemas Unix/Linux
![](https://seccdn.libravatar.org/avatar/abdee805d4df05af9a496107100c582c.jpg?s=120&d=mm&r=g)
* Martin Mielke
Hi Sergio / Hola Sergio,
as you know, you can "summon" single YaST modules directly. For example:
yast2 sw_single -- for software management yast2 lan -- for network configuration
etc.
Use yast2 --list for a complete list of modules available.
So, maybe you can wrap these commands on a shell script and combine these with sudo...
or change the group for the scripts. They reside in: /usr/share/YaST2/clients/ -- Patrick Shanahan Plainfield, Indiana, USA HOG # US1244711 http://wahoo.no-ip.org Photo Album: http://wahoo.no-ip.org/gallery2 Registered Linux User #207535 @ http://counter.li.org -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org For additional commands, e-mail: opensuse+help@opensuse.org
![](https://seccdn.libravatar.org/avatar/7ac97ea47b95f79d6f0501bd93df3062.jpg?s=120&d=mm&r=g)
On Thursday 26 June 2008 00:28, Martin Mielke wrote:
as you know, you can "summon" single YaST modules directly. For example:
yast2 sw_single -- for software management yast2 lan -- for network configuration
Nice idea, but this is a huge security hazard. For example, there is the
debugging xterm you can get in the Qt version with Shift-Ctrl-Alt-X. You
don't want restricted rights admins to get access to a root shell that
easily.
As of now, there is no really reliable and secure way for this "role based
access". We have been making plans and concepts for quite some time, but even
the concept phase is far from finished now. When we do it, we want to do it
right, and not open dozens of security problems.
Please also think about all the things an admin with permission to install
software can do. Basically, he can set up his own root shell or root kit RPM,
install that one and get root access for evermore.
CU
--
Stefan Hundhammer
participants (3)
-
Martin Mielke
-
Patrick Shanahan
-
Stefan Hundhammer