[sudo-users] New SUDO Schema Expantion
Todd C. Miller
Todd.Miller at courtesan.com
Mon Jan 31 10:45:14 EST 2011
On Mon, 31 Jan 2011 15:04:23 GMT, JR Aquino wrote:
> That is to say, you still need to have a complete Sudo rule full
> of permits and denies, and the addition of sudoOrder does not change
> that. It only allows you to supersede 1 complete rule object for
> another rule object.
>
> That is a lot different than having some allow rule objects and
> some deny rule objects which are all meant to overlap and provide
> granular controls via multiple rule objects.
That is certainly the intent, though now that you can specify
ordering there is nothing to stop you from making the rules more
granular, other than the pain of maintaining lots of extra rule
objects.
- todd
More information about the sudo-users
mailing list