placing sudoers in NFS mounted directory

Alek O. Komarnitsky (N-CSC) alek at ast.lmco.com
Thu May 31 23:18:21 EDT 2001


> From: Craig Cowen <craig at allmaui.com>
> Subject: Re: placing sudoers in NFS mounted directory
> To: "Todd C. Miller" <Todd.Miller at courtesan.com>
> Cc: "Guthzeit, Max (OTS-EDH)" <max_guthzeit at billing.com>,
>         "'sudo-users at courtesan.com'" <sudo-users at courtesan.com>
> 
> I would point out that you are creating a domino effect in that if you lose nfs
> you lose a lot.
> We use ssh and script it from a trusted host.
> I change one file and dist it out to all the other machines.


Good point ... in our environment, if you lose "/appl/sudo",
you've also lost "/usr/local/share" ... i.e. basically every "common"
application and/or symlink to it ... so you are in a world of
hurt as a user anyway ... but a Sysadmin *can* do an "su root"
if they need to fix things in a pinch ... although typically
the root cause is either a server issue (so you log in to that,
where sudo *IS* local) or network (not much you can do about
that until it comes back).

So in actual practice, the "need" for sudo on an NFS mounted client
where you have lost the mount point and/or NFS is actually pretty rare 
where it would be needed to "really" make a difference.

Just my experience - your mileage may vary ...
alek

P.S. This is not to say that a more robust environment would not
be rdist/rsync'ing it to **EVERY** machine ... but there's a tradeoff
between sending to dozens of machines versus hundreds ... and while
the sudo distribution changes rarely, the sudoers file is probably
updated (we've got a couple of hundred entries in there).


