netgroups for user/host selection

Paul Smith pausmith at nortelnetworks.com
Tue Dec 16 09:40:57 EST 2003


Our IS organization is interested in allowing users to have some very
restricted set of commands they can run as "root" on their own systems
(yes they're aware of the major issues inherent in this but...)

The thing is they don't want users to be able to run these commands on
other people's desktops, only their own.  So, we need a user,hostname
mapping in the sudoers file.  The problem is there are thousands of
users.


So, it seems like a good solution would be a netgroup; after all a
netgroup is distributed via NIS so it's centralized and easily and
quickly updatable (unlike sudoers files which need to be pushed out to
every system).  And, it contains the perfect structure: it can represent
user/hostname pairs.  Also we already have a decent infrastructure in
place internally for managing netgroups.


However, it seems from reading the sudoers manual that sudo cannot take
advantage of this: sudoers can use a netgroup either as a list of users
_OR_ as a list of hostnames, but not as a list of explicit user/hostname
pairs.


Did I miss something?  Is there a reason this is not a good idea, or is
it just that no one got around to implementing it yet?

Assuming this isn't possible is there any better way to manage this kind
of data than having to edit and push the sudoers file?  Maybe an LDAP
interface or something?  I guess that would run into the same issue?

If I missed something in the docs or FAQ please point me there: I did
search the sudoers site and with Google.


The systems we're using this on are Linux and Solaris, mostly, with some
HP-UX thrown in.  Mainly we're concerned with Linux, because most
Solaris boxes are either servers or are already configured with some
solution.

Thanks!

-- 
-------------------------------------------------------------------------------
 Paul D. Smith <psmith at nortelnetworks.com>   HASMAT: HA Software Mthds & Tools
 "Please remain calm...I may be mad, but I am a professional." --Mad Scientist
-------------------------------------------------------------------------------
   These are my opinions---Nortel Networks takes no responsibility for them.
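Added example (not part of the post above, and not sudo's own code): a small Python script that parses NIS-style netgroup data, whose members are (host,user,domain) triples, and contrasts the user/host pairs the netgroup actually lists with what a sudoers rule that references the same netgroup on both sides (`+NG +NG = (root) CMDS`) would grant, since sudoers reads a `+netgroup` as a plain user list on the left and a plain host list on the right. It also renders the per-pair sudoers lines that would otherwise have to be generated and pushed out. The netgroup names, hostnames, users and commands are constructed for the example.

```python
import re
from typing import Dict, List, Set, Tuple

Triple = Tuple[str, str, str]  # (host, user, domain) as stored in a NIS netgroup

# Constructed sample netgroup source (hypothetical names, not from the post).
SAMPLE_NETGROUP_FILE = """\
# desktops whose owner may run the restricted root commands
desktop-owners (ws-alice.example.com,alice,) (ws-bob.example.com,bob,) \\
               (ws-carol.example.com,carol,)
# nested netgroup plus one more pair
desktop-all    desktop-owners (ws-dave.example.com,dave,)
"""

TRIPLE_RE = re.compile(r"\(([^,()]*),([^,()]*),([^,()]*)\)")


def parse_netgroups(text: str) -> Dict[str, List[Triple]]:
    """Return {netgroup: [(host, user, domain), ...]} with nested
    netgroup names expanded.  Handles '#' comments and backslash
    line continuations; a reference loop raises ValueError."""
    raw: Dict[str, Tuple[List[Triple], List[str]]] = {}
    for line in text.replace("\\\n", " ").splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        name, _, rest = line.partition(" ")
        triples = [(h.strip(), u.strip(), d.strip())
                   for h, u, d in TRIPLE_RE.findall(rest)]
        nested = TRIPLE_RE.sub(" ", rest).split()  # remaining tokens are netgroup names
        raw[name] = (triples, nested)

    def expand(name: str, seen: Set[str]) -> List[Triple]:
        if name in seen:
            raise ValueError(f"netgroup loop involving {name}")
        triples, nested = raw[name]
        out = list(triples)
        for sub in nested:
            out.extend(expand(sub, seen | {name}))
        return out

    return {name: expand(name, set()) for name in raw}


def explicit_grants(triples: List[Triple]) -> Set[Tuple[str, str]]:
    """The (user, host) pairs the netgroup actually lists."""
    return {(user, host) for host, user, _ in triples if user and host}


def cross_product_grants(triples: List[Triple]) -> Set[Tuple[str, str]]:
    """What a sudoers line of the form '+NG +NG = (root) CMDS' grants:
    sudoers uses +NG as a user list on the left and as a host list on
    the right, so every listed user gets every listed host."""
    users = {user for _, user, _ in triples if user}
    hosts = {host for host, _, _ in triples if host}
    return {(u, h) for u in users for h in hosts}


def render_sudoers(triples: List[Triple], commands: List[str],
                   alias: str = "DESKTOP_CMDS") -> str:
    """Emit one explicit 'user host = (root) ALIAS' rule per pair; this is
    the file that would have to be regenerated and pushed out."""
    lines = [f"Cmnd_Alias {alias} = {', '.join(commands)}", ""]
    for user, host in sorted(explicit_grants(triples)):
        lines.append(f"{user}\t{host} = (root) {alias}")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    groups = parse_netgroups(SAMPLE_NETGROUP_FILE)
    pairs = groups["desktop-all"]
    print(f"explicit pairs: {len(explicit_grants(pairs))}, "
          f"pairs a +netgroup/+netgroup rule would grant: "
          f"{len(cross_product_grants(pairs))}")
    # /sbin/shutdown and /sbin/reboot are stand-in commands for the example
    print(render_sudoers(pairs, ["/sbin/shutdown", "/sbin/reboot"]))
```

With the four constructed pairs, the explicit mapping grants 4 user/host combinations while the `+NG +NG` rule grants all 16, which is exactly the over-grant the post wants to avoid. A generated file like the one `render_sudoers` produces should be syntax-checked with `visudo -c` before it is distributed.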


More information about the sudo-users mailing list