netgroups for user/host selection

Aaron Spangler aaron at
Tue Dec 16 23:52:44 EST 2003


If all you are doing is providing a list of users in a netgroup access to a 
list of hosts (possibly also by netgroup), then that is an easy one.  It's 
sort of like .rhosts entries of hostname,username, or replacing +@netgroup for 
either the hostname or the username (or both).

However, it creates a matrix: these 30 people in the netgroup can log in to 
these 40 workstations in the other netgroup.  Is this what you want?

If what you are doing is a one-to-one mapping for one user to one desktop, then 
another way to do it is to simply have one line for each user/host 
combination.  The big problem becomes administering the /etc/sudoers file on 
lots of boxes.  However, a small shell script to 'scp' it to all the 
workstations should do the trick.

A third alternative, which we are using in our organization, is to use an 
experimental LDAP feature of sudo that allows storing the /etc/sudoers 
contents in an LDAP server such as OpenLDAP, iPlanet, Microsoft Active 
Directory, or Novell NDS.  If you are interested in this, the code will be 
released sometime in the future; for right now the code is still 
experimental, but you can pull it out from the sudo cvs server via cvs.

Example on how to get the source:

cvs -d :pserver:anoncvs at login
(use 'anoncvs' as password)
Then do this to get the code.
cvs -d :pserver:anoncvs at get -r LDAP sudo

Then look at 'README.LDAP'


On Tuesday 16 December 2003 09:40 am, Paul Smith wrote:
> Our IS organization is interested in allowing users to have some very
> restricted set of commands they can run as "root" on their own systems
> (yes they're aware of the major issues inherent in this but...)
> The thing is they don't want users to be able to run these commands on
> other peoples' desktops, only their own.  So, we need a user,hostname
> mapping in the sudoers file.  The problem is there are thousands of
> users.
> So, it seems like a good solution would be a netgroup; after all a
> netgroup is distributed via NIS so it's centralized and easily and
> quickly updatable (unlike sudoers files which need to be pushed out to
> every system).  And, it contains the perfect structure: it can represent
> user/hostname pairs.  Also we already have a decent infrastructure in
> place internally for managing netgroups.
> However, it seems from reading the sudoers manual that sudo cannot take
> advantage of this: sudoers can use a netgroup either as a list of users
> _OR_ as a list of hostnames, but not as a list of explicit user/hostname
> pairs.
> Did I miss something?  Is there a reason this is not a good idea, or is
> it just that no one got around to implementing it yet?
> Assuming this isn't possible is there any better way to manage this kind
> of data than having to edit and push the sudoers file?  Maybe an LDAP
> interface or something?  I guess that would run into the same issue?
> If I missed something in the docs or FAQ please point me there: I did
> search the sudoers site and with Google.
> The systems we're using this on are Linux and Solaris, mostly, with some
> HP-UX thrown in.  Mainly we're concerned with Linux, because most
> Solaris boxes are either servers or are already configured with some
> solution.
> Thanks!

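To show what "one line for each user/host combination" looks like in practice, here is an added Python example (not code from the original thread or from the sudo project). It reads a NIS netgroup map in the (host,user,domain) triple form that ypcat prints, flattens nested netgroups, and emits one sudoers entry per user/host pair, so the pairing information the netgroup already carries is not lost the way it is when sudoers uses the netgroup only as a host list or only as a user list. The netgroup map, host names, user names and command list are constructed for the example.

```python
"""Turn NIS netgroup (host,user,domain) triples into one-line-per-pair
sudoers entries, i.e. the 'one line for each user/host combination' layout.

The netgroup map below is constructed sample data in the format printed by
`ypcat -k netgroup`; the command list is an assumed example policy.
"""
import re

# Constructed sample map, not real data.  In netgroup syntax an empty field
# is a wildcard ("(,bob,)" matches bob on every host) and "-" matches nothing.
SAMPLE_NETGROUP_MAP = """\
desktops (ws01,paul,) (ws02,jane,) (ws03,-,) (,bob,)
admins (,alice,) desktops
"""

# Assumed example policy: commands the desktop owner may run as root.
ALLOWED_CMDS = ["/sbin/reboot", "/usr/sbin/mount /cdrom"]

TRIPLE_RE = re.compile(r"\(([^,()]*),([^,()]*),([^,()]*)\)")


def parse_netgroup_map(text):
    """Return {netgroup: (triples, nested_netgroup_names)}."""
    groups = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, _, rest = line.partition(" ")
        triples = [tuple(f.strip() for f in t) for t in TRIPLE_RE.findall(rest)]
        # Whatever is left after removing the triples is a nested netgroup name.
        nested = TRIPLE_RE.sub(" ", rest).split()
        groups[name] = (triples, nested)
    return groups


def expand(groups, name, seen=None):
    """Flatten nested netgroups into a list of triples (cycle-safe)."""
    if seen is None:
        seen = set()
    if name in seen:
        return []
    seen.add(name)
    triples, nested = groups.get(name, ([], []))
    out = list(triples)
    for sub in nested:
        out.extend(expand(groups, sub, seen))
    return out


def user_host_pairs(triples):
    """Keep only triples that name both a host and a user.

    A wildcard host such as "(,bob,)" would let bob run the commands on every
    workstation, which is exactly what the per-pair layout is meant to avoid,
    so such triples are reported back rather than silently widened.
    """
    pairs, skipped = [], []
    for host, user, _domain in triples:
        if not host or not user or host == "-" or user == "-":
            skipped.append((host, user))
        else:
            pairs.append((user, host))
    return pairs, skipped


def sudoers_lines(pairs, cmds):
    """One 'user host = (root) cmds' entry per pair, sorted for stable diffs."""
    cmd_list = ", ".join(cmds)
    return [f"{user} {host} = (root) {cmd_list}" for user, host in sorted(pairs)]


def generate(netgroup_map, netgroup, cmds=ALLOWED_CMDS):
    """Return (sudoers_lines, skipped_triples) for one netgroup."""
    groups = parse_netgroup_map(netgroup_map)
    pairs, skipped = user_host_pairs(expand(groups, netgroup))
    return sudoers_lines(pairs, cmds), skipped


if __name__ == "__main__":
    lines, skipped = generate(SAMPLE_NETGROUP_MAP, "admins")
    print("\n".join(lines))
    for host, user in skipped:
        print(f"# skipped ({host!r},{user!r}): needs both a host and a user")
```

Write the output to a file and run `visudo -c -f <file>` before the scp push, so a syntax error never reaches a workstation's live sudoers. The contrast with the netgroup-as-list form is the point: an entry like `+desktops +desktops = (root) /sbin/reboot` grants every user in the netgroup the command on every host in it (the 30 x 40 matrix above), while the generated per-pair lines grant each user only their own host.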