netgroups for user/host selection
aaron at spangler.ods.org
Tue Dec 16 23:52:44 EST 2003
If all you are doing is providing a list of users in a netgroup access to a
list of hosts (possibly also by netgroup), then that is an easy one. It's
sort of like .rhosts entries of hostname,username or replacing +@netgroup for
either the hostname or the username (or both).
However, it creates a matrix: these 30 people in the netgroup can log in to
these 40 workstations in the other netgroup. Is this what you want?
If what you are doing is one-to-one mapping for one user to one desktop, then
another way to do it is to simply have one line for each user/host
combination. The big problem becomes administering the /etc/sudoers file on
lots of boxes. However a small shell script to 'scp' it to all the
workstations should do the trick.
A third alternative that we are using in our organization is to use an
experimental LDAP feature of sudo that allows storing the /etc/sudoers
contents into an LDAP server such as OpenLDAP, iPlanet, Microsoft Active
Directory, or Novell NDS. If you are interested in this, the code will be
released sometime in the future. For right now, the code is still
experimental, but you can pull it out from the sudo cvs server via cvs.
Example on how to get the source:
cvs -d :pserver:anoncvs@anoncvs.sudo.ws:/cvs login
(use 'anoncvs' as password)
Then do this to get the code.
cvs -d :pserver:anoncvs@anoncvs.sudo.ws:/cvs get -r LDAP sudo
Then look at 'README.LDAP'
On Tuesday 16 December 2003 09:40 am, Paul Smith wrote:
> Our IS organization is interested in allowing users to have some very
> restricted set of commands they can run as "root" on their own systems
> (yes they're aware of the major issues inherent in this but...)
> The thing is they don't want users to be able to run these commands on
> other peoples' desktops, only their own. So, we need a user,hostname
> mapping in the sudoers file. The problem is there are thousands of
> So, it seems like a good solution would be a netgroup; after all a
> netgroup is distributed via NIS so it's centralized and easily and
> quickly updatable (unlike sudoers files which need to be pushed out to
> every system). And, it contains the perfect structure: it can represent
> user/hostname pairs. Also we already have a decent infrastructure in
> place internally for managing netgroups.
> However, it seems from reading the sudoers manual that sudo cannot take
> advantage of this: sudoers can use a netgroup either as a list of users
> _OR_ as a list of hostnames, but not as a list of explicit user/hostname
> Did I miss something? Is there a reason this is not a good idea, or is
> it just that no one got around to implementing it yet?
> Assuming this isn't possible is there any better way to manage this kind
> of data than having to edit and push the sudoers file? Maybe an LDAP
> interface or something? I guess that would run into the same issue?
> If I missed something in the docs or FAQ please point me there: I did
> search the sudoers site and with Google.
> The systems we're using this on are Linux and Solaris, mostly, with some
> HP-UX thrown in. Mainly we're concerned with Linux, because most
> Solaris boxes are either servers or are already configured with some
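
The second alternative in the reply, one sudoers line per user/host combination, can be generated from netgroup (host,user,domain) triples like the ones the question describes. The script below is an added example, not code from this thread or from sudo; the netgroup name, the host and user names and the DESKTOP_CMDS alias are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): expand netgroup triples into
# one sudoers line per user/host pair. All names here are hypothetical.

# Constructed sample, in the layout `getent netgroup NAME` prints.
SAMPLE_NETGROUP='desktop-owners (ws01,alice,corp) (ws02,bob,corp) (,carol,corp) (ws04,-,corp) (ws05,dave ALL,corp) (ALL,erin,corp)'

# netgroup_to_sudoers CMND_ALIAS   (netgroup text on stdin)
# Prints "user host = (root) CMND_ALIAS" for each fully specified triple.
# A triple is skipped, with a note on stderr, when a field is:
#   - empty: an empty field in a netgroup triple is a wildcard
#   - "-":   matches nothing
#   - "ALL" or outside [A-Za-z0-9._-]: would change the meaning of the rule
netgroup_to_sudoers() {
    awk -v cmnd="$1" '
    function ok(s) { return s != "ALL" && s ~ /^[A-Za-z0-9_][A-Za-z0-9._-]*$/ }
    {
        line = $0
        while (match(line, /\([^()]*\)/)) {
            triple = substr(line, RSTART + 1, RLENGTH - 2)
            line = substr(line, RSTART + RLENGTH)
            n = split(triple, f, ",")
            if (n != 3 || !ok(f[1]) || !ok(f[2])) {
                printf "skipped (%s)\n", triple > "/dev/stderr"
                continue
            }
            printf "%s %s = (root) %s\n", f[2], f[1], cmnd
        }
    }'
}

# Demo on the constructed sample; DESKTOP_CMDS is a hypothetical Cmnd_Alias.
printf '%s\n' "$SAMPLE_NETGROUP" | netgroup_to_sudoers DESKTOP_CMDS
```

Check the assembled file with `visudo -c -f FILE` before copying it to the workstations, so a syntax error is caught on the admin host rather than on every desktop.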