netgroups for user/host selection

Paul Smith pausmith at
Wed Dec 17 08:09:17 EST 2003

Thanks for the note!

%% Aaron Spangler <aaron at> writes:

  as> However it creates a matrix of these 30 people in the netgroup can
  as> login to these 40 workstations in the other netgroup.  Is this
  as> what you want?

Correct, it creates a matrix, and no, that's not what I want.

  as> If what you are doing is one-to-one mapping for one user to one
  as> desktop,


  as> then another way to do it is to simply have one line for each user
  as> /host combination.  The big problem becomes administering the
  as> /etc/sudoers file on lots of boxes.

Yes, exactly.

  as> However a small shell script to 'scp' it to all the workstations
  as> should do the trick.

Well, that's a lot of infrastructure we don't have right now, to get ssh
for root set up everywhere, etc.  Plus it requires an active push to
every host each time the file changes.

NIS is the infrastructure we have in place to manage this kind of thing,
it handles this kind of environment very well, and netgroups _CAN_ hold
this information, except that sudo doesn't appear to provide for it.

A netgroup entry is already a host/user pair, it's just that the sudoers
file doesn't accept it in that way.  For example you can do something

  +my_netgroup +my_netgroup = MY_COMMANDS

which gives the above-mentioned matrix.  But why can't something like
this syntax:

  +my_netgroup = MY_COMMANDS

which is not ambiguous as far as I can see, be understood to take the
contents of my_netgroup as a set of specific host<->user pairs?

I don't care about the exact syntax of course.

I'm just wondering if there's some issue with this that I'm not seeing,
aside from the obvious (that no one's implemented it yet :)).

  as> A third alternative that we are using in our organization is to
  as> use an experimental LDAP feature of sudo that allows storing the
  as> /etc/sudoers contents into an LDAP server such as OpenLDAP,
  as> iPlanet, Microsoft Active Directory, or Novell NDS.  If you are
  as> interested in this, the code will be released sometime in the
  as> future, for right now, the code is still experimental, but you can
  as> pull it out from the sudo cvs server via cvs.

  as> Example on how to get the source:

  as> cvs -d :pserver:anoncvs at login
  as> (use 'anoncvs' as password)
  as> Then do this to get the code.
  as> cvs -d :pserver:anoncvs at get -r LDAP sudo

  as> Then look at 'README.LDAP'

Thanks, I might look into this.  We do already have LDAP servers
deployed so this is a possibility.

 Paul D. Smith <psmith at>   HASMAT: HA Software Mthds & Tools
 "Please remain calm...I may be mad, but I am a professional." --Mad Scientist
   These are my opinions---Nortel Networks takes no responsibility for them.
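The difference discussed above, as an added example that is not part of this thread: a netgroup is a list of (host,user,domain) triples, so using it on both sides of a sudoers rule grants every listed user on every listed host (the "matrix"), whereas the proposed pairwise reading would grant only the exact pairs. The script parses a constructed NIS-style netgroup line (hostnames, users and the netgroup name are made up), compares the two semantics, lists the excess grants the matrix form adds, and expands the triples into the explicit one-line-per-pair sudoers entries the other poster suggested. It ignores the domain field and does not handle wildcard (empty) fields or nested netgroups.

```python
import re
from itertools import product

# Constructed sample in NIS netgroup map syntax: name followed by (host,user,domain)
# triples. Names are invented for this example.
NETGROUP_MAP = """
my_netgroup (ws01,alice,-) (ws02,bob,-) (ws03,carol,-)
"""

TRIPLE_RE = re.compile(r"\(([^,()]*),([^,()]*),([^,()]*)\)")


def parse_netgroup(text, name):
    """Return the (host, user) pairs of netgroup `name`; the domain field is dropped.
    Wildcard (empty) fields and nested netgroup names are not supported here."""
    for line in text.splitlines():
        fields = line.split(None, 1)
        if len(fields) == 2 and fields[0] == name:
            return [(h.strip(), u.strip()) for h, u, _ in TRIPLE_RE.findall(fields[1])]
    raise KeyError(name)


def matrix_allowed(pairs, user, host):
    """What '+ng +ng = CMDS' grants today: any listed user on any listed host."""
    users = {u for _, u in pairs}
    hosts = {h for h, _ in pairs}
    return user in users and host in hosts


def pairwise_allowed(pairs, user, host):
    """The proposed reading of '+ng = CMDS': only the exact host/user pairs listed."""
    return (host, user) in pairs


def over_grants(pairs):
    """Host/user combinations the matrix form allows but the netgroup never listed."""
    users = sorted({u for _, u in pairs})
    hosts = sorted({h for h, _ in pairs})
    return [(h, u) for h, u in product(hosts, users) if (h, u) not in pairs]


def expand_to_sudoers(pairs, commands):
    """The per-pair alternative: one explicit 'user host = commands' sudoers line each."""
    return [f"{u} {h} = {commands}" for h, u in pairs]


if __name__ == "__main__":
    pairs = parse_netgroup(NETGROUP_MAP, "my_netgroup")
    print("matrix allows alice on ws02:", matrix_allowed(pairs, "alice", "ws02"))
    print("pairwise allows alice on ws02:", pairwise_allowed(pairs, "alice", "ws02"))
    print("excess grants from the matrix form:", over_grants(pairs))
    print("\n".join(expand_to_sudoers(pairs, "MY_COMMANDS")))
```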
