Implementing LDAP

Alek O. Komarnitsky (N-CSC) alek at ast.lmco.com
Sat Jan 25 13:45:03 EST 2003


> From sudo-users-bounces at sudo.ws Sat Jan 25 11:36 MST 2003
> From: Aaron Spangler <as at insight.rr.com>
> 
> We had one problem where the sudoers file was on a NFS share, and
> a user on one box used sudo to get local root and then modified the
> remote sudoers file and then granted themselves access to all systems.
> (Yes, - I know remote mounted sudoers is bad, but when you got several
> hundred machines - how else do you sync them up?)

I disagree that "remote mounted sudoers is bad" ... 

The NFS File Server should be exporting the sudoers file READ-ONLY
to the clients. So only folks with sudo/root access on the file server
itself can modify the sudoers file. And we actually have a SINGLE
sudoers file on ONE host that is rdisted out to those file-servers.

So if you don't "fully trust" a particular person/admin, then don't
give them access on either the file servers or the "master" server.
If you DID give them access, or at least enough to modify sudoers,
then you have inherently trusted them with the keys to the kingdom.
And if they did something against policy, then that is a non-technical 
problem and not a "fault" with sudo itself or remote mounting.

My two cents,
alek
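A check for the arrangement described above (sudoers exported read-only by the file server and mounted read-only on the clients), added here as an example and not part of the original post. The exports entries, the mount-table line, the hostnames and the paths are all constructed sample data.

```shell
#!/bin/sh
# Added example: audit that the directory holding a shared sudoers file is
# exported read-only by the NFS server and mounted read-only on the client.
# All inputs below are constructed so the script runs offline; the hosts
# and paths are hypothetical.

# Constructed /etc/exports from the file server: one ro export, one rw.
SAMPLE_EXPORTS='/export/sudo   client1.example.com(ro,sync) client2.example.com(ro,sync)
/export/home   client1.example.com(rw,sync)'

# Constructed client mount table in /proc/mounts format.
SAMPLE_MOUNTS='nfsserver:/export/sudo /etc/sudo.d nfs ro,vers=3,hard 0 0
nfsserver:/export/home /home nfs rw,vers=3,hard 0 0'

# export_is_readonly EXPORTS_TEXT PATH
# Exit 0 only if every client entry for PATH carries "ro" and none carries "rw".
export_is_readonly() {
    line=$(printf '%s\n' "$1" | awk -v p="$2" '$1 == p { print; exit }')
    [ -n "$line" ] || return 1           # path is not exported at all
    set -- $line; shift                  # drop the path, keep host(options) tokens
    [ $# -gt 0 ] || return 1             # no client entries
    for entry in "$@"; do
        opts=$(printf '%s' "$entry" | sed -n 's/^[^(]*(\(.*\))$/\1/p')
        case ",$opts," in
            *,rw,*) return 1 ;;          # explicitly writable: fail
            *,ro,*) ;;                   # explicitly read-only: ok
            *)      return 1 ;;          # no explicit ro: not proven safe
        esac
    done
    return 0
}

# mount_is_readonly MOUNTS_TEXT MOUNTPOINT
# Exit 0 if the client mounted MOUNTPOINT with the "ro" option.
mount_is_readonly() {
    opts=$(printf '%s\n' "$1" | awk -v m="$2" '$2 == m { print $4; exit }')
    case ",$opts," in
        *,ro,*) return 0 ;;
        *)      return 1 ;;
    esac
}

if export_is_readonly "$SAMPLE_EXPORTS" /export/sudo &&
   mount_is_readonly "$SAMPLE_MOUNTS" /etc/sudo.d; then
    echo "sudoers export: read-only on server and client"
else
    echo "sudoers export: NOT read-only" >&2
fi
```

On a real server, feed the function the contents of /etc/exports and the real mount table instead of the constructed samples.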

