christopher.sheldon at agile.com
Mon Jan 27 13:48:14 EST 2003
What about a runtime directive similar to Solaris's (and others')
nsswitch.conf(4) file? The sudoers file could have a directive that
tells it if it needs to check LDAP only, local file only or both, and
which order has precedence:

    sudo-auth: ldap files

or something similar. Does this inherently compromise security,
besides that local write access to the file permits a root user to
remove LDAP from the authentication scheme?

What about having this information stored in the LDAP server,
and if the binary is compiled "--with-ldap", then it looks to the
LDAP server for the (what would you call that?) sudoers file
switch information? This would still permit control of precedence,
but place it in a more secure location.
Aaron Spangler wrote:
> I am almost finished with my LDAP backend to SUDO. It replaces the
> parsing files. I wanted to get some feedback from the community to
> collaborate if people are already doing something similar so that the
> schemas would be compatible.
>
> I am thinking about two compile time directives.
>
> The first includes LDAP plus the local /etc/sudoers file. (Sort of
> /etc/passwd + NIS passwd.) The only problem with this option is that
> then you have to audit both a local configuration file and an LDAP
> in order to verify that people haven't been given unauthorized access.
> Although this would be the nicest since one build could work in both
> standalone or LDAP or hybrid environments. (So if permission was
> granted from either, you would have access.)
>
> The second mode disables the local mode. I have played around with
> even including any of the parsing files (lex.yy.c, parse.c,
> etc). We had one problem where the sudoers file was on an NFS share,
> a user on one box used sudo to get local root and then modified the
> remote sudoers file and then granted themselves access to all systems.
> (Yes - I know remote mounted sudoers is bad, but when you've got several
> hundred machines - how else do you sync them up?) So in this mode,
> there is NO LOCAL file. Currently I am compiling the LDAP server URL
> into the binary. Maybe we could read /etc/ldap.conf so that it would be
> compatible with pam_ldap or nss_ldap that would be running on the same
> system. Currently the pam_ldap code parser is under the GPL instead of
> the BSD-style license, but I might have some code that I can contribute
> that would do essentially the same parsing.
>
> Thoughts? Ideas? Please reply to the group.
> sudo-users mailing list <sudo-users at sudo.ws>
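Added example (not code from either message, and not sudo's own implementation): a small resolver for the `sudo-auth:` switch directive proposed in this thread, covering both of Aaron's modes. In "hybrid" mode a grant from any listed source counts, which is exactly why both the local file and LDAP have to be audited; in precedence mode the first source that knows the user is authoritative, nsswitch-style. Because the directive would live in a local file, the example also refuses a switch file that is not owned by the trusted uid or is group/world writable, the case Christopher raises where local write access can simply drop `ldap` from the list. The directive name `sudo-auth` comes from the message above; the rule sets, the file-check helper and the demo are constructed assumptions.

```python
"""Resolve sudo privilege lookups through an nsswitch-style 'sudo-auth:'
directive.  Example code for the thread's design discussion; the rule
sets below are constructed, not real sudoers or LDAP data."""
import os
import stat
import tempfile
from typing import Dict, List, Set, Tuple

# Constructed sample rules (user -> commands allowed), standing in for the
# parsed local /etc/sudoers and for what an LDAP backend would return.
LOCAL_RULES: Dict[str, Set[str]] = {"alice": {"/usr/bin/systemctl"}}
LDAP_RULES: Dict[str, Set[str]] = {"alice": {"/usr/bin/apt-get"}, "bob": {"/bin/ls"}}
SOURCES: Dict[str, Dict[str, Set[str]]] = {"files": LOCAL_RULES, "ldap": LDAP_RULES}


def parse_directive(text: str) -> List[str]:
    """Parse 'sudo-auth: ldap files' into an ordered list of sources.

    Unknown source names are rejected so that a typo cannot silently
    disable a backend; a file with no directive behaves like a plain
    sudo build and consults the local file only."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        key, sep, value = line.partition(":")
        if sep and key.strip() == "sudo-auth":
            order = value.split()
            if not order:
                raise ValueError("sudo-auth directive lists no sources")
            unknown = [s for s in order if s not in SOURCES]
            if unknown:
                raise ValueError(f"unknown sudo-auth source(s): {unknown}")
            return order
    return ["files"]


def lookup(user: str, order: List[str], hybrid: bool) -> Dict[str, Set[str]]:
    """Return {source: commands} for every source that granted something.

    hybrid=True : union of all listed sources (Aaron's first mode: a grant
                  in either place is enough, so both must be audited).
    hybrid=False: first source with an entry for the user is authoritative
                  (nsswitch-style precedence, later sources never consulted)."""
    grants: Dict[str, Set[str]] = {}
    for src in order:
        cmds = SOURCES[src].get(user)
        if cmds:
            grants[src] = set(cmds)
            if not hybrid:
                break
    return grants


def allowed(user: str, cmd: str, order: List[str], hybrid: bool) -> bool:
    """True if any consulted source grants 'cmd' to 'user'."""
    return any(cmd in cmds for cmds in lookup(user, order, hybrid).values())


def switch_file_is_trusted(path: str, trusted_uid: int = 0) -> bool:
    """Whoever can write the switch file can remove 'ldap' from it, so only
    honour a file owned by the trusted uid (root in practice) that is not
    writable by group or others, in the spirit of the ownership and mode
    checks sudo applies to sudoers itself."""
    st = os.stat(path)
    writable_by_others = st.st_mode & (stat.S_IWGRP | stat.S_IWOTH)
    return st.st_uid == trusted_uid and not writable_by_others


def demo_switch_file_check() -> Tuple[bool, bool]:
    """Constructed demo: a 0644 file owned by us passes, a 0666 one fails."""
    results = []
    for mode in (0o644, 0o666):
        fd, path = tempfile.mkstemp()
        os.close(fd)
        os.chmod(path, mode)
        results.append(switch_file_is_trusted(path, trusted_uid=os.geteuid()))
        os.unlink(path)
    return results[0], results[1]


if __name__ == "__main__":
    order = parse_directive("# constructed switch file\nsudo-auth: ldap files\n")
    for hybrid in (True, False):
        print("hybrid" if hybrid else "precedence", lookup("alice", order, hybrid))
    print("switch file checks (0644, 0666):", demo_switch_file_check())
```

Run it to see that `alice` gets `systemctl` from the local file only in hybrid mode; with precedence `ldap files`, the LDAP entry for `alice` shadows the local one entirely, so a local grant is invisible until the LDAP entry is removed. That is the trade-off the two messages describe: hybrid is convenient but doubles the audit surface, precedence is predictable but only as trustworthy as the file that sets the order.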