[sudo-users] sudo central management

donald.ritchey at exeloncorp.com
Thu Dec 15 12:12:57 EST 2005

Our implementation of sudo uses one sudoers file that is distributed by
rsync over ssh (using Public/Private key pairs).  

We have grouped our machines, users, and applications into classes and 
use the Host_Alias and Cmnd_Alias lines to set up the groups of systems 
and applications, then set up user IDs and UNIX groups to allocate the 
low-level permissions.  It results in a fairly large and visually 
complicated sudoers file, but it is the only method I can come up with 
to manage the 50 or so UNIX servers that we control.  

Luckily, most of our applications run on limited sets of servers and 
the applications run under their own application-specific user IDs, 
so the mapping of permissions is fairly cut and dried.

The complicators are the administrative and maintenance users that have
to have extra permissions on certain servers, but not others.  This results
in more sudoers entries than I would like, but it is still manageable.

The implementation is largely based on the example sudoers files in the
sudo package, so the documentation that comes with sudo is a good starting
point for customized sudoers files.  I am looking forward to an upcoming 
implementation of LDAP within our environment to eliminate the need for 
distributing a local sudoers file (other than a fail-safe version for 
emergency use).

Best of luck and thanks to all who have contributed to making sudo such
a good product.

Donald L. (Don) Ritchey
Information Technology
Exelon Corporation
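
A sketch of the single-file layout described in the message above, added here as an illustration. It is not Donald Ritchey's or Exelon's actual sudoers file, and every host name, user, group, account and command path in it is hypothetical.

```sudoers
# Constructed example: all names and paths below are hypothetical.
# The same file is installed on every server. sudo compares the host part
# of each rule with the local host name, so a rule only takes effect on
# the machines its Host_Alias names.

# Machine classes
Host_Alias  WEB_SERVERS = web01, web02, web03
Host_Alias  DB_SERVERS  = db01, db02
Host_Alias  ALL_MANAGED = WEB_SERVERS, DB_SERVERS

# Application command classes: full paths, with arguments pinned so a
# grant cannot be stretched to other subcommands
Cmnd_Alias  WEB_CTL = /usr/sbin/apachectl start, /usr/sbin/apachectl stop, \
                      /usr/sbin/apachectl graceful
Cmnd_Alias  DB_CTL  = /opt/db/bin/dbctl start, /opt/db/bin/dbctl stop
Cmnd_Alias  BACKUP  = /usr/local/sbin/run-backup

# People who need more than their application group gives them
User_Alias  FULL_ADMINS = alice, bob
User_Alias  DB_MAINT    = carol

# Application-specific accounts the commands run as
Runas_Alias WEB_ID = webapp
Runas_Alias DB_ID  = dbapp

# UNIX groups carry the per-application permissions
%webteam     WEB_SERVERS = (WEB_ID) WEB_CTL
%dbteam      DB_SERVERS  = (DB_ID)  DB_CTL

# Maintenance user with an extra right on the database class only;
# the rule never matches on a web server
DB_MAINT     DB_SERVERS  = (root) BACKUP

# Administrators, limited to the machine classes listed above
FULL_ADMINS  ALL_MANAGED = (ALL) ALL
```

Running `visudo -c -f` against the master copy before it is distributed catches syntax errors that would otherwise reach every server at once.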

-----Original Message-----
From: sudo-users-bounces at courtesan.com
[mailto:sudo-users-bounces at courtesan.com]On Behalf Of
Ken_Abrahamsen at mikronvinyl.com
Sent: Thursday, December 15, 2005 10:11 AM
To: Pantejo, Barbara (Citco)
Cc: 'sudo-users at sudo.ws'; sudo-users-bounces at courtesan.com
Subject: Re: [sudo-users] sudo central management

We have one sudoers configuration for all our servers, but we only have 9 
Ken Abrahamsen
Mikron Industries, Inc.
1034 6th Avenue North
Kent, WA  98032
Email: Ken_Abrahamsen at mikronvinyl.com
Voice: 253-398-1365

"Pantejo, Barbara   (Citco)" <BPantejo at citco.com>
Sent by: sudo-users-bounces at courtesan.com
12/15/2005 08:02 AM

        To:     "'sudo-users at sudo.ws'" <sudo-users at sudo.ws>
        Subject:        [sudo-users] sudo central management

Hi everyone,

I'm new to the list so wasn't sure if my question has already been
discussed, yet.

I was wondering if anyone has a way to centrally manage sudo? We have 100+
servers (various unix/linux flavors). Most, if not all, have had sudo
installed with different configurations in each sudoers file. We want a way
to organize and manage these files and wanted to get others' perspectives 
on how to go about this. I started taking a look at the different sudoers
files and tried to consolidate into 1, but this is becoming a very arduous
task. Is there a better way?

Any suggestions and comments are appreciated.
