[sudo-users] Re: share a sudoers file
Mark F
mfaine at knology.net
Tue Nov 22 12:52:43 EST 2005
DietrichT at schneider.com wrote:
> We also manage our sudoers file in the same manner that Russel described
> below. We have one master copy, and then we use a cron script to scp the
> master file to all of our other servers.
>
> Thanks,
> Tim
> --------------------------------------------------
> Tim Dietrich
> Information Security Team
> Schneider National, Inc.
>
> Russell Van Tassell <russell+sudo-users at loosenut.com>
> Sent by: sudo-users-bounces at courtesan.com
> 11/22/2005 11:21 AM
>
> To: Mark F <mfaine at knology.net>
> cc: sudo-users at sudo.ws
> Subject: Re: [sudo-users] share a sudoers file
>
> On Mon, Nov 21, 2005 at 03:15:20PM -0600, Mark F wrote:
>
>>I'd like to share a sudoers file on a smb share amongst several Linux
>>boxes. I thought to put it by itself in the share and set a symlink,
>>/etc/sudoers to point to /my/shared/directory/sudoers but visudo
>>overwrites the symlink? How is this normally done?
>>
>>Thanks,
>>-Mark
>
>
> Well, it can be done, but what happens if the SMB share is unavailable?
> Myself, I have one "master" system that has a local copy of the sudoers
> files in its default place (you can compile it to go elsewhere, too, if
> you're so inclined) then use a distribution mechanism to send out local
> copies to all machines that need one. You only need "visudo" to manage
> the lock and manage the "safety" and syntax of the file (i.e. good
> practice in a place where you have multiple admins making modifications
> to systems). Hope that helps...
>
> Russell
>
> --
> Russell M. Van Tassell
> russell at loosenut.com
>
> "I do not fear love but I fear what comes next. I fear when it does not
> come at all. I fear the extreme and the feeling of loss."
> - Douglas Coupland
> ____________________________________________________________
> sudo-users mailing list <sudo-users at sudo.ws>
> For list information, options, or to unsubscribe, visit:
> http://www.sudo.ws/mailman/listinfo/sudo-users
>
SCP doesn't sound like a good option to me as every server I'd be
copying it to would have a different password (all of which) I'd have
to hard code into a file. It would have to be the root password as well.
Those passwords change every month so then I'd have to remember to
update the file. Sounds like a big security hole and a lot of hassle.
I'm thinking about aliasing visudo to a script that runs visudo and
then scps the new sudoers file to each server, requesting a password for
each. Means I can't cron job it, but I'd sleep better at night.
Thanks,
-Mark
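
Added example, not part of the original thread: whichever way the master copy reaches a host, the receiving side can refuse to install a copy that fails the syntax check the replies rely on visudo for. The function name `install_sudoers` and the `SUDOERS_CHECK` override are hypothetical; the default check is `visudo -c -f FILE`.

```shell
#!/bin/sh
# Added example: install a received sudoers copy only if it passes a syntax check.
# Usage on each target host: install_sudoers /path/to/received/copy [TARGET]
# SUDOERS_CHECK (hypothetical) overrides the validator; default is "visudo -c -f".

install_sudoers() {
    candidate=$1
    target=${2:-/etc/sudoers}
    check=${SUDOERS_CHECK:-visudo -c -f}

    # Refuse missing, empty, or symlinked candidates.
    if [ ! -f "$candidate" ] || [ -L "$candidate" ] || [ ! -s "$candidate" ]; then
        echo "install_sudoers: $candidate is not a regular non-empty file" >&2
        return 2
    fi

    # Stage a private copy next to the target so the final rename stays on
    # one filesystem and readers never see a half-written file.
    tmp=$(mktemp "$(dirname "$target")/.sudoers.XXXXXX") || return 3
    if ! cp "$candidate" "$tmp" || ! chmod 0440 "$tmp"; then
        rm -f "$tmp"
        return 3
    fi
    # Ownership can only be set when running as root (the normal case).
    if [ "$(id -u)" -eq 0 ]; then
        chown 0:0 "$tmp" || { rm -f "$tmp"; return 3; }
    fi

    # Validate the staged copy, so the bytes checked are the bytes installed.
    # $check is intentionally unquoted: it holds a command plus its flags.
    if ! $check "$tmp" >/dev/null 2>&1; then
        echo "install_sudoers: syntax check failed, $target left unchanged" >&2
        rm -f "$tmp"
        return 1
    fi

    mv -f "$tmp" "$target"
}
```

A return code of 1 means the copy was rejected and the existing file is untouched, which a cron job can turn into an alert.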