[sudo-users] Re: share a sudoers file

Mark F mfaine at knology.net
Tue Nov 22 12:52:43 EST 2005


DietrichT at schneider.com wrote:
> We also manage our sudoers file in the same manner that Russell described
> below. We have one master copy, and then we use a cron script to scp the
> master file to all of our other servers.
> 
> Thanks,
> Tim
> --------------------------------------------------
> Tim Dietrich
> Information Security Team
> Schneider National, Inc.
> 
>
> From: Russell Van Tassell <russell+sudo-users at loosenut.com>
> Sent by: sudo-users-bounces at courtesan.com
> Date: 11/22/2005 11:21 AM
> To: Mark F <mfaine at knology.net>
> cc: sudo-users at sudo.ws
> Subject: Re: [sudo-users] share a sudoers file
>
> On Mon, Nov 21, 2005 at 03:15:20PM -0600, Mark F wrote:
> 
>>I'd like to share a sudoers file on a smb share amongst several Linux
>>boxes.  I thought to put it by itself in the share and set a symlink,
>>/etc/sudoers to point to /my/shared/directory/sudoers but visudo
>>overwrites the symlink?  How is this normally done?
>>
>>Thanks,
>>-Mark
> 
> 
> Well, it can be done, but what happens if the SMB share is unavailable?
> Myself, I have one "master" system that has a local copy of the sudoers
> files in its default place (you can compile it to go elsewhere, too, if
> you're so inclined) then use a distribution mechanism to send out local
> copies to all machines that need one.  You only need "visudo" to manage
> the lock and manage the "safety" and syntax of the file (i.e. good
> practice in a place where you have multiple admins making modifications
> to systems).  Hope that helps...
> 
> Russell
> 
> --
> Russell M. Van Tassell
> russell at loosenut.com
> 
> "I do not fear love but I fear what comes next.  I fear when it does not
>  come at all.  I fear the extreme and the feeling of loss."
>                                                       - Douglas Coupland
> ____________________________________________________________
> sudo-users mailing list <sudo-users at sudo.ws>
> For list information, options, or to unsubscribe, visit:
> http://www.sudo.ws/mailman/listinfo/sudo-users
> 
SCP doesn't sound like a good option to me as every server I'd be 
copying it to would have a different password, all of which I'd have 
to hard code into a file. It would have to be the root password as well. 
Those passwords change every month so then I'd have to remember to 
update the file.  Sounds like a big security hole and a lot of hassle.

I'm thinking about aliasing visudo to a script that runs visudo and 
then scps the new sudoers file to each server, requesting a password for 
each.  Means I can't cron job it, but I'd sleep better at night.

Thanks,
-Mark
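
The receiving side of the distribution scheme discussed in this thread, as an added example that is not code from any of the posters: whichever way the master copy reaches a server, the staged file is syntax-checked with `visudo -c -q -f` and only then renamed over the live file. The function name `install_sudoers` and the `SUDOERS_CHECK` override are hypothetical names chosen for this sketch.

```shell
#!/bin/sh
# Added example: validate a distributed sudoers copy before installing it.
# SUDOERS_CHECK is a hypothetical override so the check can be stubbed;
# by default the real "visudo -c -q -f FILE" syntax check is used.

# install_sudoers STAGED DEST
# Returns 0 if DEST was replaced, 1 if STAGED was rejected (DEST untouched).
install_sudoers() {
    staged=$1
    dest=$2
    check=${SUDOERS_CHECK:-visudo -c -q -f}

    # Refuse empty or missing input: a truncated transfer must not win.
    if [ ! -s "$staged" ]; then
        echo "install_sudoers: $staged missing or empty" >&2
        return 1
    fi

    # Syntax check runs on the staged copy, never on the live file.
    if ! $check "$staged" >/dev/null 2>&1; then
        echo "install_sudoers: $staged failed syntax check" >&2
        return 1
    fi

    # Build the replacement next to DEST so the final mv is a rename on
    # the same filesystem: sudo sees the old file or the new one, never half.
    tmp=$(mktemp "$dest.XXXXXX") || return 1
    if ! cp "$staged" "$tmp" || ! chmod 0440 "$tmp"; then
        rm -f "$tmp"
        return 1
    fi
    # sudo expects the file to be owned by uid 0; only root can set that.
    if [ "$(id -u)" -eq 0 ] && ! chown 0:0 "$tmp"; then
        rm -f "$tmp"
        return 1
    fi
    if ! mv -f "$tmp" "$dest"; then
        rm -f "$tmp"
        return 1
    fi
    return 0
}
```

Run as root on each server, for instance `install_sudoers /var/tmp/sudoers.new /etc/sudoers`, where the staging path is a placeholder.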



