[sudo-users] Less security with sudo+ldap?

Glenn Pitcher Glenn.Pitcher at MedImpact.com
Wed Oct 5 12:46:59 EDT 2005

I'm having some problems trying to figure out how to get the same level of
security with sudo+ldap that we currently enjoy by using a local sudoers
Take for instance the following example:
%ldapgroup ALL=(nobody) NOPASSWD:ALL
%ldapgroup ALL=(webservd) NOPASSWD:ALL
%ldapgroup ALL=(root) NOPASSWD:/usr/local/etc/script1.sh,
If I put this into LDAP, you get:
dn: cn=%ldapgroup,dc=sudoers,dc=domain,dc=com
objectClass: top
objectClass: sudoRole
cn: %ldapgroup
sudoUser: %ldapgroup
sudoRunAs: nobody
sudoRunAs: webservd
sudoRunAs: root
sudoCommand: ALL
sudoCommand: /usr/local/etc/script1.sh
sudoCommand: /usr/local/etc/script2.sh
sudoHost: ALL
sudoOption: !authenticate
Now, if a user does a 'sudo -l', they'll get back:
User <username> may run the following commands on this host:
    (nobody) NOPASSWD: ALL
    (webservd) NOPASSWD: ALL
    (root) NOPASSWD: /usr/local/etc/script1.sh
    (root) NOPASSWD: /usr/local/etc/script2.sh

LDAP Role: %ldapgroup
  RunAs: (nobody, webservd, root)
As you can see, the LDAP solution provides for less security than what was
specified in the local sudoers file.  For example, in the local sudoers
file, the user could only run 2 scripts as root.  With LDAP, they can do
anything as root.  Is there anyway of tightening this down further?
Glenn Pitcher
IT Security
MedImpact Healthcare Systems
San Diego, CA
glenn.pitcher @ medimpact.com

This transmission, together with any attachments, is intended only for the use of those to whom it is addressed and may contain information that is privileged, confidential, and exempt from disclosure under applicable law.  If you are not the intended recipient, you are hereby notified that any distribution or copying of this transmission is strictly prohibited.  If you received this transmission in error, please notify the original sender immediately and delete this message, along with any attachments, from your computer.

More information about the sudo-users mailing list