[sudo-users] Sudoers Web Interface

Michael Potter pottmi at gmail.com
Mon Jun 11 21:20:33 EDT 2007


includes would be cool.

You know what else would be cool...
specifying which sudoers file to use on the command line.

If poorly implemented, that could lead to some interesting attacks, but
I think it could be implemented safely.  I don't think the attacks are
much different from includes.

For instance, there could be a restriction that the specified file
must be in the directory /etc/sudo and owned by root.

I think this would enhance security because once a set of rules is
created and tested you can be pretty sure that someone else's
additions to a different sudoers file did not have any unintended side
effects.

I would use that feature for sure.

-- 
Michael Potter

On 5/31/07, Brian Gupta <brian.gupta at gmail.com> wrote:
> One thing that I think will greatly help is that 1.7 plans to allow
> multiple include statements in the sudoers file. (I can break up my
> sudoers file into multiple files.)
>
> On 5/31/07, Edward <ed_perry at mac.com> wrote:
> > Well, my only issue is that if you're doing all of your authentication
> > from LDAP and you want to maintain sudoers, then you should be looking
> > for a PAM module that will do your sudo authentication too.
> >
> > Yes, a flat file would be simple and, like you said, if it is for a
> > handful of systems and sudoers, then the old method of VI/Emacs (AKA
> > visudoers) would work just fine. My problem is I have 4 files to
> > maintain, but they have over 5000 lines of commands.
> >
> > So in order to organize this all a little bit better, I took a concept
> > that I wrote in perl and put it into this web GUI.
> >
> > Agreed, more thought has to go into the use case, and cleanup of the
> > install process, but in the end you will still need to install Tomcat
> > and maybe a database/LDAP.
> >
> >
> > Eric S. Johansson wrote:
> > > Brian Gupta wrote:
> > >>> LDAP should not be that hard to implement, though I have never used it.
> > >>> I'll have to add this to the research to-do list. Though that probably
> > >>> would be a great solution because I would not have to build a screen to
> > >>> populate the data; just export it from an existing DB and let the admin
> > >>> add it through his normal LDAP screen.
> > >>
> > >> I ask because many people keep their sudo data in LDAP.
> > >
> > > Brian makes a very good point.  LDAP seems to be the repository of
> > > choice for authentication information.  We may have two or three usage
> > > cases here depending on what number of users makes it worthwhile to
> > > switch to LDAP.  A small number of users on a single system should be
> > > a flat file.  A medium number (30-100) a stand-alone database, but as
> > > soon as you get to shared authentication data across multiple machines
> > > or any other condition requiring the use of an LDAP backend, then you
> > > want to go LDAP.
> > >
> > > The big challenge for small to medium size is the install time.  If
> > > it takes me more than 15 minutes to install and I've got a single
> > > machine with a limited number of users (i.e. under 50), then doing
> > > it the old-fashioned way is easier.
> > >
> > > Personally, I think that any application that takes longer than 15-30
> > > minutes to install and get the basic configuration right is not
> > > packaged correctly.  Heck, getting NaturallySpeaking working halfway
> > > right takes 20 minutes with training, and that's a very complex
> > > application.  On the other hand, I do use Emacs and no matter how many
> > > years you use it, the configuration is never completely right.  You
> > > just tolerate how far you've gotten so far. :-)
> > >
> > > ---eric
> > >
> > >
> >
> >
> ____________________________________________________________
> sudo-users mailing list <sudo-users at sudo.ws>
> For list information, options, or to unsubscribe, visit:
> http://www.sudo.ws/mailman/listinfo/sudo-users
>


