[sudo-users] 'include' files in /etc/sudoers?

Steden Klaus Klaus.Steden at thomson.net
Fri Sep 7 23:32:18 EDT 2007


Hello everyone,

I'm working on a project that makes use of sudo to swap user credentials efficiently; it's a grid application built around Sun Grid Engine that submits jobs on behalf of users (but has to switch to the submitting user when adding jobs).

We're working on making the software more portable, and sudo is a big component of making it work smoothly.

However, user environments in the real world often have their own /etc/sudoers, often highly-customized for their operational needs.

So the question I'm wrangling right now is how to effectively incorporate our sudoers requirements into a new environment where there's no guarantee that the local sudoers file looks like something that can be merged via 'patch', or will even necessarily exist.

An idea that I've been kicking around, and I'm wondering if it has legs, is whether sudo would support an 'include' directive, the way /etc/ld.so.conf allows /sbin/ldconfig to reference additional files or directories with ldconfig information in them, i.e.

In a file called '/etc/sudoers.d/foo.sudoers'
-- cut --
Cmnd_Alias FOO = /path/to/my/prog/foo

%users ALL=(ALL) NOPASSWD:FOO
-- cut --

In the file '/etc/sudoers'
-- cut --
[...]
Include_Path = /etc/sudoers.d
[...]
-- cut --

where 'Include_Path' would be a comma-separated list of directories to search for additional sudoers directive files.

or

Different functionality, also in '/etc/sudoers'
-- cut --
[...]
Include_File = /etc/sudoers.d/foo.sudoers
[...]
-- cut --

where 'Include_File' would be a comma-separated list of files to read when opening /etc/sudoers.


Obviously, the same restrictions on permissions and ownership, and editing with 'visudo' would apply to these files as apply to /etc/sudoers, but ... does something like this exist? Would it be a massive violation of software integrity or common sense to implement it?

cheers,
Klaus
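[Editor's note, not part of the post above.] The mechanism the post asks for does exist in later sudo releases: since sudo 1.7.2 (2009), /etc/sudoers accepts `#include FILE` and `#includedir DIR` (the leading `#` does not make them comments), and sudo 1.9.1 added the `@include` / `@includedir` spellings. Most Linux distributions now ship an /etc/sudoers that ends in `#includedir /etc/sudoers.d`. Files in an included directory are parsed in sorted lexical order, names containing a `.` or ending in `~` are silently skipped (so package-manager leftovers like `foo.rpmnew` and editor backups never become live), and each fragment is subject to the same owner/mode checks as /etc/sudoers itself; one drop-in with bad permissions or a syntax error makes sudo refuse the whole configuration, not just that fragment. The script below is an added example, written for this page and not taken from the post or from the sudo project: it installs a drop-in in the shape the post sketched and audits a drop-in directory the way sudo's includedir scan treats it. The directory argument, the file name `sge-submit` and the command path `/opt/sge/bin/submit-as-user` are assumptions for illustration; GNU `stat` is assumed (Linux), with a BSD fallback.

```shell
#!/bin/sh
# Added example (not from the original post or from the sudo project).
# Assumed names: the drop-in "sge-submit" and the path
# /opt/sge/bin/submit-as-user.  The main sudoers only needs one line:
#     #includedir /etc/sudoers.d
# Everything below manages what lives in that directory.

# write_fragment DIR
#   Install the drop-in the post sketched, in real #includedir form.
#   Mode 0440 is what sudo expects for any sudoers file.
write_fragment() {
    cat > "$1/sge-submit" <<'EOF'
# Installed by the grid package. Edit only with: visudo -f /etc/sudoers.d/sge-submit
Cmnd_Alias SGE_SUBMIT = /opt/sge/bin/submit-as-user
%users ALL=(ALL) NOPASSWD: SGE_SUBMIT
EOF
    chmod 0440 "$1/sge-submit"
}

# includedir_would_read NAME
#   sudo's rule for an #includedir scan: names containing a '.'
#   (foo.rpmnew, foo.dpkg-dist, foo.bak) or ending in '~' are skipped.
includedir_would_read() {
    case $1 in
        *.*|*~) return 1 ;;
        *)      return 0 ;;
    esac
}

# mode_acceptable OCTAL
#   sudo rejects a sudoers file that has any permission bit outside
#   0440 (e.g. 0640 or 0444).  A leading 0 forces octal in $(( )).
mode_acceptable() {
    [ $(( 0$1 & ~0440 )) -eq 0 ]
}

# audit_includedir DIR
#   Print one line per entry: "live NAME", "skipped NAME" or
#   "rejected NAME MODE".  Returns 1 if any live file would make sudo
#   refuse the whole configuration.  The shell glob is sorted, which
#   is also the order sudo parses the directory in.
audit_includedir() {
    rc=0
    for path in "$1"/*; do
        [ -e "$path" ] || continue
        name=${path##*/}
        if ! includedir_would_read "$name"; then
            echo "skipped $name"
            continue
        fi
        # GNU stat first (assumed Linux host), BSD stat as fallback.
        mode=$(stat -c '%a' "$path" 2>/dev/null || stat -f '%OLp' "$path")
        if mode_acceptable "$mode"; then
            echo "live $name"
        else
            echo "rejected $name $mode"
            rc=1
        fi
    done
    return $rc
}

# check_syntax FILE
#   Parse-check one fragment without touching /etc/sudoers.  visudo -c
#   also verifies owner and mode, so a copy owned by a non-root test
#   user is reported as well.  Returns 2 when visudo is not installed.
check_syntax() {
    command -v visudo >/dev/null 2>&1 || return 2
    visudo -c -f "$1"
}

# Usage: sh audit-sudoers-d.sh /etc/sudoers.d
if [ "$#" -gt 0 ]; then
    audit_includedir "$1"
fi
```

Two practical points for the grid package the post describes. First, ship the fragment as a file that a package manager installs with mode 0440 and root ownership, and never rewrite /etc/sudoers itself; `visudo -c -f` on the fragment belongs in the package's post-install step. Second, the security of this fragment rests entirely on the target binary: `%users ALL=(ALL) NOPASSWD:` lets every member of `users` run it as any account, root included, so the command must itself decide which user a job may be submitted as, and must not take that from an argument it trusts blindly.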
