[sudo-users] 'include' files in /etc/sudoers?

Steden Klaus Klaus.Steden at thomson.net
Sat Sep 8 00:43:43 EDT 2007


Brilliant! Best thing I've read all day. :-)

Klaus

-----Original Message-----
From:	brian.gupta at gmail.com on behalf of Brandorr
Sent:	Fri 9/7/2007 9:06 PM
To:	Steden Klaus
Cc:	sudo-users at sudo.ws
Subject:	Re: [sudo-users] 'include' files in /etc/sudoers?

Your timing is serendipitous.  Less than 24 hours ago Todd cut 1.7a1
(alpha), which happens to support include directives.

Cheers,
Brian

On 9/7/07, Todd C. Miller <Todd.Miller at courtesan.com> wrote:
> Download links:
>     http://www.sudo.ws/sudo/dist/beta/sudo-1.7a1.tar.gz
>     ftp://ftp.sudo.ws/pub/sudo/beta/sudo-1.7a1.tar.gz

>  * Sudoers now supports a #include facility to allow the inclusion of other
>    sudoers-format files.

On 9/7/07, Steden Klaus <Klaus.Steden at thomson.net> wrote:
>
> Hello everyone,
>
> I'm working on a project that makes use of sudo to swap user credentials efficiently; it's a grid application built around Sun Grid Engine that submits jobs on behalf of users (but has to switch to the submitting user when adding jobs).
>
> We're working on making the software more portable, and sudo is a big component of making it work smoothly.
>
> However, user environments in the real world often have their own /etc/sudoers, often highly-customized for their operational needs.
>
> So the question I'm wrangling right now is how to effectively incorporate our sudoers requirements into a new environment where there's no guarantee that the local sudoers file looks like something that can be merged with via 'patch' or will even necessarily exist.
>
> An idea that I've been kicking around and I'm wondering if it has legs is if sudo would support an 'include' directive, the way /etc/ld.so.conf allows /sbin/ldconfig to reference additional files or directories with ldconfig information in them, i.e.
>
> In a file called '/etc/sudoers.d/foo.sudoers'
> -- cut --
> Cmnd_Alias FOO = /path/to/my/prog/foo
>
> %users ALL=(ALL) NOPASSWD:FOO
> -- cut --
>
> In the file '/etc/sudoers'
> -- cut --
> [...]
> Include_Path = /etc/sudoers.d
> [...]
> -- cut --
>
> where 'Include_Path' would be a comma-separated list of directories to search for additional sudoers directive files.
>
> or
>
> Different functionality, also in '/etc/sudoers'
> -- cut --
> [...]
> Include_File = /etc/sudoers.d/foo.sudoers
> [...]
> -- cut --
>
> where 'Include_File' would be a comma-separated list of files to read when opening /etc/sudoers.
>
>
> Obviously, the same restrictions on permissions and ownership, and editing with 'visudo' would apply to these files as apply to /etc/sudoers, but ... does something like this exist? Would it be a massive violation of software integrity or common sense to implement it?
>
> cheers,
> Klaus
>


-- 
- Brian Gupta

http://opensolaris.org/os/project/nycosug/
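The thread notes that included files need the same ownership and permission restrictions as /etc/sudoers. The following is an added example, not code from the thread or from the sudo project: a small auditor that follows `#include` directives and reports any file that breaks the policy. The function name `audit_sudoers` and the policy it enforces (owner uid 0, mode exactly 0440, no symlinks) are assumptions made for illustration.

```python
import os
import re
import stat

# In sudoers, "#include <path>" is a directive, not a comment.
INCLUDE_RE = re.compile(r"^#include\s+(\S+)$")

def audit_sudoers(path, owner_uid=0, required_mode=0o440, _stack=()):
    """Audit `path` and every file it #includes.

    Returns a list of (file, problem) tuples; an empty list means clean.
    owner_uid and required_mode are the assumed policy (root-owned, 0440).
    """
    real = os.path.realpath(path)
    if real in _stack:
        return [(path, "include loop")]
    try:
        st = os.lstat(path)
    except OSError:
        return [(path, "missing or unreadable")]
    if not stat.S_ISREG(st.st_mode):
        return [(path, "not a regular file")]  # symlinks rejected (assumed policy)
    problems = []
    if st.st_uid != owner_uid:
        problems.append((path, f"owned by uid {st.st_uid}, expected {owner_uid}"))
    mode = stat.S_IMODE(st.st_mode)
    if mode != required_mode:
        problems.append((path, f"mode {mode:04o}, expected {required_mode:04o}"))
    try:
        with open(path) as fh:
            lines = fh.read().splitlines()
    except OSError:
        return problems + [(path, "missing or unreadable")]
    for line in lines:
        m = INCLUDE_RE.match(line.strip())
        if not m:
            continue
        target = m.group(1)
        if not os.path.isabs(target):
            # Relative includes are looked up beside the including file.
            target = os.path.join(os.path.dirname(path), target)
        problems += audit_sudoers(target, owner_uid, required_mode, _stack + (real,))
    return problems

if __name__ == "__main__":
    for name, problem in audit_sudoers("/etc/sudoers"):
        print(f"{name}: {problem}")
```

This checks file metadata only; syntax still has to be validated with visudo before a fragment goes live.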




