[sudo-users] include hostname in file
Russell Van Tassell
russell+sudo-users at loosenut.com
Tue Jan 20 21:29:48 EST 2009
On Tue, Jan 20, 2009 at 08:47:34PM -0500, Vahid Moghaddasi wrote:
> Hi all,
> I am trying to include a sudoers file which contains the local
> hostname. For example:
> #include /etc/%h.sudoers
> Of course the above directive does not work but you get the idea.
> I need to do this so that I can have one master file plus one server-specific file as well.
> Is there a way to do this?
> Thanks,
Why don't you just integrate the hostnames into the configuration in a
meaningful way? Sudo already has syntax provisions for exactly that...
Here's one semi-basic example... apologies for the length -- I just
swiped it from an old template from a while back.
-- begin
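#
# sudoers file.
#
# Template for a single site-wide sudoers file: host-specific behaviour is
# expressed with Host_Alias entries and "Defaults at HOST" lines rather than
# with per-host include files.  Edit with visudo so the syntax is checked
# before the file is installed.
# NOTE(review): newer sudo releases document a %h escape in #include paths
# for per-host files; confirm against the sudoers(5) of the installed version
# before relying on it.
#
#-----------------------------------------------------------------------
# Host alias specification
#
# Network ranges in address/netmask form; used below for host-scoped
# Defaults and for the WEBMASTER privilege line.
Host_Alias RFC1918_10_8 = 10.0.0.0/255.0.0.0
Host_Alias RFC1918_172_12 = 172.16.0.0/255.240.0.0
Host_Alias RFC1918_192_16 = 192.168.0.0/255.255.0.0
#
#-----------------------------------------------------------------------
# User alias specification
#
User_Alias ROOT = admin
# A leading % names a Unix group rather than a user.
User_Alias WEBMASTER = %www
User_Alias ADMIN = user1, user2
#
#-----------------------------------------------------------------------
# Cmnd alias specification
#
# Things we can use to get new shells
Cmnd_Alias SU = /usr/bin/su, /sbin/su
Cmnd_Alias SHELLS = /bin/sh, /usr/bin/sh, /sbin/sh, \
/bin/csh, /usr/bin/csh, \
/bin/jsh, /usr/bin/jsh, /sbin/jsh, \
/bin/ksh, /usr/bin/ksh
# Remote/removeable file systems...
Cmnd_Alias MOUNT = /sbin/mount, /usr/sbin/mount
Cmnd_Alias UMOUNT = /sbin/umount, /usr/sbin/umount
Cmnd_Alias DISKS = MOUNT, UMOUNT
# Filesystem Permissions
# NOTE: cp/mv/ln/chmod/chown run as root are effectively unrestricted root
# access (they can rewrite or re-own any file), so granting FILE_OPS is not
# meaningfully narrower than granting ALL.
Cmnd_Alias CHGRP = /usr/bin/chgrp
Cmnd_Alias CHMOD = /usr/bin/chmod
Cmnd_Alias CHOWN = /usr/bin/chown
Cmnd_Alias CP = /usr/bin/cp
Cmnd_Alias GZIP = /usr/local/bin/gzip, /usr/local/bin/gunzip
Cmnd_Alias LN = /usr/bin/ln
Cmnd_Alias MV = /usr/bin/mv
Cmnd_Alias RM = /usr/bin/rm
Cmnd_Alias FILE_OPS = CHGRP, CHMOD, CHOWN, CP, LN, MV, RM, GZIP
# Process commands
Cmnd_Alias PSTACK = /usr/proc/bin/pstack
Cmnd_Alias KILL = /usr/bin/kill
Cmnd_Alias PS_OPS = PSTACK, KILL
# Traffic sniffing
Cmnd_Alias SNOOP = /usr/sbin/snoop
Cmnd_Alias TCPDUMP = /usr/local/sbin/tcpdump
Cmnd_Alias SNIFF = SNOOP, TCPDUMP
# Web server commands
# Wildcards match any init script whose name starts with apache/httpd; no
# argument list is given, so any arguments are accepted.
Cmnd_Alias HTTPD_INIT = /etc/init.d/apache*, /etc/init.d/httpd*
#
#-----------------------------------------------------------------------
# Defaults Specification
#
# Flags
Defaults mail_always
Defaults tty_tickets
Defaults log_host
Defaults log_year
Defaults !shell_noargs
Defaults fqdn # Requires DNS and may break because of it
Defaults insults
# Integers
Defaults passwd_tries=3
# timestamp_timeout and passwd_timeout are in minutes
Defaults timestamp_timeout=5
Defaults passwd_timeout=5
Defaults umask=0022
# Strings
# %h expands to the local hostname in mailsub.  "Defaults at HOST" applies a
# setting only on hosts matching the alias -- this is how per-host
# differences are kept in one file.
Defaults mailsub="*** SECURITY info on %h ***"
Defaults at RFC1918_10_8 mailsub="*** SECURITY info on 10.0.0.0/8-%h ***"
Defaults at RFC1918_172_12 mailsub="*** SECURITY info on 172.16.0.0/12-%h ***"
Defaults at RFC1918_192_16 mailsub="*** SECURITY info on 192.168.0.0/16-%h ***"
# NOTE(review): /tmp is world-writable; sudo checks the ownership and mode
# of the timestamp directory itself, but a location under a directory that
# other users cannot write to (sudo's build-time default) is the safer
# choice -- confirm the reason for this override before keeping it.
Defaults timestampdir=/tmp/.odus
Defaults timestampowner=root
Defaults runas_default=root
Defaults syslog_goodpri=notice
Defaults syslog_badpri=alert
# *** This really needs to be changed to a "secure" editor ***
Defaults editor=/usr/bin/vi
# Strings that can act in boolean context...
# Placeholder address -- replace mydomain.com with the real mail domain.
Defaults mailto="root@mydomain.com"
Defaults mailerflags="-o db -t"
Defaults verifypw=all
Defaults listpw=any
#
#-----------------------------------------------------------------------
# User privilege specification
#
ROOT ALL = (ALL) ALL
# The !SHELLS and !SU exclusions add nothing here: the line grants only the
# listed aliases (no ALL), so shells and su are already not permitted.
# sudoers(5) also notes that excluding commands with "!" is generally not
# effective as a security control; see the FILE_OPS note above.
ADMIN ALL = (ALL) !SHELLS, !SU, FILE_OPS, PS_OPS, DISKS, SNIFF
WEBMASTER RFC1918_192_16 = (ALL) HTTPD_INIT
#
#-----------------------------------------------------------------------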
-- end
--
Russell M. Van Tassell
russell at loosenut.com
"Just cause you got the monkey off your back doesn't mean the circus has
left town." -- George Carlin