[sudo-users] include hostname in file

Vahid Moghaddasi vahid.moghaddasi at gmail.com
Wed Jan 21 09:57:47 EST 2009


Thanks Russell for the reply. I added line numbers to your post; could
you please let me know which line(s) would be similar to what I have
in mind?
Just some background: we have thousands of servers with a sudoers list,
but some SAs have changed the local sudoers file, hence it cannot be
synchronized.
I would want the SA to put any change into a separate file, e.g.
/etc/`hostname`.sudoers
and include it from the /etc/sudoers file so we can have one
/etc/sudoers file across the servers.
Thanks again.

     1  -- begin
     2  #
     3  # sudoers file.
     4  #
     5  #-----------------------------------------------------------------------
     6  # Host alias specification
     7  #
     8
     9  Host_Alias      RFC1918_10_8   = 10.0.0.0/255.0.0.0
    10  Host_Alias      RFC1918_172_12 = 172.16.0.0/255.240.0.0
    11  Host_Alias      RFC1918_192_16 = 192.168.0.0/255.255.0.0
    12
    13  #
    14  #-----------------------------------------------------------------------
    15  # User alias specification
    16  #
    17
    18  User_Alias      ROOT      = admin
    19  User_Alias      WEBMASTER = %www
    20  User_Alias      ADMIN     = user1, user2
    21
    22  #
    23  #-----------------------------------------------------------------------
    24  # Cmnd alias specification
    25  #
    26
    27  # Things we can use to get new shells
    28  Cmnd_Alias SU         = /usr/bin/su, /sbin/su
    29  Cmnd_Alias SHELLS     = /bin/sh,  /usr/bin/sh,  /sbin/sh, \
    30                         /bin/csh, /usr/bin/csh, \
    31                         /bin/jsh, /usr/bin/jsh, /sbin/jsh, \
    32                         /bin/ksh, /usr/bin/ksh
    33
    34  # Remote/removeable file systems...
    35  Cmnd_Alias MOUNT      = /sbin/mount, /usr/sbin/mount
    36  Cmnd_Alias UMOUNT     = /sbin/umount, /usr/sbin/umount
    37  Cmnd_Alias DISKS      = MOUNT, UMOUNT
    38
    39  # Filesystem Permissions
    40  Cmnd_Alias CHGRP      = /usr/bin/chgrp
    41  Cmnd_Alias CHMOD      = /usr/bin/chmod
    42  Cmnd_Alias CHOWN      = /usr/bin/chown
    43  Cmnd_Alias CP         = /usr/bin/cp
    44  Cmnd_Alias GZIP       = /usr/local/bin/gzip, /usr/local/bin/gunzip
    45  Cmnd_Alias LN         = /usr/bin/ln
    46  Cmnd_Alias MV         = /usr/bin/mv
    47  Cmnd_Alias RM         = /usr/bin/rm
    48  Cmnd_Alias FILE_OPS   = CHGRP, CHMOD, CHOWN, CP, LN, MV, RM, GZIP
    49
    50  # Process commands
    51  Cmnd_Alias PSTACK     = /usr/proc/bin/pstack
    52  Cmnd_Alias KILL       = /usr/bin/kill
    53  Cmnd_Alias PS_OPS     = PSTACK, KILL
    54
    55  # Traffic sniffing
    56  Cmnd_Alias SNOOP      = /usr/sbin/snoop
    57  Cmnd_Alias TCPDUMP    = /usr/local/sbin/tcpdump
    58  Cmnd_Alias SNIFF      = SNOOP, TCPDUMP
    59
    60  # Web server commands
    61  Cmnd_Alias HTTPD_INIT = /etc/init.d/apache*, /etc/init.d/httpd*
    62
    63  #
    64  #-----------------------------------------------------------------------
    65  # Defaults Specification
    66  #
    67
    68  # Flags
    69  Defaults           mail_always
    70  Defaults           tty_tickets
    71  Defaults           log_host
    72  Defaults           log_year
    73  Defaults          !shell_noargs
    74  Defaults           fqdn            # Requires DNS and may break because of it
    75  Defaults           insults
    76
    77  # Integers
    78  Defaults           passwd_tries=3
    79  Defaults           timestamp_timeout=5
    80  Defaults           passwd_timeout=5
    81  Defaults           umask=0022
    82
    83  # Strings
    84  Defaults                mailsub="*** SECURITY info on %h ***"
    85  Defaults@RFC1918_10_8   mailsub="*** SECURITY info on 10.0.0.0/8-%h ***"
    86  Defaults@RFC1918_172_12 mailsub="*** SECURITY info on 172.16.0.0/12-%h ***"
    87  Defaults@RFC1918_192_16 mailsub="*** SECURITY info on 192.168.0.0/16-%h ***"
    88
    89  Defaults           timestampdir=/tmp/.odus
    90  Defaults           timestampowner=root
    91  Defaults           runas_default=root
    92  Defaults           syslog_goodpri=notice
    93  Defaults           syslog_badpri=alert
    94
    95  # *** This really needs to be changed to a "secure" editor ***
    96  Defaults           editor=/usr/bin/vi
    97
    98  # Strings that can act in boolean context...
    99  Defaults           mailto="root@mydomain.com"
   100  Defaults           mailerflags="-o db -t"
   101  Defaults           verifypw=all
   102  Defaults           listpw=any
   103
   104  #
   105  #-----------------------------------------------------------------------
   106  # User privilege specification
   107  #
   108
   109  ROOT      ALL = (ALL) ALL
   110  ADMIN     ALL = (ALL) !SHELLS, !SU, FILE_OPS, PS_OPS, DISKS, SNIFF
   111
   112  WEBMASTER RFC1918_192_16 = (ALL) HTTPD_INIT
   113
   114  #
   115  #-----------------------------------------------------------------------
   116  -- end


On Tue, Jan 20, 2009 at 9:29 PM, Russell Van Tassell
<russell+sudo-users at loosenut.com> wrote:
> Why don't you just integrate the hostnames into the configuration in a
> meaningful way?  Sudo already has syntax provisions for exactly that...
>
> Here's one semi-basic example...  apologies for the length -- I just
> swiped it from an old template from a while back.
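To see which lines of the quoted template are host-scoped (the Host_Alias entries, the Defaults@ lines and the WEBMASTER rule) and would take effect on a given server, here is an added example that is not from this thread or from sudo itself: it resolves a constructed excerpt of the template against a host's name and address, with the archive's " at " restored to sudo's "@" syntax. It also accepts comma-separated host lists, which the template does not use, and treats negated hosts and netgroups as out of scope.

```python
import ipaddress
import re
# Constructed excerpt of the quoted template (archive's " at " restored to "@").
SUDOERS = """\
Host_Alias      RFC1918_10_8   = 10.0.0.0/255.0.0.0
Host_Alias      RFC1918_172_12 = 172.16.0.0/255.240.0.0
Host_Alias      RFC1918_192_16 = 192.168.0.0/255.255.0.0
Defaults                mailsub="*** SECURITY info on %h ***"
Defaults@RFC1918_10_8   mailsub="*** SECURITY info on 10.0.0.0/8-%h ***"
Defaults@RFC1918_192_16 mailsub="*** SECURITY info on 192.168.0.0/16-%h ***"
ROOT      ALL = (ALL) ALL
WEBMASTER RFC1918_192_16 = (ALL) HTTPD_INIT
"""

def parse_host_aliases(text):
    """Map each Host_Alias name to its networks; addr/netmask form is accepted."""
    aliases = {}
    for line in text.splitlines():
        m = re.match(r"Host_Alias\s+(\w+)\s*=\s*(.+)", line)
        if m:
            aliases[m.group(1)] = [ipaddress.ip_network(n.strip(), strict=False)
                                   for n in m.group(2).split(",")]
    return aliases

def host_matches(spec, hostname, ip, aliases):
    """ALL matches everywhere; an alias matches by network; else literal hostname."""
    if spec == "ALL":
        return True
    if spec in aliases:
        return any(ipaddress.ip_address(ip) in net for net in aliases[spec])
    return spec == hostname

def applicable_lines(text, hostname, ip):
    # Returns the Defaults and user-spec lines that apply on the given host.
    aliases = parse_host_aliases(text)
    hits = []
    for line in (l.strip() for l in text.splitlines()):
        if not line or line.startswith("#") or line.split()[0].endswith("_Alias"):
            continue
        scoped = re.match(r"Defaults@(\w+)\s", line)
        if scoped:                          # host-scoped Defaults
            ok = host_matches(scoped.group(1), hostname, ip, aliases)
        elif line.startswith("Defaults"):   # unscoped Defaults apply everywhere
            ok = True
        else:                               # user  host_list = (runas) commands
            spec = re.match(r"\S+\s+([^=]+?)\s*=", line)
            ok = bool(spec) and any(host_matches(h.strip(), hostname, ip, aliases)
                                    for h in spec.group(1).split(","))
        if ok:
            hits.append(line)
    return hits
```

Running applicable_lines(SUDOERS, "web01", "192.168.1.5") lists the global mailsub, the 192.168.0.0/16 mailsub, the ROOT rule and the WEBMASTER rule; a 10.0.0.0/8 host gets its own mailsub and the ROOT rule only.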