[sudo-users] include hostname in file
Vahid Moghaddasi
vahid.moghaddasi at gmail.com
Wed Jan 21 09:57:47 EST 2009
Thanks, Russell, for the reply. I added line numbers to your post; could
you please let me know which line(s) would be similar to what I have
in mind?
Just some background: we have thousands of servers with a sudoers list,
but some SAs have changed the local sudoers file, hence it cannot be
synchronized.
I would want the SA to include any change in a separate file, e.g.
/etc/`hostname`.sudoers
and include it from the /etc/sudoers file so we can have one
/etc/sudoers file across the servers.
Thanks again.
1 -- begin
2 #
3 # sudoers file.
4 #
5 #-----------------------------------------------------------------------
6 # Host alias specification
7 #
8
9 Host_Alias RFC1918_10_8 = 10.0.0.0/255.0.0.0
10 Host_Alias RFC1918_172_12 = 172.16.0.0/255.240.0.0
11 Host_Alias RFC1918_192_16 = 192.168.0.0/255.255.0.0
12
13 #
14 #-----------------------------------------------------------------------
15 # User alias specification
16 #
17
18 User_Alias ROOT = admin
19 User_Alias WEBMASTER = %www
20 User_Alias ADMIN = user1, user2
21
22 #
23 #-----------------------------------------------------------------------
24 # Cmnd alias specification
25 #
26
27 # Things we can use to get new shells
28 Cmnd_Alias SU = /usr/bin/su, /sbin/su
29 Cmnd_Alias SHELLS = /bin/sh, /usr/bin/sh, /sbin/sh, \
30 /bin/csh, /usr/bin/csh, \
31 /bin/jsh, /usr/bin/jsh, /sbin/jsh, \
32 /bin/ksh, /usr/bin/ksh
33
34 # Remote/removable file systems...
35 Cmnd_Alias MOUNT = /sbin/mount, /usr/sbin/mount
36 Cmnd_Alias UMOUNT = /sbin/umount, /usr/sbin/umount
37 Cmnd_Alias DISKS = MOUNT, UMOUNT
38
39 # Filesystem Permissions
40 Cmnd_Alias CHGRP = /usr/bin/chgrp
41 Cmnd_Alias CHMOD = /usr/bin/chmod
42 Cmnd_Alias CHOWN = /usr/bin/chown
43 Cmnd_Alias CP = /usr/bin/cp
44 Cmnd_Alias GZIP = /usr/local/bin/gzip, /usr/local/bin/gunzip
45 Cmnd_Alias LN = /usr/bin/ln
46 Cmnd_Alias MV = /usr/bin/mv
47 Cmnd_Alias RM = /usr/bin/rm
48 Cmnd_Alias FILE_OPS = CHGRP, CHMOD, CHOWN, CP, LN, MV, RM, GZIP
49
50 # Process commands
51 Cmnd_Alias PSTACK = /usr/proc/bin/pstack
52 Cmnd_Alias KILL = /usr/bin/kill
53 Cmnd_Alias PS_OPS = PSTACK, KILL
54
55 # Traffic sniffing
56 Cmnd_Alias SNOOP = /usr/sbin/snoop
57 Cmnd_Alias TCPDUMP = /usr/local/sbin/tcpdump
58 Cmnd_Alias SNIFF = SNOOP, TCPDUMP
59
60 # Web server commands
61 Cmnd_Alias HTTPD_INIT = /etc/init.d/apache*, /etc/init.d/httpd*
62
63 #
64 #-----------------------------------------------------------------------
65 # Defaults Specification
66 #
67
68 # Flags
69 Defaults mail_always
70 Defaults tty_tickets
71 Defaults log_host
72 Defaults log_year
73 Defaults !shell_noargs
74 Defaults fqdn # Requires DNS and may break because of it
75 Defaults insults
76
77 # Integers
78 Defaults passwd_tries=3
79 Defaults timestamp_timeout=5
80 Defaults passwd_timeout=5
81 Defaults umask=0022
82
83 # Strings
84 Defaults mailsub="*** SECURITY info on %h ***"
85 Defaults@RFC1918_10_8 mailsub="*** SECURITY info on 10.0.0.0/8-%h ***"
86 Defaults@RFC1918_172_12 mailsub="*** SECURITY info on 172.16.0.0/12-%h ***"
87 Defaults@RFC1918_192_16 mailsub="*** SECURITY info on 192.168.0.0/16-%h ***"
88
89 Defaults timestampdir=/tmp/.odus
90 Defaults timestampowner=root
91 Defaults runas_default=root
92 Defaults syslog_goodpri=notice
93 Defaults syslog_badpri=alert
94
95 # *** This really needs to be changed to a "secure" editor ***
96 Defaults editor=/usr/bin/vi
97
98 # Strings that can act in boolean context...
99 Defaults mailto="root@mydomain.com"
100 Defaults mailerflags="-o db -t"
101 Defaults verifypw=all
102 Defaults listpw=any
103
104 #
105 #-----------------------------------------------------------------------
106 # User privilege specification
107 #
108
109 ROOT ALL = (ALL) ALL
110 ADMIN ALL = (ALL) !SHELLS, !SU, FILE_OPS, PS_OPS, DISKS, SNIFF
111
112 WEBMASTER RFC1918_192_16 = (ALL) HTTPD_INIT
113
114 #
115 #-----------------------------------------------------------------------
116 -- end
On Tue, Jan 20, 2009 at 9:29 PM, Russell Van Tassell
<russell+sudo-users at loosenut.com> wrote:
>
> Why don't you just integrate the hostnames in to the configuration in a
> meaningful way? Sudo already has syntax provisions for exactly that...
>
> Here's one semi-basic example... apologies for the length -- I just
> swiped it from an old template from a while back.
>
>
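The host-scoped approach in the quoted template (one Host_Alias per network, then user specifications that name the alias instead of ALL) can be checked mechanically before a file is pushed to thousands of servers. The script below is an added example, not code from either poster or from the sudo project. It parses a constructed, cut-down copy of the template (the DMZ alias nesting another alias and naming a host, the dmzweb01 hostname, the negated `ADMIN !RFC1918_10_8` line and the second WEBMASTER line are additions made for this example), resolves Host_Alias entries written in netmask or CIDR form with the standard ipaddress module, and lists which user-specification lines would apply on a given host. It handles only single-token user and host fields and skips Defaults and `#include` lines; `visudo -c -f FILE` remains the authoritative syntax check.

```python
import ipaddress
import re

# Constructed sample input: a cut-down copy of the template quoted in this
# thread. The DMZ alias, the dmzweb01 hostname, the negated ADMIN line and
# the second WEBMASTER line are additions for this example. A raw string
# keeps the backslash continuation on the Cmnd_Alias line intact.
SAMPLE_SUDOERS = r"""
# Host alias specification
Host_Alias RFC1918_10_8 = 10.0.0.0/255.0.0.0
Host_Alias RFC1918_172_12 = 172.16.0.0/255.240.0.0
Host_Alias RFC1918_192_16 = 192.168.0.0/255.255.0.0
Host_Alias DMZ = RFC1918_172_12, dmzweb01

User_Alias ROOT = admin
User_Alias WEBMASTER = %www
User_Alias ADMIN = user1, user2

Cmnd_Alias HTTPD_INIT = /etc/init.d/apache*, \
                        /etc/init.d/httpd*

Defaults passwd_tries=3

ROOT ALL = (ALL) ALL
ADMIN ALL = (ALL) !SHELLS, !SU, FILE_OPS, PS_OPS, DISKS
ADMIN !RFC1918_10_8 = (ALL) SNIFF
WEBMASTER RFC1918_192_16 = (ALL) HTTPD_INIT
WEBMASTER DMZ = (ALL) HTTPD_INIT
"""

ALIAS_RE = re.compile(r"^(Host_Alias|User_Alias|Cmnd_Alias)\s+(\w+)\s*=\s*(.+)$")
# User specification: <user or alias> <host or alias> = <runas/commands>.
# Single-token user and host fields only; real sudoers lines may carry lists.
SPEC_RE = re.compile(r"^(\S+)\s+(\S+)\s*=\s*(.+)$")


def logical_lines(text):
    """Join backslash-continued lines, drop blanks and comment lines."""
    out, pending = [], ""
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.endswith("\\"):
            pending += line[:-1] + " "
            continue
        line = (pending + line).strip()
        pending = ""
        if line and not line.startswith("#"):  # also skips #include directives
            out.append(line)
    return out


def parse_sudoers(text):
    """Return ({kind: {name: [members]}}, [{"user", "host", "rule"}, ...])."""
    aliases = {"Host_Alias": {}, "User_Alias": {}, "Cmnd_Alias": {}}
    specs = []
    for line in logical_lines(text):
        if line.startswith("Defaults"):
            continue  # Defaults lines carry no host scope of interest here
        m = ALIAS_RE.match(line)
        if m:
            kind, name, members = m.groups()
            aliases[kind][name] = [x.strip() for x in members.split(",")]
            continue
        m = SPEC_RE.match(line)
        if m:
            user, host, rule = m.groups()
            specs.append({"user": user, "host": host, "rule": rule})
    return aliases, specs


def expand_host_alias(name, host_aliases, seen=()):
    """Flatten a Host_Alias, following nested aliases, into its leaf entries."""
    if name in seen:
        raise ValueError(f"cyclic Host_Alias definition: {name}")
    entries = []
    for member in host_aliases[name]:
        if member in host_aliases:
            entries.extend(expand_host_alias(member, host_aliases, seen + (name,)))
        else:
            entries.append(member)
    return entries


def _entry_matches(entry, ip, hostname):
    """A leaf entry is an address/network (netmask or CIDR form) or a hostname."""
    try:
        return ip in ipaddress.ip_network(entry, strict=False)
    except ValueError:  # not an address, so compare it as a short hostname
        return hostname is not None and entry.lower() == hostname.lower()


def host_matches(host_field, host_aliases, ip, hostname=None):
    """Does the host field of a user specification cover this machine?"""
    negated = host_field.startswith("!")
    field = host_field.lstrip("!")
    if field == "ALL":
        hit = True
    else:
        entries = expand_host_alias(field, host_aliases) if field in host_aliases else [field]
        hit = any(_entry_matches(e, ip, hostname) for e in entries)
    return hit != negated


def rules_for_host(text, host_ip, hostname=None):
    """User-specification entries that apply on the host with this address/name."""
    aliases, specs = parse_sudoers(text)
    ip = ipaddress.ip_address(host_ip)
    return [s for s in specs if host_matches(s["host"], aliases["Host_Alias"], ip, hostname)]


if __name__ == "__main__":
    for ip, name in (("192.168.5.7", "web01"), ("10.1.2.3", "dmzweb01"), ("172.20.1.1", None)):
        print(f"{ip} ({name}):")
        for s in rules_for_host(SAMPLE_SUDOERS, ip, name):
            print(f"  {s['user']} {s['host']} = {s['rule']}")
```

Run against the sample, a host at 10.1.2.3 named dmzweb01 gets the WEBMASTER rule through the DMZ alias's hostname member but loses the SNIFF rule through the `!RFC1918_10_8` negation, while a 172.20.1.1 host gets both. For the per-host file the original poster describes, sudo's `#include` directive expands `%h` to the short hostname (`#include /etc/sudoers.%h`), so one shared /etc/sudoers can pull in a host-specific file without any server-specific edit to the shared file.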