[sudo-users] sudo + ldap + high cpu and recursive group member searching.

Todd C. Miller Todd.Miller at courtesan.com
Thu Jan 21 08:04:49 EST 2010


You don't specify what version of sudo you are running but I'll
explain what the current version of sudo (1.7.2p2) does; older
versions are similar.

Sudo performs a query for all sudoRole entries that match the user,
one of the user's groups or ALL.  It may also query sudoRole entries
that have a netgroup in them.  It then iterates over the answers
and matches based on hostname, runas user, and command.

It is not possible to just return entries with a specific command
since sudo has very flexible matching rules.  The host may be
specified by name, by ip address, by network/netmask, by netgroup
or ALL.  The runas user can be specified by user name, user id,
Unix group, netmask, or ALL.  Command matching is done based on the
device and inode of the file on disk, also there may be wildcard
matching.

 - todd

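As an added illustration of the two-stage lookup described in the reply above (example code, not sudo's own): a constructed set of sudoRole entries, the first-pass LDAP filter built from the user, the user's groups, ALL and any netgroups, and the per-entry matching on host, runas user and command that sudo does client-side. Entry names, hosts and netgroups are made up, and the device/inode command comparison is replaced by a path comparison with wildcards.

```python
import fnmatch
import ipaddress

# Constructed sudoRole entries standing in for LDAP search results (not a real directory).
ROLES = [
    {"cn": "wheel-all", "sudoUser": ["%wheel"], "sudoHost": ["ALL"],
     "sudoRunAsUser": ["ALL"], "sudoCommand": ["ALL"]},
    {"cn": "web-restart", "sudoUser": ["alice"], "sudoHost": ["10.0.0.0/24"],
     "sudoRunAsUser": ["www"], "sudoCommand": ["/bin/systemctl restart httpd"]},
    {"cn": "backup-ng", "sudoUser": ["+backupadm"], "sudoHost": ["backup01"],
     "sudoRunAsUser": ["#0"], "sudoCommand": ["/usr/bin/rsync *"]},
]

def ldap_filter(user, groups, netgroups):
    """First-pass filter in the shape the reply describes: user, each group, ALL, netgroups."""
    terms = [f"(sudoUser={user})"] + [f"(sudoUser=%{g})" for g in groups]
    terms += ["(sudoUser=ALL)"] + [f"(sudoUser=+{n})" for n in netgroups]
    return "(|" + "".join(terms) + ")"

def user_matches(spec, user, groups, netgroups):
    if spec == "ALL" or spec == user:
        return True
    if spec.startswith("%"):           # Unix group
        return spec[1:] in groups
    if spec.startswith("+"):           # netgroup
        return spec[1:] in netgroups
    return False

def host_matches(spec, hostname, host_ip):
    if spec == "ALL" or spec == hostname:
        return True
    try:                               # ip address or network/netmask
        return ipaddress.ip_address(host_ip) in ipaddress.ip_network(spec, strict=False)
    except ValueError:
        return False

def runas_matches(spec, runas_user, runas_uid):
    if spec == "ALL" or spec == runas_user:
        return True
    return spec.startswith("#") and spec[1:] == str(runas_uid)   # "#uid" form

def command_matches(spec, command):
    # Real sudo compares device and inode of the file on disk; this stand-in compares paths.
    return spec == "ALL" or fnmatch.fnmatch(command, spec)

def matching_roles(roles, user, groups, netgroups, hostname, host_ip, runas_user, runas_uid, command):
    """Iterate over the returned entries and keep those matching host, runas user and command."""
    return [r["cn"] for r in roles
            if any(user_matches(s, user, groups, netgroups) for s in r["sudoUser"])
            and any(host_matches(s, hostname, host_ip) for s in r["sudoHost"])
            and any(runas_matches(s, runas_user, runas_uid) for s in r["sudoRunAsUser"])
            and any(command_matches(s, command) for s in r["sudoCommand"])]
```

The filter alone shows why the directory cannot pre-select on command: every entry for the user, the user's groups or ALL comes back and is only narrowed once sudo inspects it locally.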

