[sudo-users] sudo + ldap + high cpu and recursive group member searching.

JR Aquino JR.Aquino at citrixonline.com
Thu Jan 21 08:17:24 EST 2010

I understand that ldap doesn't return values in alpha order, but is it  
really expected for sudo to iterate over all of the users in my group  
after it has found me?

Isn't there a way to have it stop on me?

Again, I am seeing the previously mentioned attributes being  
requested... Member being one of them

On Jan 21, 2010, at 5:04 AM, "Todd C. Miller"  
<Todd.Miller at courtesan.com> wrote:

> You don't specify what version of sudo you are running but I'll
> explain what the current version of sudo (1.7.2p2) does; older
> versions are similar.
> Sudo performs a query for all sudoRole entries that match the user,
> one of the user's groups or ALL.  It may also query sudoRoles entries
> that have a netgroup in them.  It then iterates over the answers
> and matches based on hostname, runas user, and command.
> It is not possible to just return entries with a specific command
> since sudo has very flexible matching rules.  The host may be
> specified by name, by ip address, by network/netmask, by netgroup
> or ALL.  The runas user can be specified by user name, user id,
> Unix group, netmask, or ALL.  Command matching is done based on the
> device and inode of the file on disk, also there may be wildcard
> matching.
> - todd

More information about the sudo-users mailing list