[sudo-users] sudo + ldap + high cpu and recursive group member searching.

JR Aquino JR.Aquino at citrixonline.com
Thu Jan 21 08:17:24 EST 2010


I understand that ldap doesn't return values in alpha order, but is it really expected for sudo to iterate over all of the users in my group after it has found me?

Isn't there a way to have it stop on me?

Again, I am seeing the previously mentioned attributes being requested... Member being one of them



On Jan 21, 2010, at 5:04 AM, "Todd C. Miller" <Todd.Miller at courtesan.com> wrote:

> You don't specify what version of sudo you are running but I'll
> explain what the current version of sudo (1.7.2p2) does; older
> versions are similar.
>
> Sudo performs a query for all sudoRole entries that match the user,
> one of the user's groups or ALL.  It may also query sudoRoles entries
> that have a netgroup in them.  It then iterates over the answers
> and matches based on hostname, runas user, and command.
>
> It is not possible to just return entries with a specific command
> since sudo has very flexible matching rules.  The host may be
> specified by name, by ip address, by network/netmask, by netgroup
> or ALL.  The runas user can be specified by user name, user id,
> Unix group, netmask, or ALL.  Command matching is done based on the
> device and inode of the file on disk, also there may be wildcard
> matching.
>
> - todd
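To make the two-pass behaviour Todd describes concrete, here is an added example that is not sudo's code: the filter shape follows the sudoUser conventions documented for sudoers.ldap (user, %group, +netgroup, ALL), while the host matcher is a simplified stand-in for sudo's own and the role entries are constructed. It shows why the server-side query can only narrow on sudoUser and the host check has to run on the client.

```python
import ipaddress
from typing import Iterable, List, Dict

def sudo_user_filter(user: str, groups: Iterable[str],
                     netgroups: Iterable[str] = ()) -> str:
    """First pass: LDAP filter for sudoRole entries naming the user, one of
    the user's groups (%group), a netgroup (+netgroup) or ALL.
    Simplification: values are not RFC 4515 escaped."""
    terms = [f"(sudoUser={user})"]
    terms += [f"(sudoUser=%{g})" for g in groups]
    terms += [f"(sudoUser=+{n})" for n in netgroups]
    terms.append("(sudoUser=ALL)")
    return f"(&(objectClass=sudoRole)(|{''.join(terms)}))"

def host_matches(sudo_host: str, hostname: str, host_ip: str) -> bool:
    """Second pass, client side: a sudoHost value may be ALL, a host name,
    an address, or network/netmask, so the directory cannot evaluate it.
    Netgroup hosts (+name) are out of scope for this simplified matcher."""
    if sudo_host == "ALL":
        return True
    if sudo_host.lower() == hostname.lower():
        return True
    try:
        # accepts "10.0.0.5", "10.0.0.0/24" and "10.0.0.0/255.255.255.0"
        net = ipaddress.ip_network(sudo_host, strict=False)
    except ValueError:
        return False  # a host name that is not ours
    return ipaddress.ip_address(host_ip) in net

def applicable_roles(entries: List[Dict], hostname: str, host_ip: str) -> List[str]:
    """Keep only the returned roles whose sudoHost matches this machine."""
    return [e["cn"] for e in entries
            if any(host_matches(h, hostname, host_ip) for h in e["sudoHost"])]

# Constructed sample of what the first-pass query might return for user "jr".
SAMPLE_ENTRIES = [
    {"cn": "admins-web", "sudoUser": ["%admins"], "sudoHost": ["web01", "web02"]},
    {"cn": "ops-lan", "sudoUser": ["ALL"], "sudoHost": ["10.0.0.0/255.255.255.0"]},
    {"cn": "dba", "sudoUser": ["%admins"], "sudoHost": ["db01"]},
]

if __name__ == "__main__":
    print(sudo_user_filter("jr", ["admins", "wheel"]))
    print(applicable_roles(SAMPLE_ENTRIES, "web01", "10.0.0.7"))
```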


