[sudo-users] Netgroups and host+user pairings

Mahlon E. Smith mahlon at martini.nu
Wed Mar 24 18:44:31 EDT 2010


Hi!

I'm transitioning a bunch of CFEngine-pushed sudoers files into LDAP.
Very exciting!

Among this aged, organically grown pile of sudo spaghetti (spaghetto?
sughetti?) is a bunch of "this user has root on their own machine" style
rules, which will (unfortunately) be carried over.

We're using netgroups (via LDAP) extensively, for nearly everything host
related in this environment.  What I'd really like to do is have a one
to one mapping of:

    (mahlon-workstation.example.com,mahlon,)
    (bob-workstation.example.com,bob,)
    (...)

in a single netgroup -- let's call it 'local_sudo'.


Then, a single sudoRole LDAP entry that specifies:

    +local_sudo +local_sudo = (root) ALL   (or whatever)


Of course, this says any user in that netgroup can gain root on any
machine in that netgroup.  Whoops.

I saw a similar thread on this list about this, circa 2003.  I don't
see anything in the documentation for a different syntax to "pivot" the
meaning of the netgroup from a matrix, to a one-to-one match.

I obviously can create separate sudoRole entries for each host->user
relationship -- just trying to simplify.

Is such a thing possible in sudo nowadays?  From a netgroup perspective,
it seems like a useful way to do this -- using netgroups for login
roles, for example, would behave in the 'one-to-one' fashion.

--
Mahlon E. Smith  
http://www.martini.nu/contact.html
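The over-grant the post describes can be made concrete by modelling how sudoers evaluates a netgroup: `+local_sudo` in the User_List matches any user field in the netgroup and `+local_sudo` in the Host_List matches any host field, independently, so the effective grant is the cross product rather than the per-triple pairing. The following Python is an added example and is not code from the original post or from the sudo project; the netgroup triples are constructed for the illustration, the LDAP base DN `ou=SUDOers,dc=example,dc=com` is an assumed placeholder, and the `pairwise_sudo_roles` helper only emits the separate per-host sudoRole entries the poster mentions as the fallback.

```python
"""Added example: compare sudo's netgroup matching (cross product) with the
one-to-one host/user pairing the poster wants, and emit per-pair sudoRole
entries as the workaround. All data here is constructed for illustration."""

import re

# Constructed netgroup in NIS/LDAP triple form: (host, user, domain).
LOCAL_SUDO = """
(mahlon-workstation.example.com,mahlon,)
(bob-workstation.example.com,bob,)
(alice-workstation.example.com,alice,)
"""

# Assumed LDAP container for sudoRole objects (placeholder, not from the post).
SUDOERS_BASE_DN = "ou=SUDOers,dc=example,dc=com"

TRIPLE_RE = re.compile(r"\(\s*([^,]*)\s*,\s*([^,]*)\s*,\s*([^)]*)\s*\)")


def parse_netgroup(text):
    """Return [(host, user, domain), ...]; empty fields become ''."""
    return [tuple(f.strip() for f in m.groups()) for m in TRIPLE_RE.finditer(text)]


def sudo_matrix_grants(triples):
    """What '+ng +ng = (root) ALL' actually grants: the host and user fields
    are matched independently, so every host pairs with every user."""
    hosts = {h for h, _, _ in triples if h}
    users = {u for _, u, _ in triples if u}
    return {(h, u) for h in hosts for u in users}


def pairwise_grants(triples):
    """What the poster intended: only (host, user) pairs from the same triple."""
    return {(h, u) for h, u, _ in triples if h and u}


def over_grants(triples):
    """(host, user) pairs the matrix reading grants but the pairing does not."""
    return sudo_matrix_grants(triples) - pairwise_grants(triples)


def is_allowed(triples, host, user, semantics="matrix"):
    """Would sudo permit `user` on `host` under the chosen semantics?"""
    grants = sudo_matrix_grants(triples) if semantics == "matrix" else pairwise_grants(triples)
    return (host, user) in grants


def pairwise_sudo_roles(triples):
    """Render one sudoRole LDIF entry per (host, user) pair: the explicit
    workaround that keeps the grant one-to-one. Attribute names follow the
    sudoers LDAP schema; the base DN is an assumed placeholder."""
    entries = []
    for host, user in sorted(pairwise_grants(triples)):
        cn = f"local_sudo_{user}"
        entries.append(
            "\n".join([
                f"dn: cn={cn},{SUDOERS_BASE_DN}",
                "objectClass: top",
                "objectClass: sudoRole",
                f"cn: {cn}",
                f"sudoUser: {user}",
                f"sudoHost: {host}",
                "sudoRunAsUser: root",
                "sudoCommand: ALL",
            ])
        )
    return "\n\n".join(entries) + "\n"


if __name__ == "__main__":
    ng = parse_netgroup(LOCAL_SUDO)
    print(f"matrix grants : {len(sudo_matrix_grants(ng))}")
    print(f"intended pairs: {len(pairwise_grants(ng))}")
    for host, user in sorted(over_grants(ng)):
        print(f"  unintended: {user} -> root on {host}")
    print(pairwise_sudo_roles(ng))
```

With three triples the matrix reading yields nine grants against the three intended ones, and `is_allowed(..., "bob-workstation.example.com", "mahlon")` is true under the single-rule form. Running the block prints the six unintended pairs and the per-pair LDIF that avoids them.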