[sudo-users] New SUDO Schema Expansion

JR Aquino JR.Aquino at citrix.com
Mon Jan 31 10:04:23 EST 2011


On Jan 31, 2011, at 6:37 AM, "Todd C. Miller" <Todd.Miller at courtesan.com> wrote:

> On Sun, 30 Jan 2011 21:42:43 EST, Dmitri Pal wrote:
> 
>> How you envision people to migrate from the current version to the one
>> that supports order attribute?
>> Having order attribute for a subset of entries during gradual slow
>> migration can lead to unpredictable results on the clients.
>> Do you expect people to reload their SUDO rules if they want to take
>> advantage of the feature so that all the entries get the order
>> attribute? But then it should be mandatory, right?
> 
> People who wish to take advantage of sudoOrder need to update their
> entries in LDAP.  Ordering is really only important when there are
> overlapping rules which is likely to only affect a subset of the
> rules.
> 
> - todd

Thanks Todd!

I suspect it's worth remembering that Sudo does not handle LDAP rules cumulatively.

That is to say, you still need to have a complete Sudo rule full of permits and denies, and the addition of sudoOrder does not change that. It only allows you to supersede 1 complete rule object for another rule object.

That is a lot different than having some allow rule objects and some deny rule objects which are all meant to overlap and provide granular controls via multiple rule objects.

Is this correct? 
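To make the distinction in this thread concrete, here is an added example (not from the sudo project and not part of this mail) that models the selection behaviour being discussed: among the sudoRole entries that match a user and host, the one with the highest sudoOrder is chosen as a whole, and an entry without sudoOrder is treated as 0 (both per the sudoers.ldap manual). The LDIF below is constructed for illustration, the DN suffix is a placeholder, and the within-entry command check is a deliberate simplification (any negated sudoCommand that matches denies; otherwise any positive match allows); it is not sudo's own code.

```python
"""Model of sudoOrder entry selection: one sudoRole wins as a unit.

Added example, not sudo's implementation. It shows why a deny in a
lower-ordered entry does not carry over into the winning entry, and
what happens during a partial migration when some entries lack sudoOrder.
"""
import re

# Constructed LDIF for the example; not from a real directory.
SAMPLE_LDIF = """\
dn: cn=admins,ou=SUDOers,dc=example,dc=com
objectClass: sudoRole
cn: admins
sudoUser: %wheel
sudoHost: ALL
sudoCommand: ALL
sudoCommand: !/sbin/reboot
sudoOrder: 10

dn: cn=ops,ou=SUDOers,dc=example,dc=com
objectClass: sudoRole
cn: ops
sudoUser: alice
sudoHost: web01
sudoCommand: /sbin/reboot
sudoOrder: 20

dn: cn=legacy,ou=SUDOers,dc=example,dc=com
objectClass: sudoRole
cn: legacy
sudoUser: alice
sudoHost: ALL
sudoCommand: /usr/bin/less
"""


def parse_ldif(text):
    """Parse simple one-line-per-attribute LDIF into a list of dicts."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        entry = {}
        for line in block.splitlines():
            key, _, value = line.partition(":")
            entry.setdefault(key.strip(), []).append(value.strip())
        entries.append(entry)
    return entries


def entry_matches(entry, user, groups, host):
    """True if the entry's sudoUser and sudoHost both cover this request."""
    user_ok = any(
        u == "ALL" or u == user or (u.startswith("%") and u[1:] in groups)
        for u in entry.get("sudoUser", [])
    )
    host_ok = any(h in ("ALL", host) for h in entry.get("sudoHost", []))
    return user_ok and host_ok


def sudo_order(entry):
    """sudoOrder as a number; a missing attribute counts as 0."""
    return float(entry.get("sudoOrder", ["0"])[0])


def select_entry(entries, user, groups, host):
    """Pick the single matching entry with the highest sudoOrder."""
    matching = [e for e in entries if entry_matches(e, user, groups, host)]
    return max(matching, key=sudo_order) if matching else None


def command_allowed(entry, command):
    """Simplified per-entry check: a matching negated spec denies,
    otherwise a matching positive spec (or ALL) allows."""
    allowed = False
    for spec in entry.get("sudoCommand", []):
        negated = spec.startswith("!")
        pattern = spec[1:] if negated else spec
        if pattern in ("ALL", command):
            if negated:
                return False
            allowed = True
    return allowed


def decide(entries, user, groups, host, command):
    """Return (winning entry cn or None, allowed?) for one request."""
    entry = select_entry(entries, user, groups, host)
    if entry is None:
        return (None, False)
    return (entry["cn"][0], command_allowed(entry, command))


def strip_order(entries, cn):
    """Copy of the entries with sudoOrder removed from the named entry,
    simulating an entry that has not been migrated yet."""
    return [
        {k: v for k, v in e.items() if not (e["cn"][0] == cn and k == "sudoOrder")}
        for e in entries
    ]


ENTRIES = parse_ldif(SAMPLE_LDIF)

if __name__ == "__main__":
    # ops (order 20) supersedes admins (order 10) entirely for alice on web01,
    # so admins' !/sbin/reboot never applies to her.
    print(decide(ENTRIES, "alice", {"wheel"}, "web01", "/sbin/reboot"))
    # legacy's /usr/bin/less is not merged into ops either: not cumulative.
    print(decide(ENTRIES, "alice", {"wheel"}, "web01", "/usr/bin/less"))
    # With sudoOrder dropped from ops (unmigrated), admins wins instead.
    print(decide(strip_order(ENTRIES, "ops"), "alice", {"wheel"}, "web01", "/sbin/reboot"))
```

The third case is the migration hazard raised earlier in the thread: while only some entries carry sudoOrder, the unmigrated ones silently sort at 0, so the outcome for a user can flip depending on which overlapping entries have been updated.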
