[sudo-users] New SUDO Schema Expantion

Todd C. Miller Todd.Miller at courtesan.com
Mon Jan 31 10:45:14 EST 2011


On Mon, 31 Jan 2011 15:04:23 GMT, JR Aquino wrote:

> That is to say, you still need to have a complete Sudo rule full
> of permits and denies, and the addition of sudoOrder does not change
> that. It only allows you to supersede 1 complete rule object for
> another rule object.
> 
> That is a lot different than having some allow rule objects and
> some deny rule objects which are all meant to overlap and provide
> granular controls via multiple rule objects.

That is certainly the intent, though now that you can specify
ordering there is nothing to stop you from making the rules more
granular, other than the pain of maintaining lots of extra rule
objects.

 - todd



More information about the sudo-users mailing list