[sudo-users] New SUDO Schema Expansion
JR Aquino
JR.Aquino at citrix.com
Mon Jan 31 10:54:20 EST 2011
On 1/31/11 7:45 AM, "Todd C. Miller" <Todd.Miller at courtesan.com> wrote:
>On Mon, 31 Jan 2011 15:04:23 GMT, JR Aquino wrote:
>
>> That is to say, you still need to have a complete Sudo rule full
>> of permits and denies, and the addition of sudoOrder does not change
>> that. It only allows you to supersede 1 complete rule object for
>> another rule object.
>>
>> That is a lot different than having some allow rule objects and
>> some deny rule objects which are all meant to overlap and provide
>> granular controls via multiple rule objects.
>
>That is certainly the intent, though now that you can specify
>ordering there is nothing to stop you from making the rules more
>granular, other than the pain of maintaining lots of extra rule
>objects.
>
> - todd
Sort of...
The type of granularity I was referring to was cumulative.
For example, what I can't do is:
Set up a rule which says:
sudoUser: jaquino
Permit ALL
sudoOrder: 0
And a granular rule which says:
sudoUser: jaquino
Deny reboot/halt/shutdown
sudoOrder: 1
The desired result being: I can run any command except for
reboot/halt/shutdown.
Except, it would seem in this scenario:
Sudo will always hit the deny rule with the priority 1, see that there are
no additional Permit lines.
Thus, no matter what command I run, I will always be denied and the permit
rule will never be read.
Correct?