[sudo-users] New SUDO Schema Expansion

JR Aquino JR.Aquino at citrix.com
Mon Jan 31 10:54:20 EST 2011


On 1/31/11 7:45 AM, "Todd C. Miller" <Todd.Miller at courtesan.com> wrote:

>On Mon, 31 Jan 2011 15:04:23 GMT, JR Aquino wrote:
>
>> That is to say, you still need to have a complete Sudo rule full
>> of permits and denies, and the addition of sudoOrder does not change
>> that. It only allows you to supersede 1 complete rule object for
>> another rule object.
>> 
>> That is a lot different than having some allow rule objects and
>> some deny rule objects which are all meant to overlap and provide
>> granular controls via multiple rule objects.
>
>That is certainly the intent, though now that you can specify
>ordering there is nothing to stop you from making the rules more
>granular, other than the pain of maintaining lots of extra rule
>objects.
>
> - todd

Sort of...

The type of granularity I was referring to was cumulative.

For example, what I can't do is:

Setup a rule which says:
sudoUser: jaquino
Permit ALL
sudoOrder: 0

And a granular rule which says:
sudoUser: jaquino
Deny reboot/halt/shutdown
sudoOrder: 1

The desired result being: If I run any command except for
reboot/halt/shutdown.

Except, it would seem in this scenario:

Sudo will always hit the deny rule with the priority 1, see that there are
no additional Permit lines.

Thus, no matter what command I run, I will always be denied and the permit
rule will never be read.

Correct?
