[sudo-users] New SUDO Schema Expansion
JR.Aquino at citrix.com
Mon Jan 31 10:54:20 EST 2011
On 1/31/11 7:45 AM, "Todd C. Miller" <Todd.Miller at courtesan.com> wrote:
>On Mon, 31 Jan 2011 15:04:23 GMT, JR Aquino wrote:
>> That is to say, you still need to have a complete Sudo rule full
>> of permits and denies, and the addition of sudoOrder does not change
>> that. It only allows you to supersede 1 complete rule object for
>> another rule object.
>> That is a lot different than having some allow rule objects and
>> some deny rule objects which are all meant to overlap and provide
>> granular controls via multiple rule objects.
>That is certainly the intent, though now that you can specify
>ordering there is nothing to stop you from making the rules more
>granular, other than the pain of maintaining lots of extra rule
> - todd
The type of granularity I was referring to was cumulative.
For example, what I can't do is:
Set up a rule which says:
And a granular rule which says:
The desired result being: If I run any command except for
Except, it would seem in this scenario:
Sudo will always hit the deny rule with priority 1, see that there are
no additional permit lines.
Thus, no matter what command I run, I will always be denied and the permit
rule will never be read.
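The scenario above is easier to reason about with the rule evaluation written out. The following is an added example, not code from sudo or from anyone in this thread: a small Python model of how matching sudoRole entries are combined. It assumes the semantics documented in sudoers.ldap(5) for current sudo releases (the matching entry with the highest sudoOrder wins, mirroring the sudoers file's "last match"; a missing sudoOrder counts as 0; a negated sudoCommand that matches turns its own entry into a deny regardless of attribute order; no matching entry at all means deny). Whether the 2011 release discussed here behaved exactly this way is not something this page settles. The LDIF entries (permit_all, deny_rm, combined, the users jr and alice) are constructed for the example, and host/runas matching is left out to keep it short.

```python
"""Illustrative model of sudoRole evaluation with sudoOrder.

Added example, not sudo's code. Assumed semantics (from sudoers.ldap(5)):
  * every entry whose sudoUser and sudoCommand match is a candidate;
  * the candidate with the highest sudoOrder decides (missing = 0);
  * inside one entry a matching '!cmd' is a deny even if 'ALL' also matches;
  * no candidate at all is a deny.
"""
from dataclasses import dataclass

ALLOW, DENY = "ALLOW", "DENY"

# Constructed sample directory content (not from the thread).
SAMPLE_LDIF = """\
dn: cn=permit_all,ou=SUDOers,dc=example,dc=com
cn: permit_all
sudoUser: jr
sudoHost: ALL
sudoCommand: ALL
sudoOrder: 1

dn: cn=deny_rm,ou=SUDOers,dc=example,dc=com
cn: deny_rm
sudoUser: jr
sudoHost: ALL
sudoCommand: !/bin/rm
sudoOrder: 2

dn: cn=combined,ou=SUDOers,dc=example,dc=com
cn: combined
sudoUser: alice
sudoHost: ALL
sudoCommand: ALL
sudoCommand: !/bin/rm
"""


@dataclass
class SudoRole:
    cn: str
    sudo_user: list
    sudo_command: list
    sudo_order: float = 0.0


def parse_ldif(text):
    """Parse a minimal LDIF subset: one sudoRole per blank-line separated block."""
    roles = []
    for block in text.strip().split("\n\n"):
        attrs = {}
        for line in block.splitlines():
            if not line.strip() or line.startswith("#"):
                continue
            key, _, value = line.partition(":")
            attrs.setdefault(key.strip(), []).append(value.strip())
        roles.append(SudoRole(
            cn=attrs["cn"][0],
            sudo_user=attrs.get("sudoUser", []),
            sudo_command=attrs.get("sudoCommand", []),
            sudo_order=float(attrs.get("sudoOrder", ["0"])[0]),
        ))
    return roles


def entry_matches_command(role, command):
    """Return ALLOW, DENY or None (the entry says nothing about this command).

    A matching negated command denies even when a positive value also matches,
    because sudo cannot rely on attribute order inside an LDAP entry.
    """
    verdict = None
    for spec in role.sudo_command:
        negated = spec.startswith("!")
        pattern = spec[1:] if negated else spec
        if pattern == "ALL" or pattern == command:
            if negated:
                return DENY
            verdict = ALLOW
    return verdict


def decide(roles, user, command):
    """Pick the matching entry with the highest sudoOrder; no match is a deny.

    Returns (verdict, cn of the deciding entry or None).
    """
    candidates = []
    for role in roles:
        if user not in role.sudo_user and "ALL" not in role.sudo_user:
            continue
        verdict = entry_matches_command(role, command)
        if verdict is not None:
            candidates.append((role.sudo_order, verdict, role.cn))
    if not candidates:
        return DENY, None
    _, verdict, cn = max(candidates, key=lambda c: c[0])
    return verdict, cn


if __name__ == "__main__":
    roles = parse_ldif(SAMPLE_LDIF)
    for user, cmd in [("jr", "/bin/rm"), ("jr", "/bin/ls"),
                      ("alice", "/bin/rm"), ("alice", "/bin/ls"),
                      ("bob", "/bin/ls")]:
        print(user, cmd, decide(roles, user, cmd))
```

Under these assumed semantics the two-entry layout (permit_all plus deny_rm) only yields the cumulative "anything except rm" result because the deny entry carries the higher sudoOrder; give the blanket ALL entry the higher value and it shadows the narrow deny, so rm is permitted again. The single combined entry does not depend on ordering at all, which is why one entry with both ALL and !/bin/rm is the less fragile way to express that policy.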