[sudo-users] New SUDO Schema Expansion

JR Aquino JR.Aquino at citrix.com
Mon Jan 31 11:12:51 EST 2011

On 1/31/11 7:54 AM, "JR Aquino" <JR.Aquino at citrix.com> wrote:

>On 1/31/11 7:45 AM, "Todd C. Miller" <Todd.Miller at courtesan.com> wrote:
>>On Mon, 31 Jan 2011 15:04:23 GMT, JR Aquino wrote:
>>> That is to say, you still need to have a complete Sudo rule full
>>> of permits and denies, and the addition of sudoOrder does not change
>>> that. It only allows you to supersede 1 complete rule object for
>>> another rule object.
>>> That is a lot different than having some allow rule objects and
>>> some deny rule objects which are all meant to overlap and provide
>>> granular controls via multiple rule objects.
>>That is certainly the intent, though now that you can specify
>>ordering there is nothing to stop you from making the rules more
>>granular, other than the pain of maintaining lots of extra rule
>> - todd
>Sort of...
>The type of granularity I was referring to was cumulative.
>For example, what I can't do is:
>Set up a rule which says:
>sudoUser: jaquino
>Permit ALL
>SudoOrder: 0
>And a granular rule which says:
>sudoUser: jaquino
>Deny reboot/halt/shutdown
>sudoOrder: 1
>The desired result being: If I run any command except for
>Except, it would seem in this scenario:
>Sudo will Always hit the deny rule with the priority 1, see that there are
>no additional Permit lines.
>Thus, no matter what command I run, I will always be denied and the permit
>rule will never be read.

Ack, I should have given a better example:

#Deny object
sudoUser: jaquino
deny: ALL
sudoOrder: 1

#Permit Object
sudoUser: jaquino
Permit: reboot/halt/shutdown
sudoOrder: 0 <- or with no sudoOrder Attribute set at all, which should
also == 0.0 I believe.

In cases where the higher-ordered rule matches, it will match, stop, and
won't ever see that there is a different, more permissive rule...
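The rule selection discussed in this thread, as an added model (not sudo's own code and not from the list): the sudoRole objects are constructed here, and the matching semantics (highest sudoOrder first, a missing sudoOrder counted as 0, the first object whose sudoUser matches deciding the result, "!"-prefixed sudoCommand entries as denies inside an object) are assumptions that follow the mail's description rather than a reading of sudo's source. The second object set shows the single complete permit-plus-deny object the thread says is still needed to get "ALL except reboot/halt/shutdown".

```python
"""Added model (not sudo's own code) of the sudoOrder behaviour described in
the thread: sudoRole objects are sorted by sudoOrder, highest first (a missing
attribute counts as 0), the first object whose sudoUser matches decides, and
permits and denies never accumulate across objects."""
from fnmatch import fnmatchcase


def _cmd_matches(pattern, command):
    # "ALL" matches any command; otherwise glob-match the full path.
    return pattern == "ALL" or fnmatchcase(command, pattern)


def evaluate(roles, user, command):
    """Return ("permit" | "deny", cn of the deciding object or None)."""
    ordered = sorted(roles, key=lambda r: float(r.get("sudoOrder", 0)),
                     reverse=True)
    for role in ordered:
        if user not in role["sudoUser"] and "ALL" not in role["sudoUser"]:
            continue
        # First object matching the user decides. Within it a "!"-negated
        # entry wins over a permit; no matching permit is an implicit deny.
        for entry in role["sudoCommand"]:
            if entry.startswith("!") and _cmd_matches(entry[1:], command):
                return "deny", role["cn"]
        for entry in role["sudoCommand"]:
            if not entry.startswith("!") and _cmd_matches(entry, command):
                return "permit", role["cn"]
        return "deny", role["cn"]
    return "deny", None  # no object matched the user at all


POWER = ["/sbin/reboot", "/sbin/halt", "/sbin/shutdown"]

# Constructed objects: the two-object layout from the mail (permit ALL at
# order 0, deny reboot/halt/shutdown at order 1) ...
SPLIT_ROLES = [
    {"cn": "permit_all", "sudoUser": ["jaquino"], "sudoCommand": ["ALL"]},
    {"cn": "deny_power", "sudoUser": ["jaquino"], "sudoOrder": "1",
     "sudoCommand": ["!" + c for c in POWER]},
]

# ... and the single complete object that actually yields "ALL except power".
COMBINED_ROLES = [
    {"cn": "all_but_power", "sudoUser": ["jaquino"], "sudoOrder": "0",
     "sudoCommand": ["ALL"] + ["!" + c for c in POWER]},
]

if __name__ == "__main__":
    for roles in (SPLIT_ROLES, COMBINED_ROLES):
        for cmd in ("/bin/ls", "/sbin/reboot"):
            print(roles[0]["cn"], cmd, evaluate(roles, "jaquino", cmd))
```

With the split layout the order-1 deny object is the first user match for every command, so even /bin/ls is denied; only the combined object gives the intended result.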
