[sudo-users] Fwd: SUDO centralization based on Server!
Patrick Spinler
spinler.patrick at mayo.edu
Tue Sep 6 16:33:31 EDT 2011
With a suitably recent sudo you can, by using the sudoOrder attribute as
Todd discussed.
That said, I generally advise against it. It's very hard to make a
"everything but this" sort of rule work right. Frequently, it's easily
worked around.
In your example, for instance, denying /sbin/route is a) unnecessary,
because you didn't grant it in the first place, and b) ineffective,
'cause you granted permission to run yast/yast2, which can manipulate
routes anyway.
Instead, I strongly suggest a policy of granting only very carefully
crafted 'allow' permissions. This is in general a method that is far
safer and easier to protect from side effects.
-- Pat
On 09/06/2011 03:21 PM, pradyumna dash wrote:
> Hi,
>
> If I understood correctly, I can't restrict a user from executing some
> command by centralizing SUDO with OpenLDAP?
>
> Regards,
> Neo
>
>
> On Tue, Sep 6, 2011 at 8:41 PM, Todd C. Miller
> <Todd.Miller at courtesan.com> wrote:
>
> On Tue, 06 Sep 2011 13:33:17 CDT, Patrick Spinler wrote:
>
> > Someone else will have to chime in to confirm or deny my failing
> > memory, but I do know that when using LDAP in general, there are no
> > guarantees as to the order that elements are returned from a search;
> > leading from that, I seem to recall reading somewhere that the behavior
> > of sudo deny rules when pulled from LDAP might not be the same as when
> > reading rules from a file, again 'cause you can't specify or enforce a
> > rule order.
>
> That is correct; LDAP does not guarantee the order of the attributes
> within a sudoRole. Newer versions of sudo support a sudoOrder
> attribute but that only helps with ordering multiple sudoRoles.
>
> - todd
>
>
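The two rule shapes Pat contrasts, written out as LDIF sudoRole entries. This is an added illustration, not something posted in the thread; the DN suffix, the user name, the host name and the command paths are assumed.

```ldif
# Constructed example: the "allow yast, but deny route" idea as one sudoRole.
# The negated sudoCommand adds nothing: /sbin/route was never granted, and
# yast/yast2 (which are granted) can change routes on their own anyway.
# sudoOrder only influences how multiple sudoRoles are ranked; it does not
# impose an order on the attributes inside a single sudoRole.
dn: cn=neo_yast_deny_route,ou=SUDOers,dc=example,dc=com
objectClass: top
objectClass: sudoRole
cn: neo_yast_deny_route
sudoUser: neo
sudoHost: ALL
sudoRunAsUser: root
sudoCommand: /sbin/yast
sudoCommand: /sbin/yast2
sudoCommand: !/sbin/route
sudoOrder: 10

# Preferred shape: an allow-only role that names exactly the commands (with
# their arguments) the user needs on the hosts that need them, so there is
# nothing left to deny and no reliance on rule ordering.
dn: cn=neo_web_restart,ou=SUDOers,dc=example,dc=com
objectClass: top
objectClass: sudoRole
cn: neo_web_restart
sudoUser: neo
sudoHost: web01.example.com
sudoRunAsUser: root
sudoCommand: /etc/init.d/apache2 restart
sudoCommand: /etc/init.d/apache2 status
sudoOrder: 20
```

After loading either entry, `sudo -l -U neo` run as root on a member host shows what sudo actually resolved for that user, which is the quickest way to confirm a rule grants no more than intended.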