[sudo-users] Fwd: SUDO centralization based on Server!

Patrick Spinler spinler.patrick at mayo.edu
Tue Sep 6 16:33:31 EDT 2011

With a suitably recent sudo you can, by using the sudoOrder attribute as
Todd discussed.

That said, I generally advise against it.  It's very hard to make a
"everything but this" sort of rule work right.  Frequently, it's easily
worked around.

In your example, for instance, denying /sbin/route is a) unnecessary,
because you didn't grant it in the first place, and b) ineffective,
'cause you granted permission to run yast/yast2, which can manipulate
routes anyway.

Instead, I strongly suggest a policy of granting only very carefully
crafted 'allow' permissions.  This is in general a method that is far
safer and easier to protect from side effects.

-- Pat

On 09/06/2011 03:21 PM, pradyumna dash wrote:
> Hi,
> If i understood correctly, i can't restrict a user from executing some
> command by centralizing SUDO with OpenLDAP?
> Regards,
> Neo
> On Tue, Sep 6, 2011 at 8:41 PM, Todd C. Miller
> <Todd.Miller at courtesan.com <mailto:Todd.Miller at courtesan.com>> wrote:
>     On Tue, 06 Sep 2011 13:33:17 CDT, Patrick Spinler wrote:
>     > Someone else will have to chime in to confirm or deny my failing
>     memory,
>     > but I do know that when using LDAP in general, there are no guarantees
>     > as to the order that elements are returned from a search; leading from
>     > that, I seem to recall reading somewhere that the behavior of sudo
>     deny
>     > rules when pulled from LDAP might not be the same as when reading
>     rules
>     > from a file, again 'cause you can't specify or enforce a rule order.
>     That is correct; LDAP does not guarantee the order of the attributes
>     within a sudoRole.  Newer versions of sudo support a sudoOrder
>     attribute but that only helps with ordering multiple sudoRoles.
>      - todd

More information about the sudo-users mailing list