[sudo-users] Fwd: SUDO centralization based on Server!

pradyumna dash neomatrixgem at gmail.com
Tue Sep 6 16:40:45 EDT 2011


Hi,

Thanks for your suggestion.  Well, this is the list which I have prepared for
test purposes, so I have added yast2 and all other commands which should
not be there on the production server. I just wanted to see whether I can
restrict/allow users to execute commands based on their groups.

Regards,
Pradyumna



On Tue, Sep 6, 2011 at 10:33 PM, Patrick Spinler
<spinler.patrick at mayo.edu> wrote:

>
> With a suitably recent sudo you can, by using the sudoOrder attribute as
> Todd discussed.
>
> That said, I generally advise against it.  It's very hard to make an
> "everything but this" sort of rule work right.  Frequently, it's easily
> worked around.
>
> In your example, for instance, denying /sbin/route is a) unnecessary,
> because you didn't grant it in the first place, and b) ineffective,
> 'cause you granted permission to run yast/yast2, which can manipulate
> routes anyway.
>
> Instead, I strongly suggest a policy of granting only very carefully
> crafted 'allow' permissions.  This is in general a method that is far
> safer and easier to protect from side effects.
>
> -- Pat
>
> On 09/06/2011 03:21 PM, pradyumna dash wrote:
> > Hi,
> >
> > If I understood correctly, I can't restrict a user from executing some
> > command by centralizing SUDO with OpenLDAP?
> >
> > Regards,
> > Neo
> >
> >
> > On Tue, Sep 6, 2011 at 8:41 PM, Todd C. Miller
> > <Todd.Miller at courtesan.com> wrote:
> >
> >     On Tue, 06 Sep 2011 13:33:17 CDT, Patrick Spinler wrote:
> >
> >     > Someone else will have to chime in to confirm or deny my failing
> >     > memory, but I do know that when using LDAP in general, there are no
> >     > guarantees as to the order that elements are returned from a search;
> >     > leading from that, I seem to recall reading somewhere that the
> >     > behavior of sudo deny rules when pulled from LDAP might not be the
> >     > same as when reading rules from a file, again 'cause you can't
> >     > specify or enforce a rule order.
> >
> >     That is correct; LDAP does not guarantee the order of the attributes
> >     within a sudoRole.  Newer versions of sudo support a sudoOrder
> >     attribute but that only helps with ordering multiple sudoRoles.
> >
> >      - todd
> >
> >
>
>
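The following is an added illustration of the point made in this thread (it is not code from the thread or from the sudo project, and it is a simplified simulation, not sudo's own LDAP matching logic). It parses two constructed sudoRole entries in LDIF form, orders them by sudoOrder, and then evaluates a command under every order in which the directory might return the sudoCommand values of one role, using file-style "last matching entry wins" semantics. The "ALL plus !/sbin/route" role decides differently depending on the order, while the allow-only role gives the same answer under every order. The entry names, groups and commands are made up for the example.

```python
"""Added example: why a negated sudoCommand is ambiguous when the LDAP
server returns attribute values in arbitrary order, and why allow-only
sudoRoles are not.  Simplified simulation, not sudo's own code."""
import itertools

# Constructed sample LDIF, not a dump of a real directory.
SAMPLE_LDIF = """\
dn: cn=devs_all_but_route,ou=SUDOers,dc=example,dc=com
objectClass: top
objectClass: sudoRole
cn: devs_all_but_route
sudoUser: %devs
sudoHost: ALL
sudoCommand: ALL
sudoCommand: !/sbin/route
sudoOrder: 10

dn: cn=ops_allow_only,ou=SUDOers,dc=example,dc=com
objectClass: top
objectClass: sudoRole
cn: ops_allow_only
sudoUser: %ops
sudoHost: ALL
sudoCommand: /sbin/ifconfig
sudoCommand: /usr/sbin/rcapache2 restart
sudoOrder: 20
"""


def parse_ldif(text):
    """Minimal LDIF reader: entries separated by blank lines, each entry a
    dict mapping attribute name -> list of values (no continuation lines,
    no base64 values)."""
    entries, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr.strip(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries


def roles_for(entries, user, groups, host):
    """sudoRole entries that apply to user@host, sorted by sudoOrder.
    sudoUser values: 'ALL', a user name, or '%group'."""
    def applies(entry):
        users_ok = any(
            u == "ALL" or u == user or (u.startswith("%") and u[1:] in groups)
            for u in entry.get("sudoUser", []))
        hosts_ok = any(h in ("ALL", host) for h in entry.get("sudoHost", []))
        return "sudoRole" in entry.get("objectClass", []) and users_ok and hosts_ok

    matched = [e for e in entries if applies(e)]
    return sorted(matched, key=lambda e: int(e.get("sudoOrder", ["0"])[0]))


def decide(sudo_commands, command):
    """File-style evaluation of one role's sudoCommand values in the given
    order: the last matching value wins, and a leading '!' turns a match
    into a deny.  Returns True (allow), False (deny) or None (no match)."""
    result = None
    for value in sudo_commands:
        negated = value.startswith("!")
        pattern = value[1:] if negated else value
        if pattern == "ALL" or pattern == command:
            result = not negated
    return result


def possible_outcomes(role, command):
    """Set of decide() results over every order in which the server might
    return the role's sudoCommand values."""
    values = role["sudoCommand"]
    return {decide(perm, command) for perm in itertools.permutations(values)}


def is_order_sensitive(role, command):
    """True when the decision for `command` depends on attribute order."""
    return len(possible_outcomes(role, command)) > 1


if __name__ == "__main__":
    entries = parse_ldif(SAMPLE_LDIF)
    for user, groups in (("alice", {"devs"}), ("bob", {"ops"})):
        for role in roles_for(entries, user, groups, "web1"):
            for cmd in ("/sbin/route", "/sbin/ifconfig", "/bin/bash"):
                print(role["cn"][0], cmd, possible_outcomes(role, cmd),
                      "ORDER-SENSITIVE" if is_order_sensitive(role, cmd) else "")
```

Run as-is to see that the deny rule for /sbin/route in the first role yields both allow and deny depending on order, while every command in the allow-only role has a single answer. Order-independence is the necessary part; as Pat notes above, it is not sufficient, since an allowed command such as yast2 can change routes regardless of any deny rule, which no ordering fix addresses.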


