[sudo-users] Fwd: SUDO centralization based on Server!
pradyumna dash
neomatrixgem at gmail.com
Tue Sep 6 16:40:45 EDT 2011
Hi,
Thanks for your suggestion. Well, this is the list which I have prepared for
the test purpose, so I have added yast2 and all other commands which should
not be there in the production server. I just wanted to see whether I can
restrict/allow users to execute commands based on their groups.
Regards,
Pradyumna
On Tue, Sep 6, 2011 at 10:33 PM, Patrick Spinler
<spinler.patrick at mayo.edu> wrote:
>
> With a suitably recent sudo you can, by using the sudoOrder attribute as
> Todd discussed.
>
> That said, I generally advise against it. It's very hard to make a
> "everything but this" sort of rule work right. Frequently, it's easily
> worked around.
>
> In your example, for instance, denying /sbin/route is a) unnecessary,
> because you didn't grant it in the first place, and b) ineffective,
> 'cause you granted permission to run yast/yast2, which can manipulate
> routes anyway.
>
> Instead, I strongly suggest a policy of granting only very carefully
> crafted 'allow' permissions. This is in general a method that is far
> safer and easier to protect from side effects.
>
> -- Pat
>
> On 09/06/2011 03:21 PM, pradyumna dash wrote:
> > Hi,
> >
> > If I understood correctly, I can't restrict a user from executing some
> > command by centralizing SUDO with OpenLDAP?
> >
> > Regards,
> > Neo
> >
> >
> > On Tue, Sep 6, 2011 at 8:41 PM, Todd C. Miller
> > <Todd.Miller at courtesan.com> wrote:
> >
> > On Tue, 06 Sep 2011 13:33:17 CDT, Patrick Spinler wrote:
> >
> > > Someone else will have to chime in to confirm or deny my failing
> > > memory, but I do know that when using LDAP in general, there are no
> > > guarantees as to the order that elements are returned from a search;
> > > leading from that, I seem to recall reading somewhere that the
> > > behavior of sudo deny rules when pulled from LDAP might not be the
> > > same as when reading rules from a file, again 'cause you can't
> > > specify or enforce a rule order.
> >
> > That is correct; LDAP does not guarantee the order of the attributes
> > within a sudoRole. Newer versions of sudo support a sudoOrder
> > attribute but that only helps with ordering multiple sudoRoles.
> >
> > - todd
> >
> >
>
>
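Editor's added example, not part of the thread and not from the sudo project: the two patterns discussed above, written as sudoRole entries in the sudo LDAP schema. The "everything but this" role relies on the order in which sudoCommand values come back, which Todd notes LDAP does not guarantee within a single sudoRole; the allow-only roles grant a short, explicit command list per group and use sudoOrder (which only ranks separate sudoRoles against each other) so that the more specific role wins when several match. The base DN, group names, host names and command paths are constructed for illustration.

```ldif
# --- Pattern to avoid: "ALL except route" in one role.
# The order of the sudoCommand values below is not guaranteed when
# read back from LDAP, so the negation may or may not take effect,
# and ALL already covers tools (yast2 etc.) that can change routes.
dn: cn=ops-all-but-route,ou=SUDOers,dc=example,dc=com
objectClass: top
objectClass: sudoRole
cn: ops-all-but-route
sudoUser: %ops
sudoHost: ALL
sudoRunAsUser: root
sudoCommand: ALL
sudoCommand: !/sbin/route

# --- Preferred pattern: allow-only roles, one per group, each listing
# exactly the commands that group needs. Nothing is denied; anything
# not listed is simply not granted.
dn: cn=webadmins-services,ou=SUDOers,dc=example,dc=com
objectClass: top
objectClass: sudoRole
cn: webadmins-services
sudoUser: %webadmins
sudoHost: web01.example.com
sudoHost: web02.example.com
sudoRunAsUser: root
sudoCommand: /usr/sbin/service apache2 restart
sudoCommand: /usr/sbin/service apache2 reload
# sudoOrder only ranks this sudoRole against other matching sudoRoles;
# it does not order the sudoCommand values inside a role.
sudoOrder: 10

dn: cn=dbadmins-services,ou=SUDOers,dc=example,dc=com
objectClass: top
objectClass: sudoRole
cn: dbadmins-services
sudoUser: %dbadmins
sudoHost: db01.example.com
sudoRunAsUser: root
sudoCommand: /usr/sbin/service mysql restart
sudoCommand: /usr/bin/mysqladmin status
sudoOrder: 10

# A deliberately narrow role that overrides the group role for one
# host: highest sudoOrder wins when more than one sudoRole matches.
dn: cn=webadmins-staging-readonly,ou=SUDOers,dc=example,dc=com
objectClass: top
objectClass: sudoRole
cn: webadmins-staging-readonly
sudoUser: %webadmins
sudoHost: web-staging.example.com
sudoRunAsUser: root
sudoCommand: /usr/sbin/service apache2 status
sudoOrder: 20
```

After loading such entries (for example with ldapadd against a test directory), `sudo -l` run as a member of each group on the relevant host is the quick check that only the listed commands appear; if the "all but route" role is loaded alongside for comparison, the output for members of %ops shows why Patrick calls the deny ineffective.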