[sudo-users] Host negation

Gunjan Varshney Gunjan.Varshney at VERIFONE.com
Wed Sep 14 12:35:44 MDT 2016


That is correct. This is because a gold image OS is baked and given to operations, and they bring up infrastructure using that image without me coming into the picture.

Possibly I can think of a solution where I create 2 sudoers trees - 1 for 'certain hosts' and the other for 'other hosts' in the same LDAP. Do you see any problem with this approach?

-gunjan 

-----Original Message-----
From: Michael Ströder [mailto:michael at stroeder.com] 
Sent: Wednesday, September 14, 2016 1:05 AM
To: Gunjan Varshney <Gunjan.Varshney at VERIFONE.com>
Cc: sudo-users at sudo.ws
Subject: Re: [sudo-users] Host negation

Gunjan Varshney wrote:
> A role superadmins (example, I created this role in sudoers) should be 
> applicable to certain hosts but not others. I know CIDR of 'other 
> hosts' but on these hosts I do not want super admins.

I suspect that if you don't know the IP addresses of all allowed hosts, you also cannot be sure that the set of 'other hosts' is not extended later without you noticing it.

Yet another case which clearly shows:
In general rule negation is bad practice!

Ciao, Michael.

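The following is an added example, not part of the thread and not sudo's own code: it models the two host-scoping approaches under discussion (a negated rule of the form "ALL hosts except the 'other hosts' CIDR" versus an explicit allow list of 'certain hosts', which is what a separate sudoers tree selected via a different sudoers_base amounts to) and runs a host that belongs to neither list through both. The CIDRs and addresses are constructed, and the host-list evaluation is a simplified emulation of sudoers-style lists (entries in order, a leading '!' negates, last match decides) rather than sudo's actual matcher.

```python
"""
Model of two ways to scope a sudoers role to hosts.

  (a) negation : the role matches ALL hosts except a known CIDR list
  (b) allow list: the role matches only an explicit CIDR list

All CIDRs and addresses below are constructed for this example.
"""
import ipaddress

# Constructed example data (assumed, not from the thread).
OTHER_HOSTS = ["10.20.0.0/16"]     # hosts that must NOT get the superadmins role
CERTAIN_HOSTS = ["10.10.0.0/16"]   # hosts that should get the superadmins role


def host_in_cidrs(ip, cidrs):
    """True if ip falls inside any of the given CIDR (or single-address) strings."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c) for c in cidrs)


def match_host_list(ip, entries):
    """Emulate a sudoers-style host list such as 'ALL, !10.20.0.0/16'.

    Entries are evaluated in order; a leading '!' negates the entry.
    The last entry that matches decides the result (assumption: a
    simplified last-match rule, not sudo's real matcher).
    """
    result = False
    for entry in entries:
        negate = entry.startswith("!")
        pattern = entry.lstrip("!")
        if pattern == "ALL" or host_in_cidrs(ip, [pattern]):
            result = not negate
    return result


def negation_policy(ip):
    """Approach (a): role applies everywhere except OTHER_HOSTS."""
    return match_host_list(ip, ["ALL"] + ["!" + c for c in OTHER_HOSTS])


def allowlist_policy(ip):
    """Approach (b): role applies only on CERTAIN_HOSTS (the separate tree)."""
    return match_host_list(ip, CERTAIN_HOSTS)


def compare(ips):
    """Map each address to (negation result, allow-list result)."""
    return {ip: (negation_policy(ip), allowlist_policy(ip)) for ip in ips}


if __name__ == "__main__":
    # 192.168.7.7 stands for a host brought up later from the gold image,
    # outside both known ranges: negation grants the role, the allow list does not.
    for ip, (neg, allow) in compare(["10.10.1.5", "10.20.1.5", "192.168.7.7"]).items():
        print(f"{ip:14} negation={neg!s:5} allowlist={allow!s:5}")
```

The third address is the case Michael describes: a host nobody added to the 'other hosts' CIDR (a fresh deployment from the gold image) is granted superadmins by the negated rule, while the allow-list tree grants nothing until someone deliberately adds the host's range to it.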