[sudo-users] LDAP defaults for commands

Daniele Palumbo daniele at retaggio.net
Wed Dec 6 15:46:59 MST 2017


This will satisfy

"Defaults:millert !authenticate" 

But not
"Cmnd_Alias PAGERS = /usr/bin/more, /usr/bin/pg, /usr/bin/less
Defaults!PAGERS noexec"

I am trying to sort it out... But I think this is not correct...

# Defaults-PAGERS, SUDOers, courtesan.com
dn: cn=Defaults-PAGERS,ou=SUDOers,dc=courtesan,dc=com <-- will it work? Defaults will be a duplicate, correct?
objectClass: top
objectClass: sudoRole
cn: Defaults-PAGERS
sudoRunAsUser: ALL
sudoRunAsGroup: ALL
sudoHost: ALL
sudoOption: noexec
sudoCommand: /usr/bin/more, /usr/bin/pg, /usr/bin/less <-- I think this will grant the commands to all of the users, am I wrong?

Thanks for the clarification,
Daniele


On 6 December 2017 23:27:40 CET, "Todd C. Miller" <Todd.Miller at sudo.ws> wrote:
>The sudoers LDAP configuration handles the Defaults options
>differently.  There is no way to specify a set of options that are
>always applied to a user.  Instead, you specify the options inside
>the sudoRole object for that user or group.
>
>For example:
>
># millert, SUDOers, courtesan.com
>dn: cn=millert,ou=SUDOers,dc=courtesan,dc=com
>objectClass: top
>objectClass: sudoRole
>cn: millert
>sudoUser: millert
>sudoRunAsUser: ALL
>sudoRunAsGroup: ALL
>sudoHost: ALL
>sudoOption: !authenticate
>
>would allow user millert to execute any command without authenticating.
>
> - todd
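
Added example (not part of the original messages and not the sudo project's own configuration): the per-command "Defaults!PAGERS noexec" case from the question, written as a sudoRole that carries its own sudoOption, as the reply describes. The cn, the sudoOrder value and the use of millert as the sudoUser are assumptions made for illustration.

```ldif
# pagers-noexec, SUDOers, courtesan.com
# Constructed entry: the cn and the choice of millert as sudoUser are assumptions.
dn: cn=pagers-noexec,ou=SUDOers,dc=courtesan,dc=com
objectClass: top
objectClass: sudoRole
cn: pagers-noexec
# sudoUser limits who the role applies to.
sudoUser: millert
sudoHost: ALL
sudoRunAsUser: ALL
# sudoCommand is multi-valued: one command per attribute value.
sudoCommand: /usr/bin/more
sudoCommand: /usr/bin/pg
sudoCommand: /usr/bin/less
# sudoOption applies only to this sudoRole, so noexec covers just the pagers.
sudoOption: noexec
# If another sudoRole also matches, the entry with the highest sudoOrder is used.
sudoOrder: 10
```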

