[sudo-users] LDAP defaults for commands

Todd C. Miller Todd.Miller at sudo.ws
Wed Dec 6 15:52:24 MST 2017


On Wed, 06 Dec 2017 23:46:59 +0100, Daniele Palumbo wrote:

> This will satisfy
> 
> "Defaults:millert !authenticate"
> 
> But not
> "Cmnd_Alias PAGERS = /usr/bin/more, /usr/bin/pg, /usr/bin/less
> Defaults!PAGERS noexec"
> 
> I am trying to sort it out... But I think this is not correct...
> 
> # Defaults-PAGERS, SUDOers, courtesan.com
> dn: cn=Defaults-PAGERS,ou=SUDOers,dc=courtesan,dc=com <-- will it work?
> Defaults will be duplicated, correct?
> objectClass: top
> objectClass: sudoRole
> cn: Defaults-PAGERS
> sudoRunAsUser: ALL
> sudoRunAsGroup: ALL
> sudoHost: ALL
> sudoOption: noexec
> sudoCommand: /usr/bin/more, /usr/bin/pg, /usr/bin/less <-- I think this will
> grant the commands to all of the users, am I wrong?

That sudoRole will never match a query because there is no sudoUser
in it.  You would need to add one or more sudoUser entries to grant
the privileges to a user or group of users.

Unfortunately, there is no way to specify per-command options in
sudoers LDAP.  The options are either global or specific to a given
sudoRole.

 - todd
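As an added example that is not part of the original thread, the two scopes Todd describes, written out as LDIF for the sudoers LDAP schema: a global `cn=defaults` entry whose sudoOption values apply to everyone, and a sudoRole that grants only the pager commands to one user and carries `noexec` as a role-scoped option. The DN suffix, the user name and the role name are assumptions; the point is that the sudoRole needs a sudoUser to ever match, that each sudoCommand is a separate attribute value rather than one comma-separated string, and that the option is attached to the role (and therefore to the commands that role lists), since there is no per-command Defaults in LDAP.

```ldif
# Constructed example, not from the original post. The base DN, user and
# role name are assumptions.

# Global defaults: sudoOption values here apply to every matching role.
dn: cn=defaults,ou=SUDOers,dc=example,dc=com
objectClass: top
objectClass: sudoRole
cn: defaults
description: Default sudoOption values go here
sudoOption: env_reset

# Role-scoped option: noexec applies when this role is the one that
# matches. Because the role lists only the pager commands, this is the
# closest LDAP equivalent of "Defaults!PAGERS noexec" in a sudoers file.
dn: cn=pagers,ou=SUDOers,dc=example,dc=com
objectClass: top
objectClass: sudoRole
cn: pagers
sudoUser: millert
sudoHost: ALL
sudoRunAsUser: ALL
sudoCommand: /usr/bin/more
sudoCommand: /usr/bin/pg
sudoCommand: /usr/bin/less
sudoOption: noexec
```

After loading the entries, `sudo -ll` run as the user shows each matching role with its Options line, which is the quickest way to confirm that `noexec` is attached to the pager role and not silently dropped. Any other role that also matches the same user and command contributes its own options, so the effective restriction is only as tight as the whole set of matching roles.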

