[sudo-users] #include with UID / GID or something

Michael Ströder michael at stroeder.com
Fri Jul 27 11:21:08 MDT 2018


I'm currently implementing an approach where I sync the LDAP entries to 
local sudoers files (converted from LDIF with cvtsudoers). The sync 
component is built into a custom NSS/PAM demon for sharing the same 
persistent LDAP connection and this shall run as unprivileged user.

Now in /etc/sudoers I can include files (with #include) or directories 
(with #includedir). By default all included files must be owned by root. 
This would require my component to have additional helper stuff running 
as root reliably picking up and moving files. I'd like to avoid that for 
reduced complexity.

Now I've tried using sudoers_uid and sudoers_gid in /etc/sudo.conf like 
this (lines wrapped herein):

Plugin sudoers_policy sudoers.so sudoers_file=/etc/sudoers
Plugin sudoers_policy sudoers.so 
sudoers_file=/var/lib/aehostd/ae-dir-sudoers-export sudoers_mode=0440 
sudoers_uid=369 sudoers_gid=369

But that does not work either:

# sudo -l -U viic
sudo: ignoring duplicate policy plugin "sudoers_policy" in 
/etc/sudo.conf, line 2
sudo: fatal error, unable to load plugins

Is there a security reason for this?
Or is it simply not possible for sudo to manage multiple instances of 
the same plugin?

Any solution would be appreciated.

Ciao, Michael.

P.S.: Another solution would be a well-defined protocol for querying 
sudoers entries over Unix domain socket without requiring another 
3rd-party lib (like sssd sudoers lib). But this seems way more work.

More information about the sudo-users mailing list