[sudo-users] #include with UID / GID or something
Michael Ströder
michael at stroeder.com
Fri Jul 27 11:21:08 MDT 2018
Hi!
I'm currently implementing an approach where I sync the LDAP entries to
local sudoers files (converted from LDIF with cvtsudoers). The sync
component is built into a custom NSS/PAM daemon for sharing the same
persistent LDAP connection and this shall run as unprivileged user.
Now in /etc/sudoers I can include files (with #include) or directories
(with #includedir). By default all included files must be owned by root.
This would require my component to have additional helper stuff running
as root reliably picking up and moving files. I'd like to avoid that for
reduced complexity.
Now I've tried using sudoers_uid and sudoers_gid in /etc/sudo.conf like
this:
Plugin sudoers_policy sudoers.so sudoers_file=/etc/sudoers
Plugin sudoers_policy sudoers.so sudoers_file=/var/lib/aehostd/ae-dir-sudoers-export sudoers_mode=0440 sudoers_uid=369 sudoers_gid=369
But that does not work either:
# sudo -l -U viic
sudo: ignoring duplicate policy plugin "sudoers_policy" in
/etc/sudo.conf, line 2
sudo: fatal error, unable to load plugins
Is there a security reason for this?
Or is it simply not possible for sudo to manage multiple instances of
the same plugin?
Any solution would be appreciated.
Ciao, Michael.
P.S.: Another solution would be a well-defined protocol for querying
sudoers entries over Unix domain socket without requiring another
3rd-party lib (like sssd sudoers lib). But this seems way more work.
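The post turns on the constraint that sudo places on included sudoers files: they must be owned by the expected uid/gid (root, or the sudoers_uid/sudoers_gid configured in sudo.conf) and must not be more permissive than sudoers_mode (0440 by default, never group- or world-writable). The following shell script is an added example, not code from the original post or from the sudo project: a pre-flight check that an exporter such as the one described could run on a generated fragment before handing it to sudo, so that an unreadable-by-sudo file is caught by the exporter rather than surfacing as a refused #include later. The uid/gid/mode values 369/369/0440 are taken from the post; the fragment content and file path in the demo are constructed, and the syntax-check helper is kept separate because it needs visudo on the host.

```shell
#!/bin/sh
# Added example (not from the original post or the sudo project):
# pre-flight ownership/mode check for a sudoers fragment that a non-root
# exporter wants sudo to #include. It mirrors the rules sudo documents for
# included files (owner/group must match, mode must not exceed
# sudoers_mode, no group/world write bit). Values 369/369/0440 are from
# the post; everything else here is a constructed assumption.

# file_meta FILE -> prints "uid gid mode" (mode in octal, no leading 0)
file_meta() {
    # GNU stat first, BSD/macOS stat as a fallback
    stat -c '%u %g %a' "$1" 2>/dev/null || stat -f '%u %g %OLp' "$1"
}

# check_sudoers_fragment FILE EXPECTED_UID EXPECTED_GID MAX_MODE
# Returns 0 when FILE satisfies the ownership and mode rules, 1 otherwise,
# printing the first violated rule on stderr. MAX_MODE is octal without
# the leading 0 (e.g. 440), matching sudoers_mode=0440 in sudo.conf.
check_sudoers_fragment() {
    file="$1"; want_uid="$2"; want_gid="$3"; max_mode="$4"
    [ -f "$file" ] || { echo "$file: not a regular file" >&2; return 1; }
    set -- $(file_meta "$file")
    uid="$1"; gid="$2"; mode="$3"
    [ "$uid" = "$want_uid" ] || {
        echo "$file: owned by uid $uid, should be $want_uid" >&2; return 1; }
    [ "$gid" = "$want_gid" ] || {
        echo "$file: group is gid $gid, should be $want_gid" >&2; return 1; }
    # any permission bit set in the file but absent from MAX_MODE is too much
    extra=$(( 0$mode & ~0$max_mode ))
    [ "$extra" -eq 0 ] || {
        echo "$file: mode 0$mode exceeds 0$max_mode" >&2; return 1; }
    # group- or world-writable fragments are always rejected
    [ $(( 0$mode & 022 )) -eq 0 ] || {
        echo "$file: group/world writable" >&2; return 1; }
    return 0
}

# check_sudoers_syntax FILE -> runs visudo's parser over FILE only.
# Separate from the ownership check because it needs visudo installed.
check_sudoers_syntax() {
    command -v visudo >/dev/null 2>&1 || { echo "visudo not found" >&2; return 2; }
    visudo -c -f "$1" >/dev/null
}

# Demo with a constructed fragment in a temporary directory. The export
# path from the post (/var/lib/aehostd/ae-dir-sudoers-export) is not used
# so the demo runs without privileges; the uid/gid checked are our own.
demo() {
    tmpd=$(mktemp -d) || return 1
    frag="$tmpd/ae-dir-sudoers-export"
    printf 'viic ALL=(ALL) NOPASSWD: /usr/bin/systemctl\n' > "$frag"
    chmod 0440 "$frag"
    if check_sudoers_fragment "$frag" "$(id -u)" "$(id -g)" 440; then
        echo "ok: $frag passes the ownership/mode rules"
    else
        echo "rejected: $frag"
    fi
    chmod 0644 "$frag"   # now too permissive: expected to be rejected
    check_sudoers_fragment "$frag" "$(id -u)" "$(id -g)" 440 || echo "rejected as expected"
    rm -rf "$tmpd"
}

demo
```

In the deployment the post describes, the expected uid/gid would be the 369/369 values configured via sudoers_uid/sudoers_gid, and the check would run immediately after cvtsudoers writes the export, before sudo is expected to pick it up.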