[sudo-users] #include with UID / GID or something

Michael Ströder michael at stroeder.com
Fri Jul 27 16:17:18 MDT 2018


On 07/27/2018 11:47 PM, Todd C. Miller wrote:
> On Fri, 27 Jul 2018 19:21:08 +0200, Michael Ströder wrote:
> 
>> # sudo -l -U viic
>> sudo: ignoring duplicate policy plugin "sudoers_policy" in
>> /etc/sudo.conf, line 2
>> sudo: fatal error, unable to load plugins
>>
>> Is there a security reason for this?
>> Or is it simply not possible for sudo to manage multiple instances of
>> the same plugin?
> 
> You cannot have more than one instance of a plugin with the same
> symbol_name.  Even if you could, sudo currently only allows a single
> policy plugin.
> 
> Do you really need to have more than one sudoers policy?  If you
> need to have local-only rules, why not just use an include file?

The above was my rather naive attempt to circumvent the root ownership 
requirement for one included file. Mainly for illustrating what I'd like 
to achieve.

Of course it would be nice to have optional arguments to a #include or 
#includedir statement to explicitly specify the owner's UID and GID of 
included file(s).

Something like this:

#include /var/lib/aehostd/sudoers-export sudoers_uid=369 sudoers_gid=369

Ciao, Michael.
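
Added example, not part of the original message and not sudo's code: a Python sketch of how the per-include options proposed above could be parsed and then applied as an owner and mode check on the included file. The option syntax is the hypothetical one from the message; `parse_include` and `check_secure` are illustrative names, and the defaults of 0 and the rejection of symlinks are assumptions of this sketch.

```python
import os
import stat

def parse_include(line, default_uid=0, default_gid=0):
    """Parse the proposed form: #include PATH [sudoers_uid=N] [sudoers_gid=N].

    Hypothetical syntax from the message above, not accepted by sudo."""
    parts = line.split()
    if len(parts) < 2 or parts[0] != "#include":
        raise ValueError("not an #include line")
    path, uid, gid = parts[1], default_uid, default_gid
    for opt in parts[2:]:
        key, sep, val = opt.partition("=")
        if not sep or not val.isdigit():
            raise ValueError(f"bad option: {opt!r}")
        if key == "sudoers_uid":
            uid = int(val)
        elif key == "sudoers_gid":
            gid = int(val)
        else:
            raise ValueError(f"unknown option: {key!r}")
    return path, uid, gid

def check_secure(path, uid, gid):
    """Return None if the file is acceptable, else the reason it is rejected."""
    st = os.lstat(path)  # assumption of this sketch: symlinks are not followed
    if not stat.S_ISREG(st.st_mode):
        return "not a regular file"
    if st.st_uid != uid:
        return f"owned by uid {st.st_uid}, expected {uid}"
    if st.st_mode & stat.S_IWOTH:
        return "world-writable"
    # Group write access is tolerated only for the expected group.
    if st.st_mode & stat.S_IWGRP and st.st_gid != gid:
        return f"group-writable by gid {st.st_gid}, expected {gid}"
    return None

if __name__ == "__main__":
    # The line from the message; the file only exists on the poster's system.
    line = "#include /var/lib/aehostd/sudoers-export sudoers_uid=369 sudoers_gid=369"
    path, uid, gid = parse_include(line)
    print(path, uid, gid)
    if os.path.lexists(path):
        print(check_secure(path, uid, gid) or "ok")
```

With such options, the trust decision moves from "only root can write this file" to "only the named UID can write it", so whoever controls that account controls the rules the file grants.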


