[sudo-users] Does sudoers support an if/else logic structure

Todd C. Miller Todd.Miller at sudo.ws
Fri Aug 11 10:19:34 MDT 2023


On Fri, 11 Aug 2023 13:04:34 -0000, "sean.dolan--- via sudo-users" wrote:

> Our network consists of both an in-band and out-of-band network
> meaning a box can have multiple NICs with either interface or both.
> We would like to deploy a *common* sudoers throughout our enterprise
> and I was hoping to include logic in the sudoers to use an @include
> directive that includes either the in-band or the out-of-band file
> which would include a list of log_servers applicable to that interface
> (yes, the log_server supports both interfaces). Is this possible?
>
> I can work around it by alternating the list of log_servers from
> one interface to the other and include the log_server_timeout to a
> low value, but it still would result in a "delay" for a machine
> that only has one interface and the first log_server entry does not
> match that interface. Or might there be a better way to achieve
> the result without if/else logic in sudoers?

There's not currently a way to perform conditional logic in sudoers.
I suppose you could use "@include /etc/sudoers.log" and then create
a link from /etc/sudoers.log to the appropriate include file (in-band
or out-of-band) when you distribute sudoers.

What kind of conditional inclusion would you find useful?  It may
be possible to add generalized support for running an external
command as part of the include file name.  For example,

    @include "/etc/sudoers.$(command)"

Something like this could also be useful for the different Alias
types (especially Cmnd_Alias).

 - todd
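The symlink approach suggested above, worked through as an added example (this is not code from the sudo project or from either poster): a distribution script stages a common sudoers file that never changes, plus both include files, and points a symlink at the one matching the target host's interfaces. Assumptions not found in the thread: in-band NICs are named en*/eth*, the out-of-band NIC is named mgmt*/oob*, the include files are called sudoers.inband and sudoers.oob, and when both kinds of interface are present the in-band file is preferred. The log server addresses are constructed placeholders. A relative `@include` path is resolved against the directory of the sudoers file being parsed, which lets the staged tree be checked with `visudo -c` before it is copied to /etc.

```shell
# Added example (not the sudo project's code nor the thread's): deploy a
# common sudoers whose only per-host piece is the sudoers.log symlink.
# Assumed naming: in-band NICs en*/eth*, out-of-band NICs mgmt*/oob*;
# include files sudoers.inband and sudoers.oob. Addresses are constructed.

# Pick the include file for a whitespace-separated list of interface names.
# Assumed policy: a box with both kinds of interface gets the in-band file.
choose_include() {
    for ifname in $1; do
        case "$ifname" in
            en*|eth*) echo sudoers.inband; return 0 ;;
        esac
    done
    for ifname in $1; do
        case "$ifname" in
            mgmt*|oob*) echo sudoers.oob; return 0 ;;
        esac
    done
    return 1   # neither kind present: refuse to guess rather than delay sudo
}

# Build a staging tree under $1/etc for the interfaces listed in $2 and
# print the chosen include file name. The common sudoers is identical on
# every host; only the symlink target differs. Safe to re-run.
stage_sudoers() {
    root=$1
    target=$(choose_include "$2") || return 1
    mkdir -p "$root/etc"
    rm -f "$root/etc/sudoers" "$root/etc/sudoers.inband" "$root/etc/sudoers.oob"
    # Common policy (constructed sample). The relative @include is resolved
    # against the directory holding this file, so visudo can check the tree
    # in place before it is installed.
    cat > "$root/etc/sudoers" <<'EOF'
Defaults log_server_timeout = 5
@include sudoers.log
root ALL=(ALL:ALL) ALL
EOF
    # One include file per network; addresses are placeholders.
    printf 'Defaults log_servers = "10.0.0.5:30344"\n' > "$root/etc/sudoers.inband"
    printf 'Defaults log_servers = "192.168.200.5:30344"\n' > "$root/etc/sudoers.oob"
    ln -sf "$target" "$root/etc/sudoers.log"
    chmod 0440 "$root/etc/sudoers" "$root/etc/sudoers.inband" "$root/etc/sudoers.oob"
    echo "$target"
}

# Syntax-check the staged tree when visudo is available on the build host;
# prints "ok", "bad" or "skipped".
check_staged() {
    if ! command -v visudo >/dev/null 2>&1; then echo skipped; return 0; fi
    if visudo -c -q -f "$1/etc/sudoers" >/dev/null 2>&1; then echo ok; else echo bad; fi
}

# Typical use on the distribution host, given the target's NIC names:
#   stage_sudoers /tmp/stage "$(ls /sys/class/net)" && check_staged /tmp/stage
```

Because the selection happens on the distribution host, a box that has only one interface never carries the other network's log_servers entry, so there is no timeout to wait out; the cost is that a host whose interfaces change needs the symlink re-pointed on the next push.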
