patch to simulate login for sudo

David J. MacKenzie djm at web.us.uu.net
Tue Sep 12 21:32:51 EDT 2000


I see I should explain a little more the motivation for this patch.
We have over 800 web hosting customers, and we rdist out to all hosts
the same passwd file, which is hashed so libc lookups are fast
(this is on BSD/OS).

Our customer support users are all in group wwwadmin, and our customers
are all in group www.

I'd rather not have to maintain an individual entry in the sudoers
file for every customer, particularly since the file is scanned linearly.

Using my -i option patch, my sudoers file looks like this:

User_Alias WWWADMIN = %wwwadmin
Runas_Alias WWW = %www
Cmnd_Alias SHELL = /bin/sh, /bin/csh, /bin/ksh, /bin/bash, /bin/tcsh, /bin/zsh
WWWADMIN ALL = (WWW) SHELL

That allows the wwwadmin group to run a shell (I could've said ALL commands)
as anyone in the www group.  But they can't run a shell as root or as
a sysadmin with higher privileges (like me).

If there were a substitution mechanism in sudoers, then that line could
become something like

WWWADMIN ALL = (WWW) su - ${runas_user}

or if you prefer printf style, something like

WWWADMIN ALL = (WWW) su - %r

So that would be an alternative way to meet our needs, but it seemed
more likely to break backward compatibility and harder to implement.
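To make the effect of the group-based Runas_Alias concrete, here is an added example (not from the post, and not sudo's own parser): a small Python model of the subset of the sudoers grammar used above, run against a constructed group database. It checks the property the post relies on, that a wwwadmin member may run a listed shell as any www member but not as root or as another administrator. Sudo's real evaluation rules (last matching entry wins, `!` negation, host aliases, wildcards, per-user defaults) are deliberately not modelled; the group memberships and host name are assumptions made up for the example.

```python
"""Minimal model of the group-based sudoers policy from the post.

Added example, not sudo's own parser. It handles only User_Alias /
Runas_Alias / Cmnd_Alias / Host_Alias definitions and one-line specs of
the form  USER HOST = (RUNAS) COMMANDS  so the restriction described in
the post can be checked offline. Group memberships below are constructed.
"""
import re

# The sudoers fragment from the post, verbatim.
SUDOERS = """\
User_Alias WWWADMIN = %wwwadmin
Runas_Alias WWW = %www
Cmnd_Alias SHELL = /bin/sh, /bin/csh, /bin/ksh, /bin/bash, /bin/tcsh, /bin/zsh
WWWADMIN ALL = (WWW) SHELL
"""

# Constructed group database (group name -> members), standing in for /etc/group.
GROUPS = {
    "wwwadmin": {"djm", "support1"},   # customer support staff
    "www": {"cust001", "cust002"},     # hosting customers
    "wheel": {"djm"},                  # a sysadmin with higher privileges
}

ALIAS_KEYWORDS = ("User_Alias", "Runas_Alias", "Cmnd_Alias", "Host_Alias")


def parse_sudoers(text):
    """Return (aliases, specs): aliases[kind][NAME] -> members, specs -> list of dicts."""
    aliases = {k: {} for k in ALIAS_KEYWORDS}
    specs = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and blank lines
        if not line:
            continue
        keyword = line.split(None, 1)[0]
        if keyword in ALIAS_KEYWORDS:
            _, rest = line.split(None, 1)
            name, members = rest.split("=", 1)
            aliases[keyword][name.strip()] = [m.strip() for m in members.split(",")]
            continue
        # Single user token, single host token, optional (RUNAS) list, command list.
        m = re.match(r"(\S+)\s+(\S+)\s*=\s*(?:\(([^)]*)\))?\s*(.+)$", line)
        if not m:
            raise ValueError(f"unsupported sudoers line: {raw!r}")
        user, host, runas, cmds = m.groups()
        specs.append({
            "users": [user],
            "hosts": [host],
            # sudo defaults the runas user to root when no (RUNAS) is given.
            "runas": [r.strip() for r in (runas or "root").split(",")],
            "cmds": [c.strip() for c in cmds.split(",")],
        })
    return aliases, specs


def expand(members, kind, aliases):
    """Recursively replace alias names of the given kind by their members."""
    out = []
    for m in members:
        if m in aliases[kind]:
            out.extend(expand(aliases[kind][m], kind, aliases))
        else:
            out.append(m)
    return out


def member_matches(member, user, groups):
    """ALL matches anyone, %group matches group members, otherwise exact name."""
    if member == "ALL":
        return True
    if member.startswith("%"):
        return user in groups.get(member[1:], set())
    return member == user


def may_run(text, user, target, command, groups=GROUPS, host="webhost1"):
    """True if `user` may run `command` as `target` under the policy in `text`.

    First-match semantics only; real sudo applies the last matching entry
    and supports negation, which this model leaves out on purpose.
    """
    aliases, specs = parse_sudoers(text)
    for spec in specs:
        users = expand(spec["users"], "User_Alias", aliases)
        hosts = expand(spec["hosts"], "Host_Alias", aliases)
        runas = expand(spec["runas"], "Runas_Alias", aliases)
        cmds = expand(spec["cmds"], "Cmnd_Alias", aliases)
        if not any(member_matches(u, user, groups) for u in users):
            continue
        if not any(h in ("ALL", host) for h in hosts):
            continue
        if not any(member_matches(r, target, groups) for r in runas):
            continue
        if any(c in ("ALL", command) for c in cmds):
            return True
    return False


if __name__ == "__main__":
    for who, target, cmd in [("djm", "cust001", "/bin/sh"),
                             ("djm", "root", "/bin/sh"),
                             ("support1", "djm", "/bin/sh"),
                             ("cust001", "cust002", "/bin/sh")]:
        print(f"{who} -> {target} {cmd}: {'allowed' if may_run(SUDOERS, who, target, cmd) else 'denied'}")
```

The useful check is the pair of negative cases: the same rule that lets `support1` run `/bin/sh` as `cust001` denies running it as `root` and as `djm`, because the Runas_Alias resolves to `%www` and neither target is in that group. Running the real policy through `sudo -l -U user` (or `visudo -c` for syntax) on an actual host is the authoritative test; this model only shows why the group-based Runas_Alias bounds the privilege the way the post describes.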


