[sudo-workers] Add support for DBIS netservices

Bannister, Mark Mark.Bannister at morganstanley.com
Wed Aug 19 03:00:07 MDT 2015

Hi Todd et al,

I'd like to start a discussion about adding support into sudo for a new feature that could be used instead of netgroups in a sudo configuration to determine who can run sudo and what they can do with it.  Let me explain.

In 2013 I set out to replace RFC2307/RFC2307bis & NIS with a new collection of IETF internet drafts - to fix some problems in the original LDAP schema and also to add some new features.

One of the new features in DBIS is called 'netservices' and the idea is to simplify the way that netgroups are used today.  I have seen several large enterprise environments over the past decade with tens of thousands of netgroups that are difficult to maintain and even more difficult to audit because netgroups are being used to represent not just groups of users or hosts (as they were originally intended) but also roles and permissions.

The idea of netservices is to define the roles and permissions in a separate hierarchical model that is distinct to netgroups, leaving netgroups to do what they do best (grouping together users or hosts).

If sudo were to support netservices, we would need a way in a sudo configuration of saying 'if the user has this netservice then they can run this task under sudo' or 'if the host has this netservice then sudo is allowed or disallowed'.

DBIS is also a user-land caching daemon written in Python that is responsible for all communication with LDAP and caching of results, an NSS library that uses the caching daemon for looking up all NSS data in LDAP, and a set of APIs for external programs to make use of DBIS.  There is a Python and Perl API at present, and I am working on the C API at the moment, so I wanted to kick off this discussion to see what shape the C API should take to best suit sudo.

You can read all about DBIS here: http://dbis.sf.net which also contains links to the related IETF internet drafts and provides download links so you can download it and kick the tyres.
Netservices are defined specifically in section 3.2 here: http://www.ietf.org/id/draft-bannister-dbis-netgroup-05.txt
I have a blog article all about netservices here: http://technicalprose.blogspot.co.uk/2013/08/dbis-introducing-netservices.html

What do you think?  Do you have any questions?  I am aware that the documentation around the subject of netservices could do with some improvement, so I'd be interested to hear if you need more explanation.

Best regards,
Mark Bannister.


NOTICE: Morgan Stanley is not acting as a municipal advisor and the opinions or views contained herein are not intended to be, and do not constitute, advice within the meaning of Section 975 of the Dodd-Frank Wall Street Reform and Consumer Protection Act. If you have received this communication in error, please destroy all electronic and paper copies; do not disclose, use or act upon the information; and notify the sender immediately. Mistransmission is not intended to waive confidentiality or privilege. Morgan Stanley reserves the right, to the extent permitted under applicable law, to monitor electronic communications. This message is subject to terms available at the following link: http://www.morganstanley.com/disclaimers If you cannot access these links, please notify us by reply message and we will send the contents to you. By messaging with Morgan Stanley you consent to the foregoing.

More information about the sudo-workers mailing list