[sudo-workers] Add support for DBIS netservices

Phil Lello phil at dunlop-lello.uk
Wed Aug 19 11:20:19 MDT 2015


Hi Mark,

Is this not already achievable through the plugin API? If I read the code
correctly, the sudoers file is processed by plugins/sudoers, and it's the
exported functions that control access, e.g. the check_policy callback
described at man sudo_plugin. Or is this more a conversation about defining
a standard plugin that will be accepted by core?

Phil

On Wed, Aug 19, 2015 at 10:00 AM, Bannister, Mark <
Mark.Bannister at morganstanley.com> wrote:

> Hi Todd et al,
>
> I'd like to start a discussion about adding support into sudo for a new
> feature that could be used instead of netgroups in a sudo configuration to
> determine who can run sudo and what they can do with it.  Let me explain.
>
> In 2013 I set out to replace RFC2307/RFC2307bis & NIS with a new
> collection of IETF internet drafts - to fix some problems in the original
> LDAP schema and also to add some new features.
>
> One of the new features in DBIS is called 'netservices' and the idea is to
> simplify the way that netgroups are used today.  I have seen several large
> enterprise environments over the past decade with tens of thousands of
> netgroups that are difficult to maintain and even more difficult to audit
> because netgroups are being used to represent not just groups of users or
> hosts (as they were originally intended) but also roles and permissions.
>
> The idea of netservices is to define the roles and permissions in a
> separate hierarchical model that is distinct from netgroups, leaving
> netgroups to do what they do best (grouping together users or hosts).
>
> If sudo were to support netservices, we would need a way in a sudo
> configuration of saying 'if the user has this netservice then they can run
> this task under sudo' or 'if the host has this netservice then sudo is
> allowed or disallowed'.
>
> DBIS is also a user-land caching daemon written in Python that is
> responsible for all communication with LDAP and caching of results, an NSS
> library that uses the caching daemon for looking up all NSS data in LDAP,
> and a set of APIs for external programs to make use of DBIS.  There is a
> Python and Perl API at present, and I am working on the C API at the
> moment, so I wanted to kick off this discussion to see what shape the C API
> should take to best suit sudo.
>
> You can read all about DBIS here: http://dbis.sf.net which also contains
> links to the related IETF internet drafts and provides download links so
> you can download it and kick the tyres.
> Netservices are defined specifically in section 3.2 here:
> http://www.ietf.org/id/draft-bannister-dbis-netgroup-05.txt
> I have a blog article all about netservices here:
> http://technicalprose.blogspot.co.uk/2013/08/dbis-introducing-netservices.html
>
> What do you think?  Do you have any questions?  I am aware that the
> documentation around the subject of netservices could do with some
> improvement, so I'd be interested to hear if you need more explanation.
>
> Best regards,
> Mark Bannister.
>
>
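To make concrete what the two messages above are circling (Phil's point that the check_policy callback of the sudo plugin API is where such a decision would be made, and Mark's desired rule of "if the user has this netservice then they can run this task under sudo"), here is an added example of the decision logic such a policy plugin could wrap. It is not code from sudo, DBIS or either poster. It assumes, hypothetically, that netservice names are '/'-separated hierarchical paths where holding a parent grants everything beneath it (the real encoding is in the draft, not reproduced here), and that a function dbis_user_netservices() stands in for the DBIS C API Mark describes as still in progress; here it reads a constructed in-memory table instead of LDAP.

```c
/*
 * Added example (not sudo, DBIS or either poster's code): the decision logic a
 * sudo policy plugin could apply, granting or denying a command by the
 * netservices a user holds.
 *
 * Assumptions, all hypothetical:
 *   - netservice names are '/'-separated paths (e.g. "sudo/backup"); holding
 *     a parent such as "sudo" grants the whole subtree beneath it.
 *   - dbis_user_netservices() stands in for the DBIS C API still being
 *     written; here it reads a constructed in-memory table, not LDAP.
 *   - a rule table maps each command to the netservice required to run it.
 *
 * In a real plugin, check_policy (see sudo_plugin(8)) would take the user
 * from the "user=" entry of user_info saved by open(), take argv[0] as the
 * command, and call netservice_check_policy() to decide.
 */
#include <stdio.h>
#include <string.h>

#define MAX_SERVICES 8

/* Constructed sample directory standing in for LDAP-backed netservice data. */
struct user_services {
    const char *user;
    const char *services[MAX_SERVICES];   /* NULL-terminated */
};

static const struct user_services sample_directory[] = {
    { "alice", { "sudo/backup", "sudo/web/restart", NULL } },
    { "bob",   { "sudo", NULL } },        /* holds the entire sudo subtree */
    { "carol", { NULL } },                /* holds no netservices at all */
};

/* Hypothetical stand-in for the DBIS C API: the user's netservice list,
 * or NULL when the user is unknown to the directory. */
static const char *const *dbis_user_netservices(const char *user)
{
    for (size_t i = 0; i < sizeof sample_directory / sizeof *sample_directory; i++)
        if (strcmp(sample_directory[i].user, user) == 0)
            return sample_directory[i].services;
    return NULL;
}

/* Command -> required netservice, the role of a sudoers rule here. */
struct rule {
    const char *command;
    const char *required_service;
};

static const struct rule rules[] = {
    { "/usr/bin/rsync",      "sudo/backup" },
    { "/usr/sbin/apachectl", "sudo/web/restart" },
    { "/usr/sbin/reboot",    "sudo/host/reboot" },
};

/* Hierarchical match (assumed semantics): `held` grants `required` when the
 * names are equal or `held` is a complete '/'-delimited prefix of it, so
 * "sudo" grants "sudo/backup" but "sudo/back" does not. */
int netservice_grants(const char *held, const char *required)
{
    size_t n = strlen(held);
    if (strncmp(held, required, n) != 0)
        return 0;
    return required[n] == '\0' || required[n] == '/';
}

/* 1 if any netservice held by `user` satisfies `required`, else 0. */
int user_has_netservice(const char *user, const char *required)
{
    const char *const *held = dbis_user_netservices(user);
    if (held == NULL)
        return 0;
    for (; *held != NULL; held++)
        if (netservice_grants(*held, required))
            return 1;
    return 0;
}

/* Decision for `user` running `command`: 1 = allow, 0 = deny.
 * Deny by default: an unlisted command or a missing netservice both fail. */
int netservice_check_policy(const char *user, const char *command)
{
    for (size_t i = 0; i < sizeof rules / sizeof *rules; i++)
        if (strcmp(rules[i].command, command) == 0)
            return user_has_netservice(user, rules[i].required_service);
    return 0;
}

int main(void)
{
    const char *users[] = { "alice", "bob", "carol", "dave" };
    for (size_t u = 0; u < sizeof users / sizeof *users; u++)
        for (size_t r = 0; r < sizeof rules / sizeof *rules; r++)
            printf("%-6s %-22s %s\n", users[u], rules[r].command,
                   netservice_check_policy(users[u], rules[r].command)
                       ? "allow" : "deny");
    return 0;
}
```

The deny-by-default shape matters more than the table: a user absent from the directory, a user with an empty netservice list, and a command with no rule all fall through to 0, so a lookup failure in the caching daemon can never widen access.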