[sudo-workers] Using sudo to create roles.....

Parker, Michael D. Michael.D.Parker at ga.com
Thu Jun 23 12:58:47 MDT 2016


I've run into an interesting situation that sudo almost covers.

I was planning on establishing roles using groups, with group passwords, and due to project restrictions I cannot use the NOPASSWD: option for a group.

I was thinking further it might be an interesting idea if sudo syntax and processing could be extended so that for any given line an option is provided as to which user/group account password is used to authenticate the transaction.  Right now it is restricted to either the user password or the root password and this setting is of global scope.  What is needed is something scoped to the specific sudo line.

The extension of the line syntax could be something like the following, but I can see other alternatives as well:

                username           ALL=(ALL) USEUSERPW:rolemaster /usr/bin/someapp
                username           ALL=(ALL) USEGROUPPW:grouprole /usr/bin/someotherapp

This type of change would make it a lot easier to configure special privs on a role based model from what I can see.

Is this on the change list or even under consideration?

***** ***** *****
Michael D. Parker
General Atomics - EMS
Michael.d.parker at ga.com  <<<<< NOTE: Remember to include my middle initial >>>>>
+1 858 964 6675 / Office 86-1319 <<<<< NOTE: New Office Location >>>>>
16969 Mesamint Street / San Diego / CA / 92127
