[sudo-workers] Policy Plugins

Michael horse_dung at hotmail.com
Fri May 6 04:40:42 MDT 2016

I'm wondering why we can only have a single policy plugin?  Are there any issues with having multiple plugins defined?  I see a few obvious options:

1. Explicit authorisation from any plugin

This is probably the most commonly expected behaviour.  Each policy plugin is tried in the order they appear in the configuration file.  If a plugin allows the command then it is executed and searching stops.  This would allow a break glass configuration of sudoers rules and an enterprise policy plugin that uses a centralised policy server etc.

2. Explicit authorisation from all plugins

Each policy plugin is tried in the order they appear in the configuration file.  If any plugin disallows the command then it is not executed.  This could be used to provide enhanced authentication requirements.  A plugin could determine if/when additional authentication is required and challenge for it, but leaving the general policy requirements to another plugin.  (For example, a simple plugin could be written that challenges a user for their Google Authenticator code)

3. Explicit authorisation from any plugin with opportunity for explicit deny from any plugin

Much like 1 except after the first plugin that is willing to allow the command is successful all plugins are then re-checked to make sure none of them explicitly deny the command.  This would probably need a new interface / method to be called so the plugin name, the pre and post command/environment etc can be passed.  This would be more flexible as it provides the ability to deny commands based on policy rather than just allow them.

1 + 2 would be quite simple to implement.  I am willing to help do that assuming people see some value in it and I've not missed some long debate on this topic?

Thanks, Mike
