[PLUG] sudoers confusion

Brian Quade serendipity at pobox.com
Wed Nov 26 09:50:29 UTC 2003


Using the same sudoers file for every host on a network seems like a bad 
approach to me.  It's just like the DNS problem.  DNS servers exist 
because static hosts files are not adequate to answer queries for a 
whole network because they become outdated over time.  But sudoers is 
not a server, it is just a static local file, so it doesn't really 
provide information for the entire network, only for individual hosts. 
So if sudoers permissions change, then the sys admin would have no 
choice but to copy the global sudoers file to every host on the network 
again.  This just puts a bunch of information on each host, most of 
which has nothing to do with those hosts.  I can't see any benefit to 
that.  Does anyone know of a reason why I might not want to create a 
unique sudoers file for every host on my network and maintain them 
separately?



Steve Bonds wrote:

>On Tue, 25 Nov 2003, Brian Quade serendipity-at-pobox.com |PDX Linux| wrote:
>
>>How can a sudoers file on one machine control permissions for
>>other machines on the network?
>>
>
>It can't.  More below...
>
>>Isn't it true that if I try to execute some commands on another host, it
>>would be that other host that determines my permissions, not the sudoers
>>file on my machine or any other host on the network?
>>
>
>Yes.
>
>>I guess my main question is: Does a sudoers file only determine
>>permissions for users executing commands on the host where the sudoers
>>file exists,
>>
>
>Yes.
>
>>or does it only determine permissions for users who are logged into the
>>host where the sudoers file is,
>>
>
>Isn't this the same question as before or did I misunderstand you?  Sudo
>only controls execution of commands so the login vs. execute distinction
>doesn't apply.
>
>>or can it determine permissions for machines that the user is neither
>>logged into nor trying to execute commands on?
>>
>
>Only if the sudoers file exists on that system too.
>
>The reason hostnames exist in the sudoers file is so the exact same file
>can be copied to many systems.  If the hostname entry in the sudoers file
>doesn't match the local host name, that entry is ignored.
>
>For example in this hypothetical sudoers file:
>
>----- /etc/sudoers
>bigadmin ALL=(ALL) ALL
>midadmin host01,host02=(ALL) ALL
>smalladmin host01=(ALL) ALL
>-----
>
>This file has been copied to /etc/sudoers on host01, host02, and host03.
>
>On host01, all three users can run any command as any user.  On host02,
>only midadmin and bigadmin can run any command.  Smalladmin has no
>capabilities at all when running sudo on host02.  On host03, only bigadmin
>can run commands via sudo.
>
>The sudo documentation does a poor job of explaining this.
>
>  -- Steve
>
>_______________________________________________
>PLUG mailing list
>PLUG at lists.pdxlinux.org
>http://lists.pdxlinux.org/mailman/listinfo/plug
>
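The host-matching rule Steve describes, worked through as an added example (not code from the thread or from sudo itself): a toy evaluator that reads a constructed sudoers file with the same three entries and reports, for a given local hostname, which entries are live. It handles only the `user host=(runas) command` shape shown above; aliases, Defaults lines, netgroups, wildcards and negation are assumed absent.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed sudoers text mirroring the hypothetical file in the thread.
SUDOERS_TEXT = """\
bigadmin ALL=(ALL) ALL
midadmin host01,host02=(ALL) ALL
smalladmin host01=(ALL) ALL
"""

# Minimal subset of the sudoers grammar: user, comma-separated host list,
# runas spec in parentheses, then the command list.  Not a full parser.
LINE_RE = re.compile(r"^(\S+)\s+([^=\s]+)\s*=\s*\(([^)]*)\)\s*(.+)$")


def parse_sudoers(text: str) -> List[Tuple[str, Set[str], str, str]]:
    """Return (user, hosts, runas, commands) tuples, skipping blanks/comments."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unsupported sudoers line: {raw!r}")
        user, hosts, runas, cmds = m.groups()
        entries.append((user, {h.strip() for h in hosts.split(",")}, runas, cmds))
    return entries


def entry_applies(hosts: Set[str], local_hostname: str) -> bool:
    """An entry is live only if its host list is ALL or names this host."""
    return "ALL" in hosts or local_hostname in hosts


def effective_users(text: str, local_hostname: str) -> Dict[str, str]:
    """Map user -> '(runas) commands' for entries matching local_hostname.
    Entries naming other hosts are ignored, which is the point of the thread."""
    result: Dict[str, str] = {}
    for user, hosts, runas, cmds in parse_sudoers(text):
        if entry_applies(hosts, local_hostname):
            result[user] = f"({runas}) {cmds}"
    return result


if __name__ == "__main__":
    for host in ("host01", "host02", "host03"):
        print(host, effective_users(SUDOERS_TEXT, host))
```

Running it prints three users for host01, two for host02 and only bigadmin for host03, matching Steve's walkthrough.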