[PLUG] sudoers confusion

Anderson, Robert H - MWT Anderson.Robert at menlolog.com
Wed Nov 26 13:37:02 UTC 2003


In many environments there are several boxes that the same group of users
use for, say, development lifecycle. You might have a dev, test, and
production box, all with the same sudoers file. If you version your sudoers
file, which is a good idea, you would benefit from having it all in one file
because you would have one place to look for things and one place to make
changes. You could keep your servers in sync with this file by implementing
an automated deployment process. If you use CVS, perhaps you would use the
loginfo file in CVSROOT to kick off the automated deployment process each
time the sudoers file is updated.

-Rob Anderson

>-----Original Message-----
>From: Brian Quade [mailto:serendipity at pobox.com] 
>Sent: Wednesday, November 26, 2003 9:46 AM
>To: plug at lists.pdxlinux.org
>Subject: Re: [PLUG] sudoers confusion
>
>
>Using the same sudoers file for every host on a network seems like a bad 
>approach to me.  It's just like the DNS problem.  DNS servers exist 
>because static hosts files are not adequate to answer queries for a 
>whole network because they become outdated over time.  But sudoers is 
>not a server, it is just a static local file, so it doesn't really 
>provide information for the entire network, only for individual hosts. 
>So if sudoers permissions change, then the sys admin would have no 
>choice but to copy the global sudoers file to every host on the network 
>again.  This just puts a bunch of information on each host, most of 
>which has nothing to do with those hosts.  I can't see any benefit to 
>that.  Does anyone know of a reason why I might not want to create a 
>unique sudoers file for every host on my network and maintain them 
>separately?
>
>
>
>Steve Bonds wrote:
>
>>On Tue, 25 Nov 2003, Brian Quade serendipity-at-pobox.com |PDX Linux| 
>>wrote:
>>
>>>How can a sudoers file on one machine control permissions for other 
>>>machines on the network?
>>>
>>
>>It can't.  More below...
>>
>>>Isn't it true that if I try to execute some commands on another host, 
>>>it would be that other host that determines my permissions, not the 
>>>sudoers file on my machine or any other host on the network?
>>>
>>
>>Yes.
>>
>>>I guess my main question is: Does a sudoers file only determine 
>>>permissions for users executing commands on the host where the sudoers 
>>>file exists,
>>>
>>
>>Yes.
>>
>>>or does it only determine permissions for users who are logged into 
>>>the host where the sudoers file is,
>>>
>>
>>Isn't this the same question as before or did I misunderstand you?  
>>Sudo only controls execution of commands so the login vs. execute 
>>distinction doesn't apply.
>>
>>>or can it determine permissions for machines that the user is neither 
>>>logged into nor trying to execute commands on?
>>>
>>
>>Only if the sudoers file exists on that system too.
>>
>>The reason hostnames exist in the sudoers file is so the exact same 
>>file can be copied to many systems.  If the hostname entry in the 
>>sudoers file doesn't match the local host name, that entry is ignored.
>>
>>For example in this hypothetical sudoers file:
>>
>>----- /etc/sudoers
>>bigadmin ALL=(ALL) ALL
>>midadmin host01,host02=(ALL) ALL
>>smalladmin host01=(ALL) ALL
>>-----
>>
>>This file has been copied to /etc/sudoers on host01, host02, and host03.
>>
>>On host01, all three users can run any command as any user.  On host02, 
>>only midadmin and bigadmin can run any command.  Smalladmin has no 
>>capabilities at all when running sudo on host02.  On host03, only 
>>bigadmin can run commands via sudo.
>>
>>The sudo documentation does a poor job of explaining this.
>>
>>  -- Steve
>>
>>_______________________________________________
>>PLUG mailing list
>>PLUG at lists.pdxlinux.org 
>>http://lists.pdxlinux.org/mailman/listinfo/plug
>>
>
>
>
>
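The two positions in this thread, Rob's single versioned sudoers file deployed everywhere and Steve's explanation that sudo silently ignores entries whose host list does not name the local machine, can be checked against each other with a small simulator. The following Python is an added example written for this archive page; it is not code from the thread, from the sudo project, or from any of the posters. It parses only the simplified one-line grammar used in Steve's hypothetical file (`user hostlist=(runas) commands`, with `ALL` as a wildcard), not the full sudoers syntax (aliases, Defaults, netgroups, wildcards), and the sample file embedded in it is a constructed copy of the one quoted above. `effective_entries` reproduces the hostname filter Steve describes, and `ignored_entries` lists exactly the "information that has nothing to do with those hosts" Brian objects to, which is a useful audit to run on each box after an automated deployment.

```python
"""Simulate how sudo selects sudoers entries by local hostname.

Added example for the PLUG 'sudoers confusion' thread; not code from the
sudo project.  Supports only the simplified grammar used in the thread:
    user  host1,host2=(runas) command
with ALL as a wildcard for hosts, runas users and commands.
"""
import re
from dataclasses import dataclass

# Constructed sample: the hypothetical /etc/sudoers quoted in the thread,
# deployed unchanged to host01, host02 and host03.
SAMPLE_SUDOERS = """\
# /etc/sudoers (same copy on every host)
bigadmin   ALL=(ALL) ALL
midadmin   host01,host02=(ALL) ALL
smalladmin host01=(ALL) ALL
"""

# user, comma-separated host list, optional (runas), command list
ENTRY_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<hosts>[^=\s]+)\s*=\s*"
    r"(?:\((?P<runas>[^)]*)\)\s*)?(?P<cmds>.+)$"
)


@dataclass
class Entry:
    user: str
    hosts: list
    runas: str
    commands: str


def parse_sudoers(text):
    """Parse the simplified sudoers grammar into Entry records."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        m = ENTRY_RE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: cannot parse {raw!r}")
        entries.append(Entry(
            user=m["user"],
            hosts=[h.strip() for h in m["hosts"].split(",")],
            runas=(m["runas"] or "root").strip(),  # sudo's default runas
            commands=m["cmds"].strip(),
        ))
    return entries


def host_matches(entry, hostname):
    """An entry applies when its host list is ALL or names this host."""
    return "ALL" in entry.hosts or hostname in entry.hosts


def effective_entries(entries, hostname):
    """Entries sudo would honour on `hostname`; all others are ignored."""
    return [e for e in entries if host_matches(e, hostname)]


def ignored_entries(entries, hostname):
    """Entries present in the file but inert on `hostname` (audit view)."""
    return [e for e in entries if not host_matches(e, hostname)]


def privileged_users(entries, hostname):
    """Users with at least one applicable entry on `hostname`, sorted."""
    return sorted({e.user for e in effective_entries(entries, hostname)})


def can_run(entries, hostname, user):
    """True if `user` has any sudo capability at all on `hostname`."""
    return any(e.user == user for e in effective_entries(entries, hostname))


def per_host_matrix(entries, hostnames):
    """Map each hostname to the users sudo would grant something to."""
    return {h: privileged_users(entries, h) for h in hostnames}


if __name__ == "__main__":
    parsed = parse_sudoers(SAMPLE_SUDOERS)
    for host in ("host01", "host02", "host03"):
        users = privileged_users(parsed, host)
        inert = [e.user for e in ignored_entries(parsed, host)]
        print(f"{host}: sudo users={users or '(nobody)'} inert entries for={inert}")
```

Running it prints host01 with all three users, host02 with bigadmin and midadmin, and host03 with bigadmin alone, matching Steve's walkthrough; the inert-entry column is what a per-host audit would flag if you adopt Rob's one-file deployment.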