Recipe 5.6 Authorizing per Host in sudo

5.6.1 Problem

You want to allow a user authorization privileges only on certain machines.

5.6.2 Solution

First, define a list of machines:

/etc/sudoers: Host_Alias  SAFE_HOSTS = avocado, banana, cherry

Let smith run a program as jones on these machines:

smith  SAFE_HOSTS = (jones) /usr/local/bin/mycommand

Let smith run all programs as jones on these machines:

smith  SAFE_HOSTS = (jones) ALL

As an alternative, you can define a netgroup, in the /etc/netgroup file:

safe-hosts (avocado,-,-) (banana,-,-) (cherry,-,-)

Then use the netgroup in the /etc/sudoers file, with the "+" prefix:

Host_Alias  SAFE_HOSTS = +safe-hosts

You can also use the netgroup in place of the host alias:

smith  +safe_hosts = (jones) ALL

5.6.3 Discussion

This recipe assumes you have centralized your sudo configuration: the same sudoers file on all your computers. If not, you could grant per-machine privileges by installing a different sudoers file on each machine.

Netgroups can be useful for centralization if they are implemented as a shared NIS database. In that case, you can update the machines in netgroups without changing your /etc/sudoers files.

The host alias is optional but helpful for organizing your sudoers file, so you needn't retype the set of hostnames repeatedly.

As another example, you could let users administer their own machines but not others:

/etc/sudoers: bob bobs_machine = ALL gert gerts_machine = ALL ernie ernies_machine = ALL

(Though this is perhaps pointless infrastructure, since ALL would permit these people to modify their /etc/sudoers file and their root password.)

5.6.4 See Also

sudo(8), sudoers(5).



Linux Security Cookbook
Linux Security Cookbook
ISBN: 0596003919
EAN: 2147483647
Year: 2006
Pages: 247

flylib.com © 2008-2017.
If you may any questions please contact us: flylib@qtcs.net