Archive for March 26th, 2007
Most people who use *nix systems are probably familiar with sudo. At a customer I’ve been working for there used to be a vast machine park with sudo installations, all slightly different in configuration. Maintaining these configurations was not an easy task. Enter LDAP. Using LDAP for storing the sudo configuration we can now have a single point for configuring sudo, with instant updates on all machines.
I’ll explain what needs to be done to ldap-i-fy your sudo configuration below.
Put the following schema in your ldap config
attributeTypes: ( 126.96.36.199.4.1.159188.8.131.52 NAME 'sudoUser' DESC 'User(s) who may run sudo' EQUALITY caseExactIA5Match SUBSTR caseExactIA5SubstringsMatch SYNTAX 184.108.40.206.4.1.14220.127.116.11.26 X-ORIGIN 'SUDO' )
attributeTypes: ( 18.104.22.168.4.1.15922.214.171.124 NAME 'sudoHost' DESC 'Host(s) who may run sudo' EQUALITY caseExactIA5Match SUBSTR caseExactIA5SubstringsMatch SYNTAX 126.96.36.199.4.1.14188.8.131.52.26 X-ORIGIN 'SUDO' )
attributeTypes: ( 184.108.40.206.4.1.159220.127.116.11 NAME 'sudoCommand' DESC 'Command(s) to be executed by sudo' EQUALITY caseExactIA5Match SYNTAX 18.104.22.168.4.1.1422.214.171.124.26 X-ORIGIN 'SUDO' )
attributeTypes: ( 126.96.36.199.4.1.159188.8.131.52 NAME 'sudoRunAs' DESC 'User(s) impersonated by sudo' EQUALITY caseExactIA5Match SYNTAX 184.108.40.206.4.1.14220.127.116.11.26 X-ORIGIN 'SUDO' )
attributeTypes: ( 18.104.22.168.4.1.15922.214.171.124 NAME 'sudoOption' DESC 'Options(s) followed by sudo' EQUALITY caseExactIA5Match SYNTAX 126.96.36.199.4.1.14188.8.131.52.26 X-ORIGIN 'SUDO' )
objectClasses: ( 184.108.40.206.4.1.159220.127.116.11 NAME 'sudoRole' SUP top STRUCTURAL DESC 'Sudoer Entries' MUST ( cn ) MAY ( sudoUser $ sudoHost $ sudoCommand $ sudoRunAs $ sudoOption $ description ) X-ORIGIN 'SUDO' )
Restart your ldap server(s) to include the schema
Build sudo with the configure options ‘–with-ldap=<path$gt;’ and –with-ldap-conf-file=/etc/sudo.ldap
Put new sudo binaries on your system(s)
Create /etc/sudo.ldap with the following contents, replacing the ip’s and dc’s
host 10.20.30.40 10.20.30.50
Create an ldif file with your sudo config (see below for an example)
description: SUDO Configuration Subtree
description: Default sudoOption’s
description: Allowed without password for ALL users
The first block of code contains the container for the rest of the sudo configuration, just leave this as-is. The second block contains the default options for sudo. Configure these to your liking, they are the same as for the non-ldap config, and are documented in the manual-page.
The third code-block lists a sample sudo rule. Repeat these as often as needed. The fields ‘sudohost’, ‘sudocommand’ and ‘sudouser’ are required, ‘sudooption’ is optional, and can override the defaults specified above.
Sudocommand should be repeated for every single executable (or use wildcards, not recommended) you want to enable via sudo. Sudouser can take regular usernames, or unix-group names when prefixed by a percent sign (%).
Please note that although commands can be negated (!/some/binary) there are work-arounds, so please think before acting. Users and Hosts can NOT be negated using ldap-configs… this is a current limitation.
I read this article today about a guy who managed to get Windows Vista and MS-Works refunded for his new Dell PC… All it took was a single e-mail (and a few followups for details). So I think it’s time to try this in the Netherlands too. All in all it adds up to about 77 euro’s… which is nice considering some PC’s and laptops start at 500