
List:       sudo-workers
Subject:    [sudo-workers] Using sudo to create roles.....
From:       "Parker, Michael D." <Michael.D.Parker () ga ! com>
Date:       2016-06-23 18:58:47
Message-ID: 2ba6e81b856c4bd4870aa4828693c6bb () ASGEXCPWP01 ! ga ! com
[Download RAW message or body]

I've run into an interesting situation that sudo almost covers.

I was planning on establishing roles using groups, with group passwords, and due to project restrictions I cannot use the NOPASSWD: option for a group.

I was thinking further it might be an interesting idea if sudo syntax and processing could be extended so that for any given line an option is provided as to which user/group account password is used to authenticate the transaction. Right now it is restricted to either the user password or the root password, and this setting is of global scope. What is needed is something scoped to the specific sudo line.

The extension of the line syntax could be something like the following, but I can see other alternatives as well:

                username           ALL=(ALL) USEUSERPW:rolemaster /usr/bin/someapp
                username           ALL=(ALL) USEGROUPPW:grouprole /usr/bin/someotherapp

This type of change would make it a lot easier to configure special privs on a role-based model from what I can see.

Is this on the change list or even under consideration?

***** ***** *****
Michael D. Parker
General Atomics - EMS
Michael.d.parker@ga.com  <<<<< NOTE: Remember to include my middle initial >>>>>
+1 858 964 6675 / Office 86-1319  <<<<< NOTE: New Office Location >>>>>
16969 Mesamint Street / San Diego / CA / 92127
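The per-line password scoping sketched in the post above, as an added example that is not part of the original message or of sudo itself: a small Python parser for simplified sudoers rules that accepts the hypothetical USEUSERPW:/USEGROUPPW: tags and reports which account's or group's password a rule would require. The rule grammar, the tag names and the rootpw flag are assumptions modelled on the proposal, not real sudo behaviour.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Simplified sudoers user specification:  user  host=(runas)  [TAG:...] command
# USEUSERPW:<user> and USEGROUPPW:<group> are the hypothetical per-line tags
# from the proposal, not real sudo syntax (assumption for this example).
_SPEC = re.compile(r"^(?P<user>\S+)\s+(?P<host>\S+)=\((?P<runas>[^)]*)\)\s+(?P<rest>.+)$")
_TAG = re.compile(r"^(?P<tag>[A-Z]+):(?P<arg>\S*)\s*")


@dataclass
class Rule:
    user: str
    host: str
    runas: str
    command: str
    auth_kind: str             # "user", "group" or "none"
    auth_name: Optional[str]   # account or group whose password is required


def parse_rule(line: str, rootpw: bool = False) -> Rule:
    """Parse one rule and decide whose password would authenticate it.

    Without a tag the choice is global, as in sudo today: the invoking user's
    password, or root's when the rootpw flag is set.  A USEUSERPW: or
    USEGROUPPW: tag overrides that choice for this one line only.
    """
    m = _SPEC.match(line.strip())
    if not m:
        raise ValueError(f"unparseable rule: {line!r}")
    rest = m.group("rest")
    auth_kind, auth_name = "user", ("root" if rootpw else m.group("user"))
    while (t := _TAG.match(rest)):
        tag, arg = t.group("tag"), t.group("arg")
        if tag == "USEUSERPW":
            auth_kind, auth_name = "user", arg
        elif tag == "USEGROUPPW":
            auth_kind, auth_name = "group", arg
        elif tag == "NOPASSWD":
            auth_kind, auth_name = "none", None
        elif tag != "PASSWD":          # PASSWD: keeps the current choice
            raise ValueError(f"unknown tag {tag!r} in {line!r}")
        rest = rest[t.end():]
    return Rule(m.group("user"), m.group("host"), m.group("runas"),
                rest.strip(), auth_kind, auth_name)


if __name__ == "__main__":
    r = parse_rule("username ALL=(ALL) USEUSERPW:rolemaster /usr/bin/someapp")
    print(f"{r.command}: password of {r.auth_kind} {r.auth_name}")
```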




