[Andreas B. Mundt]
> A Role contains:
> - users or groups this role applies to
> - allowed commands
> - machine(s) the role applies to
> - and the userID the commands are executed as
How are the machines the role applies to detected? If it uses the hostname, it is unlikely to work on roaming machines, which might change hostname when they move around.

I suspect we instead want to add sudo rules per machine (as in /etc/sudoers) for some groups (like the admin group) and those allowed to become root on a given machine. This way we can control sudo access via LDAP, but then using group membership. Say something like this:

  +admin                ALL=(ALL) ALL
  +host-<hostname>-admin ALL=(ALL) ALL

This way the users listed as members of the admin and host-<hostname>-admin netgroups are given sudo privileges on the given machine.

Unfortunately, nscd does not cache netgroups, so it might be better to use file groups instead, but then we can't use user names that are as long, and we run into the problem with the 16-group limit in the NFS protocol.

Happy hacking,
--
Petter Reinholdtsen
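As an added example (not code from the post or from Debian Edu), here is a small Python evaluator for the netgroup-based sudoers scheme discussed above. The netgroup triples and sudoers lines are constructed inline, and the expansion of the <hostname> placeholder per machine is an assumption about how the per-host file would be generated; it also shows why a host that roams to another hostname loses its host-specific grants.

```python
"""Evaluate which users get sudo on a host from netgroup-based sudoers lines.

Added example, not from the mailing-list post. Netgroup data and sudoers
lines are constructed inline; a real deployment would read them from LDAP.
"""
import re
from typing import Dict, List, Set, Tuple

# Constructed sample: netgroup name -> list of (host, user, domain) triples,
# the same shape as the NIS/LDAP nisNetgroupTriple attribute.
NETGROUPS: Dict[str, List[Tuple[str, str, str]]] = {
    "admin": [("", "pere", ""), ("", "andi", "")],
    "host-tjener-admin": [("", "bob", "")],
    "host-ltsp01-admin": [("", "carol", "")],
}

# Constructed sudoers lines following the scheme in the post. The
# <hostname> placeholder is assumed to be expanded when the per-machine
# sudoers file is generated (an assumption, not something the post states).
SUDOERS_TEMPLATE = [
    "+admin ALL=(ALL) ALL",
    "+host-<hostname>-admin ALL=(ALL) ALL",
]

# "+netgroup  host=(runas) command" with a netgroup as the user specifier.
RULE_RE = re.compile(
    r"^\+(?P<ng>\S+)\s+(?P<host>\S+)=\((?P<runas>[^)]*)\)\s+(?P<cmd>.+)$"
)


def netgroup_users(name: str) -> Set[str]:
    """Users listed in a netgroup (flat only; nested netgroups not expanded)."""
    return {user for _host, user, _domain in NETGROUPS.get(name, []) if user}


def sudo_users_for_host(hostname: str) -> Dict[str, Set[str]]:
    """Map each user granted sudo on this host to the runas users allowed."""
    granted: Dict[str, Set[str]] = {}
    for template in SUDOERS_TEMPLATE:
        match = RULE_RE.match(template.replace("<hostname>", hostname))
        if not match:
            raise ValueError(f"unparsed sudoers line: {template!r}")
        if match["host"] not in ("ALL", hostname):
            continue  # rule is for another machine
        for user in netgroup_users(match["ng"]):
            granted.setdefault(user, set()).add(match["runas"])
    return granted


if __name__ == "__main__":
    for host in ("tjener", "ltsp01", "laptop-roaming"):
        print(host, sorted(sudo_users_for_host(host)))
```

Running it shows that "bob" has sudo on tjener but not once the same machine shows up as laptop-roaming, which is the roaming-hostname concern raised in the reply.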

