On Fri, Jun 06, 2008 at 11:19:21PM +0530, Moinak Ghosh wrote:
> On Fri, Jun 6, 2008 at 11:09 PM, Philip Brown <[EMAIL PROTECTED]> wrote:
> > I edit ONE file, and add ONE line.
> > done.
> > Also, you can rdist/rsync out a 'global' sudoers file.
> > Simple, yet very flexible.
> >
> > Last time I checked, RBAC was not nearly that simple, and does not lend
> > itself to scalability of administration across multiple machines. It's a
> > very "local-only" solution. sudo is *designed to be* a multiple-machine
> > solution. RBAC does not appear to be so.
>
> That I'd say is a misconception. RBAC is also designed for multiple
> machines. The various configs can be stored in the nameservice database
> and entries in /etc/nsswitch.conf specify the search order. Somewhat
> more flexible and integrated than using rsync (and of course scalability
> of administration is preserved).
Solaris RBAC uses the Solaris name service switch. It supports all
backends, including 'files' (local), and even 'ldap'. SUDO supports only
'files' (/etc/sudoers) and 'ldap', though, obviously, in neither case does
it go through the name service switch.

The sudoers file format is not as simple to deal with (from an engineer's
p.o.v.) as RBAC's, whereas the SUDO LDAP schema probably is.

It may be useful to consider adding support to Solaris RBAC for mapping
sudoers and SUDO LDAP schema onto RBAC concepts. I'm not sure how best to
do this. And keep in mind that there are some impedance mismatches (e.g.,
SUDO supports command-line glob pattern matching, whereas RBAC does not
yet) that may have to be smoothed over first.

Alternatively (or additionally), and this may be lots easier, we could add
Solaris RBAC support to SUDO, so that you get sudoers/LDAP + RBAC through
SUDO.

Nico
--

_______________________________________________
pkg-discuss mailing list
[email protected]
http://mail.opensolaris.org/mailman/listinfo/pkg-discuss
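To make the "impedance mismatch" point concrete, here is an added example (editor's illustration, not code from the thread or from Solaris or sudo) that takes the simplest form of a sudoers entry, `user host = (runas) /full/path/cmd [args]`, and emits the corresponding Solaris RBAC database lines: a prof_attr(4) profile per user, one exec_attr(4) entry per command, and a user_attr(4) assignment. It refuses command specs containing glob metacharacters, because exec_attr matches an exact path, and it reports the other things that do not carry across (host restrictions and argument restrictions). The sample sudoers text and the "Sudo <user>" profile naming are constructed for the example.

```python
"""Map simple sudoers rules onto Solaris RBAC database entries (added example).

Assumptions (not from the thread): only the basic sudoers rule form
    user host = (runas) [TAG:] /full/path/cmd [args]
is handled; Defaults lines, aliases and includes are out of scope.
"""
import re
from dataclasses import dataclass

GLOB_CHARS = set("*?[")  # exec_attr has no pattern matching; these cannot be expressed

# Constructed sample sudoers content for the example; not taken from any real host.
SAMPLE_SUDOERS = """\
# constructed example
Defaults env_reset
alice ALL = (root) /usr/sbin/lpadmin
bob   ALL = (root) NOPASSWD: /usr/sbin/svcadm restart cron
carol ALL = (root) /usr/bin/*
"""

RULE_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>\S+)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?"
    r"(?:(?:NOPASSWD|PASSWD|NOEXEC|SETENV):\s*)*(?P<cmd>.+?)\s*$"
)


@dataclass
class SudoRule:
    user: str
    host: str
    runas: str
    command: str


def parse_sudoers(text):
    """Parse the basic rule form; skip comments, blank lines and Defaults."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line.startswith("Defaults"):
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f"unsupported sudoers syntax: {line}")
        rules.append(SudoRule(m["user"], m["host"], m["runas"] or "root", m["cmd"]))
    return rules


def map_to_rbac(rules):
    """Emit prof_attr/exec_attr/user_attr lines and a list of mismatch warnings.

    Line formats follow the Solaris databases:
      prof_attr: name:res1:res2:desc:attr
      exec_attr: name:policy:type:res1:res2:id:attr
      user_attr: user:qualifier:res1:res2:attr
    """
    prof_attr, exec_attr, user_attr, warnings = [], [], [], []
    by_user = {}
    for r in rules:
        by_user.setdefault(r.user, []).append(r)
    for user, user_rules in by_user.items():
        profile = f"Sudo {user}"  # constructed profile name
        prof_attr.append(f"{profile}:::Mapped from sudoers (constructed example):")
        user_attr.append(f"{user}::::profiles={profile}")
        for r in user_rules:
            parts = r.command.split()
            path = parts[0]
            if GLOB_CHARS & set(r.command):
                warnings.append(f"{user}: glob pattern '{r.command}' cannot be expressed in exec_attr; skipped")
                continue
            if not path.startswith("/"):
                warnings.append(f"{user}: exec_attr needs a full path, got '{path}'; skipped")
                continue
            if r.host != "ALL":
                warnings.append(f"{user}: host restriction '{r.host}' has no exec_attr equivalent")
            if len(parts) > 1:
                warnings.append(f"{user}: argument restriction '{' '.join(parts[1:])}' is not enforced by exec_attr")
            # uid= sets both real and effective uid, which is what sudo's (runas) does.
            exec_attr.append(f"{profile}:solaris:cmd:::{path}:uid={r.runas}")
    return {"prof_attr": prof_attr, "exec_attr": exec_attr,
            "user_attr": user_attr, "warnings": warnings}


if __name__ == "__main__":
    out = map_to_rbac(parse_sudoers(SAMPLE_SUDOERS))
    for db in ("prof_attr", "exec_attr", "user_attr"):
        print(f"# {db}")
        print("\n".join(out[db]))
    print("# warnings")
    print("\n".join(out["warnings"]))
```

Run it and the carol line is reported rather than silently widened to a profile covering all of /usr/bin, and bob's `restart cron` arguments are flagged as unenforced; those are exactly the cases a migration would have to smooth over by hand. The three databases it emits are the ones the name service switch consults through the `prof_attr`, `exec_attr` and `user_attr` entries in /etc/nsswitch.conf, which is what lets the same entries serve many machines from LDAP.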
