On Fri, Jun 6, 2008 at 11:28 PM, Nicolas Williams <[EMAIL PROTECTED]> wrote:
> On Fri, Jun 06, 2008 at 11:19:21PM +0530, Moinak Ghosh wrote:
>> On Fri, Jun 6, 2008 at 11:09 PM, Philip Brown <[EMAIL PROTECTED]> wrote:
>> > I edit ONE file, and add ONE line.
>> > done.
>> > Also, you can rdist/rsync out a 'global' sudoers file.
>> > Simple, yet very flexible.
>> >
>> > Last time I checked, RBAC was not nearly that simple, and does not lend
>> > itself to scalability of administration across multiple machines. It's a
>> > very "local-only" solution. sudo is *designed to be* a multiple-machine
>> > solution. RBAC does not appear to be so.
>>
>> That I'd say is a misconception. RBAC is also designed for multiple
>> machines. The various configs can be stored in the nameservice database
>> and entries in /etc/nsswitch.conf specify the search order. Somewhat
>> more flexible and integrated than using rsync (and of course scalability
>> of administration is preserved).
>
> Solaris RBAC uses the Solaris name service switch. It supports all
> backends, including 'files' (local), and even 'ldap'.
>
> SUDO supports only 'files' (/etc/sudoers) and 'ldap', though, obviously,
> in neither case does it go through the name service switch. The sudoers
> file format is not as simple to deal with (from an engineer's p.o.v.) as
> RBAC's, whereas the SUDO LDAP schema probably is.
>
> It may be useful to consider adding support to Solaris RBAC for mapping
> sudoers and SUDO LDAP schema onto RBAC concepts. I'm not sure how best
> to do this. And keep in mind that there are some impedance mismatches
> (e.g., SUDO supports command-line glob pattern matching, whereas RBAC
> does not yet) that may have to be smoothed over first.
>
> Alternatively (or additionally) and this may be lots easier, we could
> add Solaris RBAC support to SUDO, so that you get sudoers/LDAP + RBAC
> through SUDO.

To my knowledge this is being worked on between Darren Moffat and the sudo
author. However, it is always nice to have easy interfaces for the native
tools/features in addition to a roundabout route via an external utility.

Regards,
Moinak.

>
> Nico
> --
>
_______________________________________________
pkg-discuss mailing list
[email protected]
http://mail.opensolaris.org/mailman/listinfo/pkg-discuss
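As an added illustration of the name-service point made in the thread (this is not from the thread or from any Solaris shipping file): the nsswitch.conf entries that steer the RBAC databases, plus a constructed profile, role and exec entry. The profile name "Pkg Admin", the role "pkgadm" and the user "alice" are hypothetical; the file formats are those documented in prof_attr(4), exec_attr(4) and user_attr(4).

```text
# /etc/nsswitch.conf (excerpt) -- search order for the RBAC databases.
# "files ldap" consults the local file first, then the directory, so one
# LDAP entry reaches every host while a local file can still override it.
passwd:     files ldap     # user_attr(4) follows the passwd entry
auth_attr:  files ldap
prof_attr:  files ldap     # exec_attr(4) follows the prof_attr entry

# /etc/security/prof_attr -- define the rights profile (hypothetical name).
# Format: profname:res1:res2:description:attributes
Pkg Admin:::Install and update packages with pkg(1):

# /etc/security/exec_attr -- the command the profile grants and the
# credentials it runs with. Format: profname:policy:type:res1:res2:id:attributes
Pkg Admin:solaris:cmd:::/usr/bin/pkg:uid=0

# /etc/user_attr -- a role carrying the profile, and a user allowed to
# assume that role via su(1M). Format: user:qualifier:res1:res2:attributes
pkgadm::::type=role;profiles=Pkg Admin
alice::::type=normal;roles=pkgadm
```

A role's login shell is normally a profile shell (pfsh, pfksh or pfcsh), so after `su pkgadm` the `pkg` command runs with uid 0 exactly as exec_attr specifies, with no sudoers entry involved; the same three records published once in LDAP apply to every host whose switch lists `ldap`.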
