[BTW, pkg-discuss seems like the wrong list to discuss sudo on. security-discuss and sysadmin-discuss seem more appropriate. For now I'm cc'ing sysadmin-discuss and setting reply-to to keep the thread here.]

On Fri, Jun 06, 2008 at 01:14:52PM -0500, Nicolas Williams wrote:
> On Fri, Jun 06, 2008 at 11:07:57AM -0700, Philip Brown wrote:
> > With sudo, you can have a single global file across 10 machines, that
> > allows certain users elevated privileges on 2 out of the 10 machines,
> > without changing anything locally on those 2 machines. All 10 machines
> > can be 100% identical in other respects.
> >
> > How can you do that with RBAC?
>
> You can't do exactly that with RBAC. You have to visit those two
> machines.
>
> I've wondered before about using some of the reserved RBAC format fields
> to implement something like netgroup grouping.

Also, I would like us to have something like Windows' group policy objects. GPOs provide a mechanism for changing user authorizations/privileges (and other attributes) on a per-host/group of hosts basis. GPO host grouping is a simple alternative to netgroups too, though it is very LDAP-specific.

Is there any interest in GPO-like functionality?

Nico
