On Fri, Jun 6, 2008 at 3:19 PM, Nicolas Williams
<[EMAIL PROTECTED]> wrote:
>> I've wondered before about using some of the reserved RBAC format fields
>> to implement something like netgroup grouping.
>
> Also, I would like us to have something like Windows' group policy
> objects.  GPOs provide mechanism for changing user authorizations/
> privileges (and other attributes) on a per-host/group of hosts basis.
> GPO host grouping is a simple alternative to netgroups too, though it is
> very LDAP-specific.
>
> Is there any interest in GPO-like functionality?

From your description, it sounds like something that is worth pursuing.

My primary argument for sudo boils down to the fact that rbac has no
notion that machines have roles.  That is, dba's should be able to do
magical things on a database server but not on a web server.
Similarly, someone from the web deployment team should not be able to
control SAN-based copies of databases or backup jobs.  With sudo, I
can create netgroups of web servers, app servers, database servers,
and corresponding netgroups or groups of users.  It is easy - with no
per-host customization - to ensure that everyone has the access they
need.  Most times when a person or a machine comes or goes I do not
have to touch the sudoers file.  The same mechanisms that are used for
controlling login access, limiting which hosts can talk to the ftp
server, etc. also control the privilege escalation mechanism.

My secondary argument for sudo is that it allows me to limit the
command line options that are used.  For example, with rbac I can say
that bob can run rm as webservd (or root, or...).  With sudo I can say
that bob (or all webdudes) can use rm as webservd (or root, or ...) to
delete files under /var/website/oldjunk (but only on the web servers).

-- 
Mike Gerdts
http://mgerdts.blogspot.com/
_______________________________________________
pkg-discuss mailing list
[email protected]
http://mail.opensolaris.org/mailman/listinfo/pkg-discuss
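The two sudoers rules the post contrasts, written out as an added example. This is not code from the original message or from the pkg-discuss project; bob, webdudes, webservd and /var/website/oldjunk are the post's own names, while the netgroup names, the alias names and the DBA command are assumptions made for the example.

```sudoers
# Added example, not from the original post. Assumes NIS/LDAP netgroups
# named webservers, dbservers, webdudes and dbas already exist; sudoers
# refers to a netgroup with a leading "+", to a Unix group with "%".
Host_Alias  WEBSERVERS = +webservers
Host_Alias  DBSERVERS  = +dbservers
User_Alias  WEBDUDES   = +webdudes
User_Alias  DBAS       = +dbas

# Over-broad form, the granularity the post says rbac gives: bob may run
# rm as webservd with any arguments, on every host sharing this file.
# bob ALL = (webservd) /usr/bin/rm

# Scoped form: the web deployment netgroup may remove files under
# /var/website/oldjunk as webservd, and only on the web server netgroup.
# Adding or removing a host or a person is a netgroup change, not an
# edit of this file.
WEBDUDES WEBSERVERS = (webservd) /usr/bin/rm /var/website/oldjunk/*

# Same pattern for the DBAs: root on database servers only. The command
# is a placeholder; substitute whatever the site's DBAs actually run.
DBAS DBSERVERS = (root) /usr/sbin/zfs
```

Check the file with `visudo -c -f <file>` before installing it, and compare `sudo -l -U bob` (run as root) on a web server and on an app server to see the host scoping take effect. One caveat that applies to the scoped rule: sudoers matches command arguments as a single string with shell-style wildcards, and `*` in an argument also matches `/`, so `/var/website/oldjunk/*` still admits `rm /var/website/oldjunk/../../../etc/passwd`. Where that matters, grant a small wrapper script that canonicalizes and checks the path, and let the wrapper call rm, rather than exposing rm with a wildcard argument.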