On Fri 31 Mar 2023 09:41:16 +0200, Marc Haber wrote:
> Please add your reasons to this bug, so that the sudo maintainers can
> properly consider the reasons in their decision.
I personally DON'T need sudo-ldap anymore.
1. I ran sudo-ldap + slapd on an Ubuntu 10.04 farm until 2022.
It was mainly for things like "sudo eject" (back when blank CDs were
expensive, and HAL was still a thing) and
"sudo ldapadduser" (to let managers onboard staff & create mailing lists
without sysadmin help).
I was planning to replace it with a "pure" samba AD stack, but the
Windows-iness just got Too Hard, so
I ended up going back to plain /etc/shadow and /etc/sudoers.d, now managed
by ansible.
2. I set up sssd in 2022 at another site, on SLES 12, aimed at a Windows AD
stack.
I wasn't allowed to use sssd for sudo, though, so that site is still using
sudoers.d (also via ansible).
It wasn't clear if sssd-sudo required me to add additional schemata to AD,
like sudoers-ldap does.
If NOT, that would definitely be an advantage for sssd-ldap over sudo-ldap
:-)
3. I run de Jong's libnss-ldapd / libpam-ldapd at another site, and it works
well there, but again,
the sudo rules are simple enough they get hard-coded into sudoers.d.
I like https://manpages.debian.org/slapo-ppolicy.
4. For automated machine-to-machine jobs (e.g. zfs send/receive) I prefer to
skip sudo altogether.
For example, I now use https://manpages.debian.org/zfs-allow to let a
non-root system user
"zfs-receive-trinity" have permission to mess with ZFS dataset
"morpheus/srv/backup/trinity".
I've been thinking about https://archive.org/details/lca2020-Zero_Trust_SSH
but
right now I'm still just using Ed25519 keypairs for everything.
5. One thing I do really appreciate is that the sudoers.ldap objects
are MUCH easier to understand than an equivalent sudoers.d config file.
dn: cn=responsible,ou=groups,o=cyber
objectClass: posixGroup
description: Staff responsible for OUR systems and networks.
description: I often reflect that if "privileges" had been called
"responsibilities" or "duties", I would have saved thousands of hours
explaining to people why they were only gonna get them over my dead body. --
Lee K. Gleason, VMS sysadmin
gidNumber: 2049
memberUID: twb
memberUID: REDACTED
dn: cn=defaults,ou=sudoers,o=cyber
objectClass: sudoRole
sudoOption: always_set_home
sudoOption: env_reset
sudoOption: ignore_dot
sudoOption: ignore_local_sudoers
sudoOption: insults
sudoOption: !setenv
sudoOption: set_logname
dn: cn=%responsible,ou=sudoers,o=cyber
objectClass: sudoRole
sudoUser: %responsible
sudoHost: ALL
sudoRunAsUser: ALL
sudoRunAsGroup: ALL
sudoCommand: ALL
sudoOption: !authenticate
dn: cn=bbq,ou=sudoers,o=cyber
description: Staff need this to burn CDs and DVDs on BBQ.
objectClass: sudoRole
sudoUser: %cyber
sudoHost: bbq
sudoRunAsUser:
sudoRunAsGroup: cdrom
sudoCommand: /usr/bin/wodim
sudoCommand: /usr/bin/cdrecord
sudoOption: noexec
When I read an /etc/sudoers.d/ugh.conf I often start by reading
https://manpages.debian.org/sudoers.ldap just so I don't go mad.
If sudo could have the sudo-ldap format in flat file, I'd be happier.
At least in cases when I have more than "%sudo (ALL:ALL) NOPASSWD: ALL".
As an analogy, consider how much nicer it is now we can use
/etc/apt/sources.list.d/debian.sources (deb822 format)
instead of the old
/etc/apt/sources.list.d/debian.list(legacy format)