
Centralised Sudo

  • 29-11-2007 11:11am
    #1
    Registered Users, Registered Users 2 Posts: 2,621 ✭✭✭


    Hey guys,

    Looking to create a centralised sudoers file for a good few RHEL machines. The one option I am looking at is

    Using an nfs share, problem is that I need to point sudo to the new sudoers file on /usr/local, instead of /etc/sudoers, any solutions welcome.

    If anyone can think of a better way, would be glad to hear it.

    Thanks!


Comments

  • Moderators, Music Moderators Posts: 23,363 Mod ✭✭✭✭feylya


    What about replacing /etc/sudoers with a link to /usr/local?


  • Registered Users, Registered Users 2 Posts: 2,621 ✭✭✭GreenHell


    Tried that, didn't like it one bit.


  • Registered Users, Registered Users 2 Posts: 37,485 ✭✭✭✭Khannie


    I'd say sudo is (correctly) set up to piss in its knickers if the file is a link.

    Off the top of my head you could:
    - edit: just thought of this one, but it's probably easiest: have a cron on each box that copies the sudoers file from /usr/local... to /etc if it changes.
    - compile your own hacked version of sudo which points to a different file than /etc/sudoers (this could be a makefile option)
    - mount a "bind" in fstab for /etc that points to another directory on the hdd somewhere which has a soft link to sudoers. This may not work either.
    - have a cron on a central server that scp's / rsync's out a central sudoers file every time there's a change

    I'd probably go with options 3, then 1, then 2 myself depending on your requirements. edit: that was written when option 1 didn't exist.
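
The cron-copy option in the list above, as an added example that is not part of any poster's reply: it syntax-checks a staged copy with `visudo -c -f` before replacing `/etc/sudoers`, so a broken file on the share never becomes the live one. The script name, the share path in the crontab comment and the `CHECK` override are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Intended to run from root's crontab on
# each host, so the installed file ends up owned by root. Hypothetical entry:
#   */15 * * * * /usr/local/sbin/sync-sudoers.sh /usr/local/share/sudoers /etc/sudoers

# Syntax checker: "visudo -c -f FILE" parses FILE without installing it.
# Overridable (an assumption of this example) so the function can be
# exercised on a machine without visudo.
CHECK="${CHECK:-visudo -c -f}"

sync_sudoers() {
    src=$1
    dst=$2
    # Take plain files only; a symlink on the share could point anywhere.
    if [ -L "$src" ] || [ ! -f "$src" ]; then
        echo "sync_sudoers: $src is not a regular file" >&2
        return 2
    fi
    # Already identical: leave the live file alone.
    if cmp -s "$src" "$dst"; then
        return 0
    fi
    # Stage in the destination directory so the final mv is an atomic rename.
    tmp=$(mktemp "$dst.XXXXXX") || return 3
    if ! { cp "$src" "$tmp" && chmod 0440 "$tmp"; }; then
        rm -f "$tmp"
        return 3
    fi
    # Validate the staged copy, not the share, so the bytes that were checked
    # are the bytes that get installed. A syntax error in the live file would
    # stop sudo working for everyone on the box.
    if ! $CHECK "$tmp" >/dev/null 2>&1; then
        echo "sync_sudoers: $src failed validation, keeping $dst" >&2
        rm -f "$tmp"
        return 1
    fi
    mv -f "$tmp" "$dst"
}

# Only act when called with explicit source and destination paths.
if [ "$#" -eq 2 ]; then
    sync_sudoers "$1" "$2"
fi
```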


  • Registered Users, Registered Users 2 Posts: 59 ✭✭cmo


    GreenHell wrote: »
    Hey guys,

    Looking to create a centralised sudoers file for a good few RHEL machines. The one option I am looking at is

    Using an nfs share, problem is that I need to point sudo to the new sudoers file on /usr/local, instead of /etc/sudoers, any solutions welcome.

    If anyone can think of a better way, would be glad to hear it.

    Thanks!

    Use cfengine to keep them all up to date... you could have different sudoers then for all the groups etc. Like web/db and so on.

    Why does it need to be in /usr/local ? or is that top secret? :)


  • Registered Users, Registered Users 2 Posts: 2,621 ✭✭✭GreenHell


    No particular reason..

    I shall read up on this cfengine, thanks for all your suggestions.


  • Registered Users, Registered Users 2 Posts: 59 ✭✭cmo


    GreenHell wrote: »
    No particular reason..

    I shall read up on this cfengine, thanks for all your suggestions.

    Ah right, ya best to try cfengine in that case, it's a bit strange to get used to, but once it's up and running it works great, you can use it to distribute the file to all the machines you want by having them in groups. It can distribute all sorts of files including app files if you want. You can also manually update machines using it so the sudoers on one box doesn't get updated unless you really want it to.

    Best of luck!


  • Hosted Moderators Posts: 7,486 ✭✭✭Red Alert


    Sudo might possibly have LDAP support if you're using that?


  • Registered Users, Registered Users 2 Posts: 1,606 ✭✭✭djmarkus


    use LDAP and a wheel group


  • Registered Users, Registered Users 2 Posts: 2,621 ✭✭✭GreenHell


    Yea, some work has been done by other people on using LDAP, to be honest I'm not that up to speed on LDAP, my networking is not the strongest at the moment.

    By work been done, some people have gone "hey why don't we use ldap!" a while back.

    If you've got any specifics that'd be great.

    Thanks

