I am the admin of several different servers and currently there is a different sudoers file on each one. This is getting slightly out of hand as quite often I need to give someone permissions to do something with sudo but it only gets done on one server. Is there an easy way of editing the sudoers file just on my central server and then distributing it by SFTP or something like that to the other servers in an easy way?
Mostly wondering how other sysadmins solve this problem, since the sudoers file doesn't seem to be remotely accessible with NIS, for example.
Operating system is SUSE Linux Enterprise Server 11 64-bit, but it shouldn't matter.
EDIT: Every machine will, for now, have the same sudoers file.
EDIT2: The accepted answer's comment was the closest to what I actually went ahead and did. I am right now using an SVN-supported puppet-installation and after a few headaches, it's working very well.
Step 1. Set up an LDAP server and configure all your machines to authenticate users and groups via LDAP.
Step 2. Create a master sudoers group in LDAP, say yourcompany-sudoers. Give that group permission to sudo (with password) in the /etc/sudoers file on each machine.
Step 3. Create a sudoers-machinename group in LDAP, and add that group to /etc/sudoers on the corresponding machine.
With those three steps you don't need to edit the /etc/sudoers file after the machine is installed, and you get a number of other benefits as well.
For extra effect:
Step 4. Set up Puppet, cfengine, Chef or similar, and deploy a templated sudoers file to each machine automatically.
wzzrd: I like the Puppet part, but as far as the multiple sudoers files stuff is concerned: I'd really stay away from that as far as possible, as it will turn into a maintenance nightmare real fast. I would suggest creating *one* sudoers file with different options for different machines with the Host_Alias directive, as I suggested below.
Stefan Thyberg: This is a very good idea; unfortunately I don't want people to be able to sudo just anything at all, only very specific commands. Also, assume that every machine will have the same sudoers and the same commands allowed.
asdmin: It's a complete overkill to sudo-ldap... for god's sake, sudo _can_ work directly from LDAP.
Stefan Thyberg: I didn't do this solution since it would require me to install a new sudo, compiled with LDAP support, on each machine.
Dave Cheney: Most UNIXes that have PAM support can support LDAP as an authentication source, so you just need to compile with PAM support.
From Dave Cheney
Alternatively, you could look into using version control (say git or mercurial) for some of your configuration files in /etc, put the sudoers file under said VCS, then have each machine pull its copy of the common configuration files from the repository.
Stefan Thyberg: It's a good idea, but unfortunately a time gap is usually unacceptable for the change; it needs to be done as soon as I say the change has been made. I assume you meant to have a cron job running an update from the VCS. This also adds some extra problems since the VCS is outside my "realm" of administration and I don't want anyone with access to the repository being able to change this file.
Ophidian: I believe you could set up check-in event hooks such that the central repo would push changes to other machines, but that would start getting cumbersome as it needed to scale. With a DVCS like Mercurial, I would assume you would have your own repo set up for your administrative work separate from whatever is maintained for development. That way you could host it and lock it down as needed for administrative purposes. The versioning is really just an added bonus.
Stefan Thyberg: Maybe I will look into this if LDAP-sudo does not pan out.
From Ophidian
/etc/sudoers can also be replaced with calls to a centralized LDAP server directly. All of the permissions and settings you would usually set on the local machine get set in LDAP.
http://www.gratisoft.us/sudo/man/sudoers.ldap.html
Mark Farver
Stefan Thyberg: This is looking like my favorite answer so far; I will be trying this out with one machine to see if it works well.
From mfarver
The absolute last thing I would want to do is create a separate sudoers file per machine, as Dave suggests. If you have a lot of machines, and only subtle differences apply (as is often the case), you really do not want this. It will generate a lot of overhead.
What you really want to do is create one sudoers file. In that sudoers file, you can then define Host_Aliases for groups of systems to which you want a certain policy to apply. You can also make User_Aliases and whatnot. Done right, this gives you a huge benefit by having one file to edit, so it is easy to see what applies where, and you don't have to worry about different versions of the sudoers file being deployed on different machines by accident.
New versions of sudo even support the sudoers.d directory in /etc, which might be of help too, but I haven't tried that yet.
Stefan Thyberg: Assume that, for now, I want the exact same policy for every machine.
mfarver: Then the first suggestion to use Puppet is the way to go. This looks like a good getting-started guide: http://www.lindstromconsulting.com/node/2 Puppet is incredibly useful, and completely worth the time it takes to figure out and set up.
Stefan Thyberg: I used this solution with Puppet in conjunction with SVN and it works very well so far.
From wzzrd
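To show how Dave Cheney's LDAP-group steps and wzzrd's single-file Host_Alias approach combine, here is an added example sudoers file; it is not from any answer on this page, and every host name, group name and command path in it is a placeholder assumption. It restricts the LDAP groups to specific commands rather than ALL, which is what the question asks for.

```sudoers
# Added example sudoers file, not from any answer on this page.
# All host names, group names and command paths are placeholder assumptions.
Defaults    env_reset, requiretty

# Group the machines so one file can carry per-machine policy (wzzrd's answer).
# Host_Alias entries match the local host name (the FQDN if the "fqdn" option is set).
Host_Alias  WEBSERVERS = web01, web02, web03
Host_Alias  DBSERVERS  = db01, db02
Host_Alias  ALLSERVERS = WEBSERVERS, DBSERVERS

# Company-wide LDAP group (Dave Cheney's step 2): the %group form is resolved
# through NSS/PAM, so no local accounts are needed on the machines.
User_Alias  COMPANY_SUDOERS = %yourcompany-sudoers
# Per-machine LDAP groups (Dave Cheney's step 3), still kept in this one file.
User_Alias  WEB_ADMINS = %sudoers-web
User_Alias  DB_ADMINS  = %sudoers-db

# Only specific commands, never ALL: arguments are part of the match.
Cmnd_Alias  WEBCMDS = /sbin/service apache2 restart, /sbin/service apache2 reload
Cmnd_Alias  DBCMDS  = /sbin/service mysql restart, /usr/bin/tail /var/log/mysql/*
Cmnd_Alias  DIAG    = /usr/bin/tail /var/log/messages, /sbin/ifconfig

root             ALL        = (ALL)  ALL
COMPANY_SUDOERS  ALLSERVERS = (root) DIAG
WEB_ADMINS       WEBSERVERS = (root) WEBCMDS
DB_ADMINS        DBSERVERS  = (root) DBCMDS
```

Before Puppet (or SFTP) pushes the file out, run `visudo -c -f /path/to/sudoers` on the master copy; a syntax error in a distributed sudoers locks sudo on every machine at once.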