LinuxQuestions.org
Latest LQ Deal: Complete CCNA, CCNP & Red Hat Certification Training Bundle
Go Back   LinuxQuestions.org > Forums > Enterprise Linux Forums > Linux - Enterprise
User Name
Password
Linux - Enterprise This forum is for all items relating to using Linux in the Enterprise.

Notices


Reply
  Search this Thread
Old 04-13-2009, 08:28 PM   #1
custangro
Senior Member
 
Registered: Nov 2006
Location: California
Distribution: Fedora , CentOS , RHEL
Posts: 1,977
Blog Entries: 1

Rep: Reputation: 209Reputation: 209Reputation: 209
200+ Systems...how do you centralize sudo?


Hello,

Just curious...

How have you guys solved the "centrally manage" the sudoers file dilemma?

Rsync?
Rdist?
NFS?

I was thinking about using rysnc, but I am curious about how some of you have done it...

-C
 
Old 04-14-2009, 01:21 PM   #2
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,417

Rep: Reputation: 1977Reputation: 1977Reputation: 1977Reputation: 1977Reputation: 1977Reputation: 1977Reputation: 1977Reputation: 1977Reputation: 1977Reputation: 1977Reputation: 1977
HIIII!!!!1 ME AGAIN!!!!

There are sudoers schema extensions for ldap... not perfect in their implementation, but near perfect in theory.

in fact though, if you don't want sudoers IN ldap, you should still be looking to use centralized groups within sudoers. Never use lists of local users etc, always link to centralized groups and then administer group memberships centrally.

Last edited by acid_kewpie; 04-14-2009 at 02:05 PM.
 
Old 04-14-2009, 01:22 PM   #3
rweaver
Senior Member
 
Registered: Dec 2008
Location: Louisville, OH
Distribution: Debian, CentOS, Slackware, RHEL, Gentoo
Posts: 1,833

Rep: Reputation: 164Reputation: 164
Quote:
Originally Posted by custangro View Post
Hello,

Just curious...

How have you guys solved the "centrally manage" the sudoers file dilemma?

Rsync?
Rdist?
NFS?

I was thinking about using rysnc, but I am curious about how some of you have done it...

-C
Rdist was pretty much designed to do exactly what you're looking at doing and it would be relatively easy in the future to add additional files you need to keep sync'd up.

That being said, imho with that many machines a centralized login solution like ldap might be better long term if you have the expertise to implement it (if you're going to go that route for sudors it would make sense to move most of the system files (passwd, groups, shadow, hosts, services, etc) onto ldap too to centralize everything.)

Last edited by rweaver; 04-14-2009 at 01:26 PM.
 
Old 04-14-2009, 01:33 PM   #4
custangro
Senior Member
 
Registered: Nov 2006
Location: California
Distribution: Fedora , CentOS , RHEL
Posts: 1,977
Blog Entries: 1

Original Poster
Rep: Reputation: 209Reputation: 209Reputation: 209
Quote:
Originally Posted by acid_kewpie View Post
HIIII!!!!1 ME AGAIN!!!!

There are sudoers schema extensions for ldap... not perfect in their implementation, but near perfect in theory.
Ah...I didn't know that!

Is it a plugin? Where can I read more information about this? Since we are moving out Unix/Linux account to RHDS (actually CDS); it would be GREAT to centrally manage it with LDAP...since I have it in place...

My current plan was just to rdist the file and script the checking of the permissions....

But the LDAP solution _does_ sound better!

-C
 
Old 04-14-2009, 02:12 PM   #5
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,417

Rep: Reputation: 1977Reputation: 1977Reputation: 1977Reputation: 1977Reputation: 1977Reputation: 1977Reputation: 1977Reputation: 1977Reputation: 1977Reputation: 1977Reputation: 1977
Quote:
Originally Posted by custangro View Post
Ah...I didn't know that!

Is it a plugin? Where can I read more information about this? Since we are moving out Unix/Linux account to RHDS (actually CDS); it would be GREAT to centrally manage it with LDAP...since I have it in place...

My current plan was just to rdist the file and script the checking of the permissions....

But the LDAP solution _does_ sound better!

-C
It's not a plugin, no, and you'd want to understand why it wouldn't be. It's a schema extension, so additional objectClasses and attributes designed to hold the data.

http://www.gratisoft.us/sudo/man/sudoers.ldap.html

LQ been playing around this evening, so not sure if you saw my addition about using ldap groups if not completely ldap.

And once you're its friend, you'll find that most things can go into ldap. You will sounds very very dull when your response to most things is "stick it in ldap"

Last edited by acid_kewpie; 04-14-2009 at 02:18 PM.
 
Old 04-15-2009, 01:38 AM   #6
elcody02
Member
 
Registered: Jun 2007
Posts: 52

Rep: Reputation: 17
You could also think about using a centralized configuration management approach and put the sudo configuration under such a software.

Options might be:

* puppet: http://reductivelabs.com/products/puppet/

* cfengine: http://www.cfengine.org/getstarted.php
 
Old 04-15-2009, 07:18 PM   #7
custangro
Senior Member
 
Registered: Nov 2006
Location: California
Distribution: Fedora , CentOS , RHEL
Posts: 1,977
Blog Entries: 1

Original Poster
Rep: Reputation: 209Reputation: 209Reputation: 209
Quote:
Originally Posted by acid_kewpie View Post
It's not a plugin, no, and you'd want to understand why it wouldn't be. It's a schema extension, so additional objectClasses and attributes designed to hold the data.

http://www.gratisoft.us/sudo/man/sudoers.ldap.html

LQ been playing around this evening, so not sure if you saw my addition about using ldap groups if not completely ldap.

And once you're its friend, you'll find that most things can go into ldap. You will sounds very very dull when your response to most things is "stick it in ldap"
I also found this...

http://kbase.redhat.com/faq/docs/DOC-2057

Could that be used?

I'll probably set up a test machine soon to test this out...

Also...is there anything I need to do to sudo to make this work?

-C
 
Old 04-16-2009, 12:59 AM   #8
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,417

Rep: Reputation: 1977Reputation: 1977Reputation: 1977Reputation: 1977Reputation: 1977Reputation: 1977Reputation: 1977Reputation: 1977Reputation: 1977Reputation: 1977Reputation: 1977
I would think that that is the same as what I originally mentioned. Note that you still need to configure nsswitch.conf etc to permit sudo to go to ldap in the first place. The KB does suggest this might already be patched in the normal sudo version.
 
Old 04-16-2009, 09:53 AM   #9
custangro
Senior Member
 
Registered: Nov 2006
Location: California
Distribution: Fedora , CentOS , RHEL
Posts: 1,977
Blog Entries: 1

Original Poster
Rep: Reputation: 209Reputation: 209Reputation: 209
Quote:
Originally Posted by acid_kewpie View Post
I would think that that is the same as what I originally mentioned. Note that you still need to configure nsswitch.conf etc to permit sudo to go to ldap in the first place. The KB does suggest this might already be patched in the normal sudo version.
Thanks acid_kewpie !

Looks like I'll be doing some reading for a while

-C
 
Old 04-17-2009, 11:17 AM   #10
rweaver
Senior Member
 
Registered: Dec 2008
Location: Louisville, OH
Distribution: Debian, CentOS, Slackware, RHEL, Gentoo
Posts: 1,833

Rep: Reputation: 164Reputation: 164
Quote:
Originally Posted by custangro View Post
Thanks acid_kewpie !

Looks like I'll be doing some reading for a while

-C
There's a lot of good stuff out there on LDAP and centralizing login services, the only real problem I see on an on-going basis is that a lot of them are incomplete and missing an item here and there.

That's especially true of a lot of the tutorials online I've found that utilize ldap for passwd/group setups.

Good luck!
 
Old 04-17-2009, 12:02 PM   #11
custangro
Senior Member
 
Registered: Nov 2006
Location: California
Distribution: Fedora , CentOS , RHEL
Posts: 1,977
Blog Entries: 1

Original Poster
Rep: Reputation: 209Reputation: 209Reputation: 209
Quote:
Originally Posted by rweaver View Post
There's a lot of good stuff out there on LDAP and centralizing login services, the only real problem I see on an on-going basis is that a lot of them are incomplete and missing an item here and there.

That's especially true of a lot of the tutorials online I've found that utilize ldap for passwd/group setups.

Good luck!
That's very true...

I would like to implement sudo within LDAP, but I have a lot of reading and testing ahead of me...

In the mean time I have added a posixGroup called suadmins (for Sudo Admins) and joined users who are to have sudo access to that group...then in the "master" sudoers file I have...

Code:
%suadmins        ALL=(ALL)       ALL
Then rsync them...

Seems to be working ok so far...

But I would really like to implement sudo within LDAP.

-C
 
Old 04-17-2009, 01:26 PM   #12
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,417

Rep: Reputation: 1977Reputation: 1977Reputation: 1977Reputation: 1977Reputation: 1977Reputation: 1977Reputation: 1977Reputation: 1977Reputation: 1977Reputation: 1977Reputation: 1977
Yeah, that's a great middle ground. A challenge that I've got at the moment, which may well be of concern to you is auditing the use of sudo. as you've got ALL=(ALL) anyone in that group can do anything as root, including opening a shell. Now once that shell is open you will have no audit trail of anythign they do, unlike a normal sudo command which is logged. How do you keep an audit trail? Most feasible way I've seen is to use a tool like rootsh, and only let the admins run that. That way they can get a root shell, without a nasty hack like running "sudo su -" to get to root, and everything they do in that mode is safely logged for inspection. One neat thing I liked doing was to modify the default prompt to say that if there is a $SUDO_USER variable in the environment they are in, then add that to the PS1 as well as the normal, so you have [dave as root@localhost]$ instead, which gives feedback directly to the user, turning root into more of an enhanced mode of themselves, rather than a seperate account.

Might be overkill for you, but maybe not, and I'm still very much trying to suss a nice solution.
 
Old 04-17-2009, 04:20 PM   #13
custangro
Senior Member
 
Registered: Nov 2006
Location: California
Distribution: Fedora , CentOS , RHEL
Posts: 1,977
Blog Entries: 1

Original Poster
Rep: Reputation: 209Reputation: 209Reputation: 209
Quote:
Originally Posted by acid_kewpie View Post
Yeah, that's a great middle ground. A challenge that I've got at the moment, which may well be of concern to you is auditing the use of sudo. as you've got ALL=(ALL) anyone in that group can do anything as root, including opening a shell. Now once that shell is open you will have no audit trail of anythign they do, unlike a normal sudo command which is logged. How do you keep an audit trail? Most feasible way I've seen is to use a tool like rootsh, and only let the admins run that. That way they can get a root shell, without a nasty hack like running "sudo su -" to get to root, and everything they do in that mode is safely logged for inspection. One neat thing I liked doing was to modify the default prompt to say that if there is a $SUDO_USER variable in the environment they are in, then add that to the PS1 as well as the normal, so you have [dave as root@localhost]$ instead, which gives feedback directly to the user, turning root into more of an enhanced mode of themselves, rather than a seperate account.

Might be overkill for you, but maybe not, and I'm still very much trying to suss a nice solution.
Very true...

The audit aspect has got me puzzled for the time being...

We have a team of 6 developers so the auditing thing is "not so bad" at the moment...

However, I know that the rsync thing is not a permanent solution (hopefully).
Quote:
One neat thing I liked doing was to modify the default prompt to say that if there is a $SUDO_USER variable in the environment they are in, then add that to the PS1 as well as the normal, so you have [dave as root@localhost]$ instead, which gives feedback directly to the user, turning root into more of an enhanced mode of themselves, rather than a seperate account.
That's not a bad idea...I was thinking about using "!" in the sudoers file...that way they can't "sudo su -"

Hopefully I can integrate this sudo thing soon :-)
 
Old 04-17-2009, 04:54 PM   #14
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,417

Rep: Reputation: 1977Reputation: 1977Reputation: 1977Reputation: 1977Reputation: 1977Reputation: 1977Reputation: 1977Reputation: 1977Reputation: 1977Reputation: 1977Reputation: 1977
in a situation like that, there's always a way to make another shell. a symlink or something to get around it. Nothing's perfect.
 
Old 04-17-2009, 05:19 PM   #15
custangro
Senior Member
 
Registered: Nov 2006
Location: California
Distribution: Fedora , CentOS , RHEL
Posts: 1,977
Blog Entries: 1

Original Poster
Rep: Reputation: 209Reputation: 209Reputation: 209
Quote:
Originally Posted by acid_kewpie View Post
Nothing's perfect.
And there is the biggest problem in IT
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
LXer: The Ultimate Sudo FAQ To Sudo Or Not To Sudo? LXer Syndicated Linux News 13 04-13-2013 01:36 AM
Problem with SUDO : sudo: pam_authenticate: Module is unknown cristoph_ Linux - Software 2 03-02-2009 07:12 PM
Restricting Editing in Sudo (Advanced Sudo Question) LinuxGeek Linux - Software 4 11-04-2006 03:20 PM
Best way to centralize authentication in a home network xyphor Linux - Security 3 03-17-2006 10:39 PM
lose 200$ or sace 200! HELP HELP HELP! OMEGA-DOOM Linux - Software 8 10-23-2004 07:47 PM

LinuxQuestions.org > Forums > Enterprise Linux Forums > Linux - Enterprise

All times are GMT -5. The time now is 03:29 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration