Unix Access Management

Specify sudoers files to be managed


Since forever I wish I could specify a path to the sudoers file to be managed by vgptool.

We want to enforce the contents of /etc/sudoers - which we can't if vgptool writes to this file.

We would like to specify in vgptool config a path of /etc/sudoers.d/vgptool which then could be completely managed by vgptool.

The problem we have with the way it is right now is that once a user had root rights he could add his own sudo rules to /etc/sudoers which then won't be purged. Of course it's not allowed to do so - but if you have hundreds of servers and many application owners which can order temporary root rights, it's better to have things enforced.

If we can manage the /etc/sudoers completely we can enforce the content and vgptool can enforce the content for its part of the config.

Is this just me looking for such an option?

Right now we're looking into doing an ugly workaround by changing the path in the vgptool script and adding a visudo wrapper which calls "visudo -f /etc/sudoers.d/vgptool". Works but I really think vgptool should provide the option to specify a path.

- Thomas
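
The enforcement concern raised in the post above (rules added by hand to /etc/sudoers that are never purged) can be checked independently of vgptool by comparing the live file with an approved baseline. This is an added example, not part of the original post and not vgptool code; the function names and sample files are hypothetical, and it assumes one rule per line (no backslash continuations).

```shell
#!/bin/sh
# Added example: report active sudoers lines that are absent from an approved
# baseline. Function names and sample files are hypothetical.

# Print the active lines of a sudoers file with whitespace collapsed.
# Comments and blank lines are dropped, but "#include"/"#includedir" are
# directives and "#<digits>" is a uid reference, so those lines are kept.
sudoers_active_lines() {
    sed -e 's/[[:space:]][[:space:]]*/ /g' -e 's/^ //' -e 's/ $//' "$1" |
    awk '
        /^#include(dir)?[ ]/ { print; next }
        /^#[0-9]/            { print; next }
        /^#/ || /^$/         { next }
        { print }
    '
}

# Print lines active in $2 (live file) that are not in $1 (baseline).
# Returns 0 when there is no drift, 1 when unapproved lines exist.
sudoers_drift() {
    base=$(mktemp) || return 2
    sudoers_active_lines "$1" | sort -u > "$base"
    extra=$(sudoers_active_lines "$2" | sort -u | comm -13 "$base" -)
    rm -f "$base"
    [ -z "$extra" ] && return 0
    printf '%s\n' "$extra"
    return 1
}

# Constructed sample: an approved baseline, and a live file that differs only
# in spacing plus one rule added by hand.
demo_dir=$(mktemp -d)
printf '%s\n' '# approved baseline' 'Defaults env_reset' \
    'root ALL=(ALL) ALL' '#includedir /etc/sudoers.d' > "$demo_dir/baseline"
printf '%s\n' 'Defaults   env_reset' 'root ALL=(ALL) ALL' \
    '#includedir /etc/sudoers.d' '# temporary' \
    'appowner ALL=(ALL) NOPASSWD: ALL' > "$demo_dir/current"

sudoers_drift "$demo_dir/baseline" "$demo_dir/current" || echo "drift detected"
```

On a real host the second argument would be /etc/sudoers, with the baseline kept somewhere the temporary root users cannot modify.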

  • Hi Thomas,

    When the policy is actually applied it is actually looking for the visudo command as opposed to the sudoers file itself. While you can change the path to visudo in the GPO itself, you are not able to specify the sudoers file directly, unfortunately.

    I did see if the GPO would accept something like this, however, as a test; unfortunately it does not work either:
    /usr/sbin/visudo -f /tmp/sudoers

    When more advanced usage of the sudo setup is required this usually ends up in a discussion about our Privilege Manager for Sudo product. Not sure if that would suit your needs at all but thought it worth mentioning.

    Thank you,
    Leigh Grant