Harvard Business School of Echec - Tag - sudo - Commentaires

network shared /etc/sudoers - ed

ed — Fri, 16 May 2008 12:31:08 +0200

csync2 !

network shared /etc/sudoers - Leonid Mamchenkov

Leonid Mamchenkov — Thu, 15 May 2008 22:59:16 +0200

One way would be to copy with rsync/scp like other people suggested. Another way is to use a template file to copy around and then generate the actual /etc/sudoers on each machine with a common script, which could do some checks and local substitutions.

network shared /etc/sudoers - Kyle Ambroff

Kyle Ambroff — Thu, 15 May 2008 20:02:41 +0200

We deal with a similar issue at my company, only it's more like 6000 servers. I'm not an expert in this arena, but I'm pretty sure our solution involves a shell script that is run nightly via cron. We keep all of the standard configs like ssh, apache, sudoers, /root/.ssh/authorized_keys, etc in a CVS repository. So the script just has to update it's checkout, then rsync it over to /.

network shared /etc/sudoers - Andrew

Andrew — Thu, 15 May 2008 18:25:29 +0200

Cfengine and Puppet are designed to handle OSes. This is a great way to manage all your machines.

network shared /etc/sudoers - Eric

Eric — Thu, 15 May 2008 18:17:11 +0200

I've used scp with keys quite successfully for this (and many other things) in the past.

network shared /etc/sudoers - Benoît Dejean

Benoît Dejean — Thu, 15 May 2008 15:56:59 +0200

Very nice howto thanks.

I'll have a look at cfengine/puppet but that may be harder to setup because there are too many different OS to handle. I didn't know of these tools, they look awesome ! Puppet looks much more modern and documented. Thank you very much.

network shared /etc/sudoers - PvdS

PvdS — Thu, 15 May 2008 14:20:40 +0200

LDAP is the way to go. Here's an howto:

http://fci.wikia.com/wiki/Setting_U...

network shared /etc/sudoers - James Cape

James Cape — Thu, 15 May 2008 14:14:14 +0200

Your (secure) options are effectively:

rsync+cron
LDAP
NFSv4+Kerberos

Every other option is pretty bad, keeping in mind that the file is chmod 600 for a reason.

network shared /etc/sudoers - Paul Eggleton

Paul Eggleton — Thu, 15 May 2008 13:18:36 +0200

Further to Welsh Dwarf's comment above, I would suggest using key-based authentication with ssh rather than passwords. (Just make sure you are protected against Debian's recent ssh key security bug

network shared /etc/sudoers - Jubal

Jubal — Thu, 15 May 2008 13:14:49 +0200

1) Use something to distribute the sudoers file; cfengine or puppet come to mind first,
2) Store sudo's configuration in LDAP server

I'd advise against any network-based mounts.

network shared /etc/sudoers - Pádraig Brady

Pádraig Brady — Thu, 15 May 2008 12:41:02 +0200

You could bind mount /etc/sudoers to your network location (or use a symlink)

network shared /etc/sudoers - David B.

David B. — Thu, 15 May 2008 12:32:11 +0200

What about making it a symlink to a file on some shared directory?

network shared /etc/sudoers - Welsh Dwarf

Welsh Dwarf — Thu, 15 May 2008 12:09:11 +0200

We have the same kind of problem where I work (a web app that needs deploying to 15 servers).

We solved it using rsync over ssh (scp would work for you) and expect to enter the password.