network shared /etc/sudoers
By Benoît Dejean on Thursday, 15 May 2008, 10:01 - Permalink
I'd like to use the same /etc/sudoers file for a lot of servers. sudo seems to support this because it has Host_Alias. What's the best way to share the same file?
- the path to /etc/sudoers seems to be hardcoded, so I can't put it on a network fs.
- I haven't found any LDAP support
- scp the file to all the hosts ?
Any experience with that? Thanks.
Comments
We have the same kind of problem where I work (a web app that needs deploying to 15 servers).
We solved it using rsync over ssh (scp would work for you) and expect to enter the password.
What about making it a symlink to a file on some shared directory?
You could bind mount /etc/sudoers to your network location (or use a symlink)
1) Use something to distribute the sudoers file; cfengine or puppet come to mind first,
2) Store sudo's configuration in an LDAP server
I'd advise against any network-based mounts.
Further to Welsh Dwarf's comment above, I would suggest using key-based authentication with ssh rather than passwords. (Just make sure you are protected against Debian's recent ssh key security bug.)
Your (secure) options are effectively:
Every other option is pretty bad, keeping in mind that the file is chmod 600 for a reason.
LDAP is the way to go. Here's a howto:
http://fci.wikia.com/wiki/Setting_U...
Very nice howto thanks.
I'll have a look at cfengine/puppet but that may be harder to set up because there are too many different OSes to handle. I didn't know of these tools, they look awesome! Puppet looks much more modern and documented. Thank you very much.
I've used scp with keys quite successfully for this (and many other things) in the past.
Cfengine and Puppet are designed to handle OSes. This is a great way to manage all your machines.
We deal with a similar issue at my company, only it's more like 6000 servers. I'm not an expert in this arena, but I'm pretty sure our solution involves a shell script that is run nightly via cron. We keep all of the standard configs like ssh, apache, sudoers, /root/.ssh/authorized_keys, etc in a CVS repository. So the script just has to update its checkout, then rsync it over to /.
One way would be to copy with rsync/scp like other people suggested. Another way is to use a template file to copy around and then generate the actual /etc/sudoers on each machine with a common script, which could do some checks and local substitutions.
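As an added example (not code from the post or any commenter), here is one shape the template-plus-script approach above can take: a POSIX sh helper that fills a constructed template (the placeholders @HOSTNAME@ and @ADMIN_GROUP@ are assumptions), refuses output that still carries a placeholder, parse-checks the result with visudo before it ever reaches /etc/sudoers, and installs it by atomic rename with mode 0440.

```shell
#!/bin/sh
# Added example: render one host's sudoers from a shared template, validate it
# with visudo, then install it atomically. Placeholders @HOSTNAME@ and
# @ADMIN_GROUP@ are constructed for this example, not a sudo convention.

# Allow only plain hostname/group characters, so sed never sees metacharacters.
safe_token() {
    case "$1" in
        ''|*[!A-Za-z0-9._-]*) return 1 ;;
    esac
}

# $1 template, $2 output file, $3 hostname, $4 admin group
render_sudoers() {
    safe_token "$3" && safe_token "$4" || return 1
    sed -e "s/@HOSTNAME@/$3/g" -e "s/@ADMIN_GROUP@/$4/g" "$1" > "$2" || return 1
    # An unfilled placeholder means the template and the script disagree; stop.
    ! grep -q '@[A-Z_][A-Z_]*@' "$2"
}

# A sudoers file that fails to parse locks every admin out, so check first.
# With -f, visudo -c checks syntax only, not owner or mode of the temp file.
check_sudoers() {
    if command -v visudo >/dev/null 2>&1; then
        visudo -c -f "$1" >/dev/null 2>&1
    else
        echo "visudo not found; refusing to install unvalidated $1" >&2
        return 1
    fi
}

# $1 validated file, $2 destination. Copy to a sibling temp file and rename,
# so sudo never reads a half-written file. chown is a no-op when not root.
install_sudoers() {
    tmp="$2.tmp.$$"
    cp "$1" "$tmp" || return 1
    chown root:root "$tmp" 2>/dev/null || true
    chmod 0440 "$tmp" && mv -f "$tmp" "$2"
}

# $1 template, $2 destination (e.g. /etc/sudoers), $3 hostname, $4 admin group
deploy_sudoers() {
    work=$(mktemp) || return 1
    if render_sudoers "$1" "$work" "$3" "$4" && check_sudoers "$work"; then
        install_sudoers "$work" "$2"; rc=$?
    else
        rc=1
    fi
    rm -f "$work"
    return $rc
}
```

A real deployment would pass `$(hostname)` as the hostname and run the script as root on each host after the template has been copied over with scp or rsync.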
csync2!