
sudo 1.6.8p9 - want to change sudoers file location

 
S.Rider
Regular Advisor

sudo 1.6.8p9 - want to change sudoers file location

When you use sudo 1.6.8p9 from the HP APPS CD, it by default uses /opt/iexpress/sudo/etc/sudoers for the location. We want to change it to a shared NFS filesystem and have a single sudoers file used by the 70+ servers here.
Looks like you have to re-compile it to change this location, can someone confirm that?
Also, anyone know of any issues having a sudoers file on an NFS mount, besides the obvious issue of the NFS server being down?
Ride Boldly Ride, but watch out for El Dorado's
Patrick Wallek
Honored Contributor

Re: sudo 1.6.8p9 - want to change sudoers file location

You could try creating a link from /opt/iexpress/sudo/etc/sudoers to /nfs/mounted/filesystem/sudoers and see if that would work.

If that doesn't work then compiling the package from source is your only other option if you want the sudoers on the NFS mount.

Another option may be using something like rdist to distribute copies of the sudoers file from a central server to all other servers that need it.

I would lean more towards the rdist process. If the NFS server happened to be down, then sudo would be pretty useless since it wouldn't have access to the sudoers file.
Jeff_Traigle
Honored Contributor

Re: sudo 1.6.8p9 - want to change sudoers file location

The path to the sudoers file is determined at compile time. You might be able to use a symlink to point the compiled location to anywhere you like, however. Never tried it and don't know how picky sudo might be about such a configuration.

There shouldn't be a technical issue with having it NFS mounted other than the NFS server failure possibility you mentioned knocking out sudo ability on all servers... and depending whether you're using soft or hard mounts, that potential failure causing hung processes.

From a security perspective, there might be a concern about sudoer configuration being controlled by a sudoers file on another server.
--
Jeff Traigle
Rick Garland
Honored Contributor
Solution

Re: sudo 1.6.8p9 - want to change sudoers file location

We had a sudoers file that was for all systems. In the HOST ALIAS section you can specify the specific hostname to work on.

We kept a master copy of the sudoers file in a central location (that only us sysadms could get to) and when a change was made we would copy it out to all the servers using rdist. Other options are rcp, scp, ftp, etc...

No worry about NFS mounts, no worries about which copy belongs to which server, no worries about compile options for each server, etc...

Bill Hassell
Honored Contributor

Re: sudo 1.6.8p9 - want to change sudoers file location

As critical as sudoers is for a secure system, the last thing I would do is put it on NFS. A network or NFS server problem will then disable 70 machines...not a good design. While no re-compile is needed by using a symlink to point to the NFS point, eavesdroppers and other NFS intrusion techniques can reveal the contents of this file which is not good.

sudoers might be changed an average of once or twice a week so an scp of the file using a central server as the reference machine means that all 70 machines can be updated in less than 1 minute. Like any (good) automated update script, it should check that the updated file was correctly received (correct size and checksum).


Bill Hassell, sysadmin
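
The size-and-checksum check described in the last reply, as an added example that is not part of the original thread. The function names `reference_sum` and `install_sudoers` are hypothetical, and the `visudo -c` syntax check is an extra assumption beyond what the post asks for.

```shell
#!/bin/sh
# Added example; function names and paths are hypothetical, not from the thread.

# On the central server: print "<crc> <size>" of the master copy (POSIX cksum).
reference_sum() {
    set -- $(cksum < "$1")
    echo "$1 $2"
}

# On each target, after the scp: install_sudoers STAGED DEST WANT_CRC WANT_SIZE
# Returns 0 only if STAGED matched the reference values and replaced DEST.
install_sudoers() {
    staged=$1 dest=$2 want_crc=$3 want_size=$4
    [ -f "$staged" ] || { echo "missing staged file: $staged" >&2; return 1; }

    # cksum is a CRC: it catches truncated or corrupted transfers, while scp
    # itself is what protects the file in transit.
    set -- $(reference_sum "$staged")
    if [ "$1" != "$want_crc" ] || [ "$2" != "$want_size" ]; then
        echo "size/checksum mismatch, keeping current $dest" >&2
        return 1
    fi

    # Extra check (an assumption beyond the post): syntax-check the staged
    # file when a visudo binary is on PATH.
    if command -v visudo >/dev/null 2>&1; then
        visudo -c -f "$staged" >/dev/null 2>&1 ||
            { echo "sudoers syntax check failed" >&2; return 1; }
    fi

    # Write the new copy next to DEST with mode 0440, then rename it into
    # place so sudo never reads a partial file. Run as root so the result
    # is root-owned.
    tmp="$dest.new.$$"
    if cp "$staged" "$tmp" && chmod 0440 "$tmp" && mv -f "$tmp" "$dest"; then
        return 0
    fi
    rm -f "$tmp"
    return 1
}
```

The staged path and the two reference values are passed to the target by whatever runs the push; a failed check leaves the existing sudoers file untouched.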