The grants file

The grants file should contain a list of lines with 2 colon-separated fields:

<rule label or rule alias> : <host or host alias>

Aliases denote a group of names and start with an ‘@’ (Perl array syntax); otherwise singular names should be used. Both fields may contain a comma-separated list of singular names or aliases. Rule label(s) should match the names of the sudo rule files (in fragments.d/*).

Lines prefixed by ‘#’ are considered comment lines and are ignored during processing.

Examples:

admin_root  	: 	foo1,foo2

→ assigns the SUDO rules stored in the admin_root file onto hosts foo1 & foo2

@basic_sudo    	: 	@dev_hosts

→ assigns the SUDO rules stored in the files that are part of the basic_sudo group on all hosts in the dev_hosts group

The alias file

The alias file should contain a list of lines with 2 colon-separated fields:

<alias identifier> : <alias member 1>, <alias member 2>, …

Alias identifiers should always start with an ‘@’ (Perl array syntax) to indicate their grouping status. Alias members may themselves be aliases (groups), nested at most 5 levels deep. All aliases should be unique across the entire SUDO Controls namespace, i.e. one alias name cannot be reused for both a host group and a rule group.

Lines prefixed by ‘#’ are considered comment lines and are ignored during processing.

Examples:

@dev_hosts	   :	foo1,foo2

→ means the dev_hosts group contains items foo1 & foo2. In this case they would represent a group of servers.

@basic_sudo    	   : 	job_init,backup_init

→ means the basic_sudo group contains the SUDO rules contained in the job_init and backup_init files.

The targets file

The targets file should contain a list of host names and/or @alias names, one per line.

Lines prefixed by ‘#’ are considered comment lines and are ignored during processing.
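The three formats above (grants, alias and targets) are simple enough to parse in a few dozen lines, and doing so makes the rules explicit: comment lines, the ‘@’ prefix, the comma-separated member lists, the 5-level nesting limit and alias uniqueness. The following parser is an added example written for this page; it is not the SUDO Controls code itself (which is Perl), and the sample file contents, the third host foo3, the @all_hosts alias and the fragment file names it checks against are all constructed for the example. It expands every grants line into a per-host list of rule labels, flattens the targets file, and reports rule labels that have no matching fragments.d file (with or without an extension such as .frag), which is the check a practitioner wants before pushing a new grants file.

```python
"""Parse SUDO Controls alias, grants and targets files (added example)."""
import re
from collections import defaultdict

MAX_NESTING = 5  # the documentation allows at most 5 levels of alias nesting

# Constructed sample input for the example (not taken from a real deployment).
ALIAS_FILE = """\
# host groups
@dev_hosts   : foo1,foo2
@all_hosts   : @dev_hosts, foo3
# rule groups
@basic_sudo  : job_init,backup_init
"""
GRANTS_FILE = """\
admin_root   : foo1,foo2
@basic_sudo  : @dev_hosts
root_netstat : @all_hosts
"""
TARGETS_FILE = """\
@dev_hosts
foo3
"""


def _lines(text):
    """Yield stripped lines, skipping blank lines and '#' comment lines."""
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            yield line


def _members(field):
    return [m.strip() for m in field.split(",") if m.strip()]


def parse_aliases(text):
    """Return {alias: [members]}; enforce the '@' prefix and uniqueness."""
    aliases = {}
    for line in _lines(text):
        name, sep, members = line.partition(":")
        name = name.strip()
        if not sep:
            raise ValueError(f"alias line without ':' separator: {line!r}")
        if not name.startswith("@"):
            raise ValueError(f"alias identifier must start with '@': {name!r}")
        if name in aliases:
            raise ValueError(f"duplicate alias: {name!r}")
        aliases[name] = _members(members)
    return aliases


def expand(name, aliases, depth=0):
    """Expand a name to singular names; aliases recurse, limited to MAX_NESTING."""
    if not name.startswith("@"):
        return [name]
    if depth >= MAX_NESTING:  # also stops alias cycles (@a -> @b -> @a)
        raise ValueError(f"alias nesting deeper than {MAX_NESTING} at {name!r}")
    if name not in aliases:
        raise ValueError(f"unknown alias: {name!r}")
    out = []
    for member in aliases[name]:
        out += [i for i in expand(member, aliases, depth + 1) if i not in out]
    return out


def expand_field(field, aliases):
    """Expand a comma-separated field of names and/or aliases, de-duplicated."""
    out = []
    for member in _members(field):
        out += [i for i in expand(member, aliases) if i not in out]
    return out


def parse_grants(text, aliases):
    """Return {host: [rule labels]} with all rule and host aliases resolved."""
    grants = defaultdict(list)
    for line in _lines(text):
        rules, sep, hosts = line.partition(":")
        if not sep:
            raise ValueError(f"grants line without ':' separator: {line!r}")
        labels = expand_field(rules, aliases)
        for host in expand_field(hosts, aliases):
            grants[host] += [l for l in labels if l not in grants[host]]
    return dict(grants)


def parse_targets(text, aliases):
    """Return the flat, de-duplicated list of target hosts."""
    return expand_field(",".join(_lines(text)), aliases)


def missing_fragments(grants, fragment_files):
    """Rule labels used in grants that have no fragments.d file (extension optional)."""
    names = set(fragment_files) | {re.sub(r"\.[^.]+$", "", f) for f in fragment_files}
    return sorted({l for labels in grants.values() for l in labels} - names)


if __name__ == "__main__":
    aliases = parse_aliases(ALIAS_FILE)
    grants = parse_grants(GRANTS_FILE, aliases)
    for host, labels in sorted(grants.items()):
        print(f"{host}: {', '.join(labels)}")
    print("targets:", parse_targets(TARGETS_FILE, aliases))
    # constructed directory listing: root_netstat has no fragment file
    print("missing:", missing_fragments(grants, ["admin_root", "job_init.frag", "backup_init"]))
```

With the sample files, foo1 and foo2 end up with admin_root, job_init, backup_init and root_netstat, foo3 only with root_netstat, and root_netstat is reported as missing because no fragment file of that name is in the (constructed) listing. A grants push that references a label with no fragment file silently grants nothing, so this check belongs in whatever wrapper runs the distribution.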

The fragments file(s)

The fragment file(s) should contain valid sudoers syntax.

You may choose between storing the rules in a single file (i.e. the fragments file) OR in individual files located in a fragments.d directory:

  1. A fragments file:

     [master:/etc/sudo_master]$ ls -l fragments
     -rw-r--r--    1 sudoadmin     sudoadmin        97344 Mar 29 10:57 fragments

     [master:/etc/sudo_controls]$ cat fragments

     # root_netstat
     %users ALL=(root) NOPASSWD: /bin/netstat

  2. A fragments.d directory:

     [master:/etc/sudo_master]$ ls -l fragments.d/*
     -rw-r--r--    1 sudoadmin     sudoadmin        367 Mar 29 10:57 root_netstat
     -rw-r--r--    1 sudoadmin     sudoadmin        372 Mar 29 10:57 root_lsof
     -rw-r--r--    1 sudoadmin     sudoadmin        429 Mar 29 10:57 root_start_backup

Note that the individual files inside the fragments.d directory may themselves contain multiple sudo rules. This allows for rule grouping. Fragment files may have an optional file extension, e.g. test_rule.frag.

Note: please do not use rule labels with spaces (use underscores instead).
