suppose mymachine:/etc/sudoers includes the line
joe someremotehost = (ALL) NOPASSWD: ALL
but someremotehost:/etc/sudoers does not say anything special about joe, then what effect does the above line have?
Add a comment
|
3 Answers
In its default configuration, sudo looks in the sudoers file on the local machine (i.e., on the machine upon which it is invoked) to determine what to do - it doesn't contact another host to find out what it would permit, so in this case, the joe someremotehost line on your local machine would not affect the operation of sudo on someremotehost. And since it specifies a hostname restriction, sudo on your local machine would ignore the rule, because the hostname in the config doesn't match the hostname sudo gets from the C library.
The sudoers file syntax allows you to specify hostname restrictions so that managing policy for a large group of hosts is as easy as editing the file in one place, and then pushing it out to all hosts in the administrative domain.
-
1Best to keep
/etc/sudoersuntouched (don't mess uproot) and push-sync a central config folder to/etc/sudoers.d/on every machine, right?arney– arney2013-04-08 19:52:05 +00:00Commented Apr 8, 2013 at 19:52 -
That would mean that keeping the ALL instead of a specific host name makes the sudoers no less secure, if only employed locally on one box, right?humanityANDpeace– humanityANDpeace2016-05-03 06:27:45 +00:00Commented May 3, 2016 at 6:27
Effectively nothing. The file on the remote host is never consulted, but the local file only gives permission on the other host, not on this host.
When using puppet, or sharing the file with many hosts in your network, then the HOST section becomes more relevant.
answered Aug 13, 2016 at 4:04
