Hello Everyone,

We are facing an issue related to the Sudoers LDAP backend.

We have an LDAP group that should be able to vi, tail and less all the files contained inside /var/log/.

We are thinking about using wildcards, but it seems that the wildcards that work in the sudoers file do not work when the backend is LDAP.

 

E.g.

dn: cn=%GroupEX,ou=SUDOers,dc=examples,dc=example,dc=com
objectClass: top
objectClass: sudoRole
cn: %Sec_Analysts
description: Security Administrators group sudo rules
sudoCommand: /usr/bin/less /var/log/*
sudoCommand: /usr/bin/tail /var/log/*
sudoCommand: /usr/bin/head /var/log/*
sudoCommand: /usr/bin/vi /var/log/*
sudoCommand: /usr/bin/vim /var/log/*
sudoOption: !authenticate
sudoOrder: 115
sudoRunAsUser: root
sudoUser: %GroupEX

This only works when a user that belongs to GroupEX runs the commands as shown:

/usr/bin/less /var/log/*
/usr/bin/tail /var/log/*

But it does not work when the command is run as:

/usr/bin/less /var/log/warn
/usr/bin/tail /var/log/warn

 

Any ideas?

Using ACLs and file permissions is not an option here.

 

Thank you so much.

Regards.

Dario Garcia Díaz-Miguel
GGCS-SES Unit
GGCS SKMF Infrastructure Division
GMV
C\ de Isaac Newton, 11
28760, Tres Cantos, Madrid
España
+34 918 07 21 00
+34 918 07 21 99
www.gmv.com

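The following is an added example, not part of the post above and not sudo's own code. It re-implements the command and argument matching rules that sudoers(5) documents (exact or FNM_PATHNAME-style match on the command path, plain fnmatch(3) on the joined argument string) in Python, parses a constructed sudoRole LDIF entry modelled on the one in the post, and evaluates a few requested command lines against it. Two things it makes visible: a rule such as "/usr/bin/less /var/log/*" does match "/usr/bin/less /var/log/warn" under those rules, and, because an argument wildcard also matches "/" and spaces, the same rule matches "/var/log/../../etc/shadow" as well, which is the trap the sudoers(5) security notes warn about. The LDIF text and the requested commands are constructed sample data; real sudo additionally handles digests, negated commands, noexec and more.

```python
"""Emulate sudoers(5) command/argument wildcard matching against sudoCommand values.

Added example (not sudo's code): the matching rules below follow what
sudoers(5) documents, using Python's fnmatch as a stand-in for fnmatch(3).
"""
import fnmatch

# Constructed LDIF sample, modelled on the sudoRole entry in the post.
SAMPLE_LDIF = """\
dn: cn=%GroupEX,ou=SUDOers,dc=example,dc=com
objectClass: top
objectClass: sudoRole
cn: %GroupEX
sudoCommand: /usr/bin/less /var/log/*
sudoCommand: /usr/bin/tail /var/log/*
sudoCommand: /usr/bin/vi /var/log/*
sudoOption: !authenticate
sudoRunAsUser: root
sudoUser: %GroupEX
"""


def parse_sudo_commands(ldif_text):
    """Return every sudoCommand value of an LDIF sudoRole entry, in order."""
    return [line.split(":", 1)[1].strip()
            for line in ldif_text.splitlines()
            if line.startswith("sudoCommand:")]


def _path_matches(spec_path, user_path):
    # sudo matches the command path with fnmatch(3) and FNM_PATHNAME, so a
    # wildcard never crosses a "/" boundary; emulate that per path component.
    spec_parts = spec_path.split("/")
    user_parts = user_path.split("/")
    if len(spec_parts) != len(user_parts):
        return False
    return all(fnmatch.fnmatchcase(u, s) for s, u in zip(spec_parts, user_parts))


def _args_match(spec_args, user_args):
    # A spec without arguments allows the command with any arguments.
    if spec_args is None:
        return True
    # An explicit "" in the spec means the command takes no arguments at all.
    if spec_args == '""':
        return len(user_args) == 0
    # Otherwise the pattern is matched against the whole argument string with
    # fnmatch(3) and no FNM_PATHNAME flag: "*" matches "/" and spaces too,
    # which is why "/var/log/*" also covers "/var/log/../../etc/shadow".
    return fnmatch.fnmatchcase(" ".join(user_args), spec_args)


def command_matches(spec, argv):
    """True if the requested argv (path first) is permitted by one sudoCommand spec."""
    if spec == "ALL":
        return True
    spec_path, sep, spec_args = spec.partition(" ")
    return (_path_matches(spec_path, argv[0])
            and _args_match(spec_args if sep else None, argv[1:]))


def matching_rule(ldif_text, argv):
    """Return the first sudoCommand value that permits argv, or None if denied."""
    for spec in parse_sudo_commands(ldif_text):
        if command_matches(spec, argv):
            return spec
    return None


if __name__ == "__main__":
    # Constructed requests: what a member of the group might type after "sudo".
    requests = [
        ["/usr/bin/less", "/var/log/warn"],
        ["/usr/bin/tail", "/var/log/messages", "/var/log/warn"],
        ["/usr/bin/less", "/var/log/../../etc/shadow"],   # matches: "*" crosses "/"
        ["/usr/bin/less", "/etc/shadow"],
        ["/usr/bin/cat", "/var/log/warn"],
    ]
    for argv in requests:
        rule = matching_rule(SAMPLE_LDIF, argv)
        verdict = "ALLOW by %r" % rule if rule else "DENY"
        print("%-50s %s" % (" ".join(argv), verdict))
```

The third request is the one to look at: the rule in the post is meant to confine the group to /var/log, but argument wildcards do not stop at "/", so any file readable by root is reachable through a ".." path, and sudoers(5) makes the same point with its own /var/log/messages* example. Combined with the shell escapes that less, vi and vim offer, and with !authenticate, such a rule is effectively an unauthenticated root shell; sudoers(5) documents the noexec option for exactly this class of program.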