linux
demsi, 2015-01-07 18:33:30

Sudo - how to use the ability to specify the computer name (ip address / network address) on which the command is allowed to run?

Many people are familiar with the sudo program.
We all know that the entry:
user1 HOST=(user2) command
Allows user1 to run the command (script, program) command with the rights of user2 on the computer with the name/ip address/network address HOST.
Usually, system administrators do not use HOST and instead write the alias ALL.
So it became interesting and not obvious to me how to use this opportunity.
For example, there are computers Host-A and Host-B.
On Host-A, there is an entry in /etc/sudoers:
user1 Host-B= ALL
It allows the user user1 to run any commands on Host-B as root.
Do I need to somehow configure the sudo program on Host-B to query the /etc/sudoers file from Host-A?
Has anyone had to put this into practice?

3 answer(s)
Vlad Zhivotnev, 2015-01-07
@demsi

This is necessary for those cases when you have the same sudoers on tens, hundreds or thousands of hosts.
sudo wakes up and thinks, "yeah, I'm host such-and-such", and then it looks to see if this user is allowed to do this here.
It usually looks at hostname -f, IIRC.
And one sudoers is easier to roll out through some kind of config management system.
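
The behaviour described in this answer, as an added example that is not part of the original thread and not sudo's own code: a simplified Python model of how the host field is evaluated locally, so one shared file gives different results on each machine. The policy, host names and addresses are constructed, and the matching rules (ALL, Host_Alias, IP or network, name patterns, '!' negation with the last match winning) are a simplification of what sudoers(5) describes.

```python
import fnmatch
import ipaddress

# Constructed policy: one sudoers file rolled out unchanged to every host.
SUDOERS = """\
Host_Alias WEB = web1, web2.example.com
Host_Alias DBNET = 10.0.5.0/24
user1 WEB = (root) /usr/bin/systemctl restart nginx
user1 DBNET = (postgres) /usr/bin/pg_dump
user1 ALL, !bastion = (root) /usr/bin/journalctl
"""

def parse(text):
    """Return ({alias: [hosts]}, [(user, [hosts], runas_and_command)])."""
    aliases, rules = {}, []
    for line in text.splitlines():
        left, _, right = line.partition("=")
        if left.startswith("Host_Alias"):
            aliases[left.split()[1]] = [h.strip() for h in right.split(",")]
        elif right:
            user, hosts = left.split(None, 1)
            rules.append((user, [h.strip() for h in hosts.split(",")], right.strip()))
    return aliases, rules

def host_matches(item, fqdn, addrs, aliases):
    """Does one host-list item describe the local machine?"""
    if item == "ALL":
        return True
    if item in aliases:
        return host_list_matches(aliases[item], fqdn, addrs, aliases)
    try:  # IP address or network: compare with the local interface addresses
        net = ipaddress.ip_network(item, strict=False)
        return any(ipaddress.ip_address(a) in net for a in addrs)
    except ValueError:  # not an address, so treat it as a host name pattern
        name = fqdn if "." in item else fqdn.split(".")[0]
        return fnmatch.fnmatchcase(name.lower(), item.lower())

def host_list_matches(items, fqdn, addrs, aliases):
    """Last matching item wins; a leading '!' turns the match into a denial."""
    result = False
    for item in items:
        if host_matches(item.lstrip("!"), fqdn, addrs, aliases):
            result = not item.startswith("!")
    return result

def allowed_here(user, fqdn, addrs, text=SUDOERS):
    """Rules from the shared file that apply to `user` on this machine."""
    aliases, rules = parse(text)
    return [rest for u, hosts, rest in rules
            if u == user and host_list_matches(hosts, fqdn, addrs, aliases)]
```

In this model a machine that only knows itself as `web2` does not match the `web2.example.com` entry, which is the kind of mismatch to check for when a shared file uses fully qualified names.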

Ilya Evseev, 2015-01-07
@IlyaEvseev

If /etc lives on NFS, this is useful.
If on a local disk, then there is no need.

oia, 2015-01-07
@oia

Typically, system administrators do not use HOST and write the alias ALL instead.
So it became interesting and not obvious to me how to use this opportunity.
Hmm, have you seen such admins?
