Chris wrote:
> ...
> user  server = NOPASSWD: /sbin/mount, /usr/libexec/locate.updatedb

I might suggest using groups rather than individual users in sudoers.
On the small scale both are about the same, but using groups scales
better (both time and quantity).

So the above could be for the group ejanitor:

 %ejanitor  server = NOPASSWD: /sbin/mount, /usr/libexec/locate.updatedb
 %maintainer    ALL = /usr/bin/passwd [A-z]*, !/usr/bin/passwd root
 %web           ALL = (ALL) /usr/sbin/apache2ctl [a-z]*

(Note: double-check the above before trying yourself.)

> But it seems like a lot of work as I have around 30 servers 

Then the same configuration could be spread around the 30-odd servers
and you just have to adjust which users are members of the appropriate group.

Also take a look at host aliases:
        http://www.openbsd.org/cgi-bin/man.cgi?query=sudoers#EXAMPLES

> and not all servers require the exact same command.

Please give a little more detail.  Are these all variations of mount and
locate.updatedb? Or do you mean a small random handful of commands?

> Is there any easier and secure way of populating the sudoers files?

Using groups to grant privileges to users and using host aliases to
apply those privileges to specific servers?

Regards
-Lars
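
Added example, not part of the message above: one sudoers file that combines the group rules with host aliases, so the identical file can be installed on all servers even though they do not all need the same commands. The host names, the alias names and the split of commands between server classes are assumptions made for illustration; the group names and command paths are the ones used in the thread.

```sudoers
# One file, installed unchanged on every server. sudo only applies the
# rules whose host list matches the machine it is running on.
# Syntax-check before distributing:  visudo -c -f /path/to/this/file

# Server classes (hypothetical host names; replace with real ones).
Host_Alias  FILESERVERS = fs1, fs2, fs3
Host_Alias  WEBSERVERS  = www1, www2
Host_Alias  MANAGED     = FILESERVERS, WEBSERVERS

# Command sets, named once and reused below.
Cmnd_Alias  MOUNT    = /sbin/mount
Cmnd_Alias  LOCATEDB = /usr/libexec/locate.updatedb
Cmnd_Alias  APACHE   = /usr/sbin/apache2ctl [a-z]*

# %group means "members of this Unix group"; who may do what is then
# controlled by group membership, not by editing this file.

# ejanitor may rebuild the locate database on every managed host,
# but may run mount only on the file servers.
%ejanitor  MANAGED     = NOPASSWD: LOCATEDB
%ejanitor  FILESERVERS = NOPASSWD: MOUNT

# web may control Apache, and only on the web servers.
%web       WEBSERVERS  = (ALL) APACHE
```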
