danwalsh


Dan Walsh's Blog

Got SELinux?


Fedora 17 New Security Feature part V - sudo can now use sssd for authorization data (sudoers)
Currently sudo can be configured to read the /etc/sudoers file locally or to look up sudoers content via LDAP. The LDAP server provides a useful feature for organizations that want to centralize authorization data.

But, as with all types of centralized authorization/authentication systems, it does not work well when your machine is disconnected from the network.

sssd, the System Security Services Daemon, to the rescue.

sssd was added to Fedora a few releases ago, as I blogged about back in March 2011.

One of the biggest benefits of sssd is that it allows for disconnected access to cached authorization/authentication data. 
A new feature in Fedora 17 adds sssd as a source for sudoers data.

The benefits of this integration, as described on the feature page, are:

  • offline access - sudoers rules would be stored in a persistent cache, allowing sudo to fetch the rules seamlessly even in cases when the LDAP server is not reachable, such as a user roaming with a laptop.
  • unified configuration of LDAP parameters such as the servers used, timeout options and security properties in one place (sssd.conf)
  • sudo would take advantage of the advanced features SSSD has, such as server fail over, server discovery using DNS SRV lookups and more
  • only one connection to the LDAP server open at a time, resulting in less load on the LDAP server and better performance
    (And from an SELinux point of view, that is one less network access for the sudo application.)
  • caching of the rules - less load on the LDAP server and better performance on the client side, as the client wouldn't have to go to the server with each request
  • back end abstraction - data may be stored in NIS or other databases and accessed by sudo transparently
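As an added illustration (not from this post or the Fedora feature page), here is a minimal sssd.conf that turns on the sudo responder and points the domain's sudo provider at the same LDAP server it already uses for identity and authentication; the domain name, server URI, DNs and CA path are placeholders.

```ini
# /etc/sssd/sssd.conf (added example; must be owned by root with mode 0600)
# Domain, server, DNs and CA bundle path below are placeholders.
[sssd]
config_file_version = 2
# "sudo" in the services list starts the sudo responder that sudo talks to.
services = nss, pam, sudo
domains = example.com

[domain/example.com]
id_provider = ldap
auth_provider = ldap
# Fetch sudoers rules from LDAP through the same connection settings as
# identity lookups: one place for servers, timeouts and TLS options.
sudo_provider = ldap
ldap_uri = ldap://ldap.example.com
ldap_search_base = dc=example,dc=com
ldap_sudo_search_base = ou=sudoers,dc=example,dc=com
ldap_id_use_start_tls = true
ldap_tls_cacert = /etc/pki/tls/certs/ca-bundle.crt
# Keep hashed credentials so users can still authenticate while offline;
# cached sudo rules are served from the persistent cache in the same case.
cache_credentials = true
# How often the rule cache is refreshed while the server is reachable
# (seconds): incremental refresh, full refresh, and per-entry validity.
ldap_sudo_smart_refresh_interval = 900
ldap_sudo_full_refresh_interval = 21600
entry_cache_sudo_timeout = 5400
```

For sudo to consult the cache, /etc/nsswitch.conf needs a `sudoers: files sss` line, so the local file is checked first and sssd second. `sudo -l` then lists the rules a user is granted, whether they came from the live server or from the cache.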
Imagine if sssd and IPA could eventually cache SELinux Roles/Confined Users, maybe sometime in the not too distant future ...
