Bug 815 - dynamic filters on LDAP rules
Status: NEW
Product: Sudo
Classification: Unclassified
Component: Sudo
Version: 1.8.21
Hardware: All
OS: All
Importance: low enhancement
Assigned To: Todd C. Miller
Depends on:
Blocks:
Reported: 2017-12-06 18:49 MST by Daniele Palumbo
Modified: 2017-12-06 18:49 MST (History)

See Also:


Description Daniele Palumbo 2017-12-06 18:49:09 MST
Currently any LDAP rule will be applied without any filter to all of the hosts that Sudo is able to look up.

It would be very useful to add dynamic filters directly into LDAP.

For example, the uname -s output.

In a complex environment, this would really be effective in segregating the environments.

To make a quick example:
sudoFilter: "/usr/local/bin/customcommand"
This will be applied if the exit code is 0; otherwise it will not be applied.

Or

sudoFilter: "$(uname -s) == Linux"

This will allow a certain rule to be applied only on Linux AND/OR Solaris AND/OR AIX, ...

The best would be:
sudoFilter: "$(uname -s) == Linux AND $(uname -r|sed -e 's/\.//g'|cut -d "-" -f 1) >= 3160"

In this case, the syntax also has to be defined.
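The report leaves the sudoFilter syntax undefined. The following is an added example, not sudo code and not anything the reporter or the project has implemented: a small Python evaluator for the two forms proposed in the description (a bare command path that matches when it exits 0, and clauses joined by AND / OR). It assumes AND binds tighter than OR, and it deliberately maps the two $(...) spellings from the report onto a fixed set of probes computed from os.uname() instead of handing the attribute text to a shell, because a filter that executes whatever the directory supplies would let anyone who can write that LDAP attribute run commands on every host that reads it. The command form is restricted to a plain absolute path executed without a shell. The host facts used at the bottom are constructed for the demonstration.

```python
"""Prototype evaluator for the sudoFilter syntax proposed in sudo bug 815.

Added example; not part of sudo.  Host facts come from os.uname(), and the
$(...) text from the LDAP attribute is looked up in a fixed table rather
than executed, so the directory cannot supply commands to run.
"""
import os
import re
import subprocess


def kernel_numeric(release):
    """Native equivalent of the report's pipeline
    uname -r | sed -e 's/\\.//g' | cut -d "-" -f 1
    Drop the dots and keep the part before the first '-', e.g.
    '3.16.0-4-amd64' -> 3160.  Anything non-numeric evaluates to 0."""
    head = release.split("-", 1)[0]
    digits = head.replace(".", "")
    return int(digits) if digits.isdigit() else 0


# The only $(...) spellings the filter language accepts, each bound to a
# function over host facts.  Unknown probes are rejected, never executed.
PROBES = {
    "$(uname -s)": lambda f: f["sysname"],
    "$(uname -r|sed -e 's/\\.//g'|cut -d \"-\" -f 1)": lambda f: kernel_numeric(f["release"]),
}

_COMPARE = {
    "==": lambda a, b: a == b, "!=": lambda a, b: a != b,
    ">=": lambda a, b: a >= b, "<=": lambda a, b: a <= b,
    ">": lambda a, b: a > b, "<": lambda a, b: a < b,
}

# One clause:  $(probe) OP value   (the probe runs up to its first ')')
_CLAUSE = re.compile(r"^\s*(\$\(.*?\))\s*(==|!=|>=|<=|>|<)\s*(\S+)\s*$")


def host_facts():
    """Facts about the running host, taken from os.uname() (no shell)."""
    u = os.uname()
    return {"sysname": u.sysname, "release": u.release}


def eval_clause(clause, facts):
    """Evaluate a single comparison; raises ValueError on unsupported input."""
    m = _CLAUSE.match(clause)
    if not m:
        raise ValueError(f"unsupported clause: {clause!r}")
    probe, op, rhs = m.groups()
    if probe not in PROBES:
        raise ValueError(f"unknown probe: {probe!r}")
    lhs = PROBES[probe](facts)
    if isinstance(lhs, int):
        # Numeric probe: the right-hand side must be an integer literal.
        if not rhs.lstrip("-").isdigit():
            raise ValueError(f"numeric probe compared with {rhs!r}")
        rhs = int(rhs)
    elif op not in ("==", "!="):
        raise ValueError(f"ordering operator {op} used on a string probe")
    return _COMPARE[op](lhs, rhs)


def run_exit_code(path):
    """Default runner for the command form: execute the path directly,
    without a shell, and report its exit status.  A missing or hanging
    command counts as non-zero, i.e. the rule does not apply."""
    try:
        return subprocess.run([path], capture_output=True, timeout=5).returncode
    except (OSError, subprocess.TimeoutExpired):
        return 1


def rule_applies(sudo_filter, facts=None, runner=run_exit_code):
    """Decide whether an LDAP rule carrying this sudoFilter applies here.

    Command form: a plain absolute path, applies iff it exits 0.
    Expression form: clauses joined by AND / OR; AND binds tighter than OR.
    """
    if facts is None:
        facts = host_facts()
    text = sudo_filter.strip()
    if len(text) >= 2 and text[0] == text[-1] == '"':
        text = text[1:-1]                      # strip the attribute's quotes
    if text.startswith("/"):
        if not re.fullmatch(r"/[\w./-]+", text):
            raise ValueError(f"command form must be a plain absolute path: {text!r}")
        return runner(text) == 0
    for disjunct in re.split(r"\s+OR\s+", text):
        if all(eval_clause(c, facts) for c in re.split(r"\s+AND\s+", disjunct)):
            return True
    return False


if __name__ == "__main__":
    # Constructed host facts for the demonstration (not a real host).
    demo = {"sysname": "Linux", "release": "3.16.0-4-amd64"}
    for flt in ['"$(uname -s) == Linux"',
                '"$(uname -s) == SunOS OR $(uname -s) == AIX"',
                '"$(uname -s) == Linux AND $(uname -r|sed -e \'s/\\.//g\'|cut -d "-" -f 1) >= 3160"']:
        print(flt, "->", rule_applies(flt, demo))
```

The table of probes is the design choice that matters: extending the language means adding a named probe to PROBES, so the set of things a directory entry can ask about stays fixed and reviewable, and a filter that references anything else fails closed with a ValueError instead of silently applying the rule.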