1

I have used user groups heavily while designing access control policies. I find user groups very convenient as it's very easy to implement with PAM.

Another reason I have organized the users with various groups is to implement (minimal) RBAC. But when I saw the sudoers file (of the company I am working for) I saw that it's consists of various User_Alias instead of using groups. I got the point of using Command_Alias or Host_Alias but my questions are,

  • Why use User_Alias instead of groups?
  • If I want to use group is it good or bad from organizing and security points of view?
arif
  • 1,088
  • 13
  • 24

1 Answers1

2

Using groups for sudoers entries allows you to manage filesystem permissions (which by default are user- and group-based) in the same place as sudo rules. Using User_Alias instead of groups means all aspects of sudo rules are in the same place but makes it more difficult to manage sudo rules in the same space as filesystem permissions. So it's basically a trade-off; neither method is objectively "good" or "bad".

On balance, because my current environment works this way, it seems easier to use groups to manage both sudo rules and filesystem permissions as part of a wider role-based authorization mechanism. Ideally these authorizations would be distributed via a system such as LDAP, and would manage the groups and the sudo rules on all your servers. The security properties of the system would be dictated by the authorization system as a whole, not just your sudoers files.

Mike McManus
  • 1,415
  • 10
  • 17