On Mon, 2014-08-11 at 21:46 +0200, Jakub Hrozek wrote:
On Mon, Aug 11, 2014 at 12:28:33PM -0700, Michichael Folfsunè wrote:
> >Anyway, this discussion started as a thread about mapping sudo to either
> >InteractiveLogonRight or RemoteLogonRight. It sounds to me that
> >Michichael and Simo are for moving sudo to the Remote bucket. Is that
> >right?
>
> Negative - we're for removing it from GPO checks entirely.
Umm, I guess this /is/ technically doable, although we would need to
document the special case very carefully. Also, any custom PAM service
built around sudo (one that would maybe include sudo) would break, so
proper documentation is really paramount.
I've also reached out to the sudo maintainer to gather his view on sudo
calling the account PAM phase to make sure we're not missing something.
We need a local mapping mechanism that admins can optionally change.
Known PAM services should have a default if no explicit mapping is done.
Mapping can override known PAM services or add new PAM services
mappings.
Mappings would be like:
login -> InteractiveLoginRight
etc..
however sudo would be:
sudo -> @Allow
Simo.
--
Simo Sorce * Red Hat, Inc * New York
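The mapping mechanism Simo sketches above (built-in defaults for known PAM services, an admin mapping that can override a known service or add a new one, and a special "@Allow" target that skips the GPO logon-right check for sudo) can be made concrete as a small resolver. The following is an added example, not SSSD code and not something from this thread; the "service -> Target" mapping syntax, the set of default services beyond "login" and "sudo", the group names in the sample, and the fail-closed choice for services with no mapping are all assumptions for illustration.

```python
import re

# Logon-right names as used in the thread, plus the "@Allow" sentinel
# that means "do not consult GPO logon rights for this service at all".
INTERACTIVE = "InteractiveLogonRight"
REMOTE = "RemoteLogonRight"
ALLOW = "@Allow"
VALID_TARGETS = {INTERACTIVE, REMOTE, ALLOW}

# Built-in defaults for known PAM services. The thread names only
# "login" and "sudo"; the other entries are assumed for the example.
DEFAULT_MAP = {
    "login": INTERACTIVE,
    "gdm-password": INTERACTIVE,
    "sshd": REMOTE,
    "sudo": ALLOW,
    "sudo-i": ALLOW,
}

# One mapping per line: "<pam-service> -> <Target>". Assumed syntax.
LINE_RE = re.compile(r"^([A-Za-z0-9._-]+)\s*->\s*(@?[A-Za-z]+)$")


def parse_mapping(text):
    """Parse admin overrides; '#' starts a comment, blank lines are ignored.

    Unknown targets are rejected so a typo in the mapping cannot silently
    turn into "no check" or "always deny".
    """
    overrides = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: cannot parse {raw!r}")
        service, target = m.group(1), m.group(2)
        if target not in VALID_TARGETS:
            raise ValueError(f"line {lineno}: unknown target {target!r}")
        overrides[service] = target
    return overrides


def resolve(service, overrides):
    """Admin mapping wins over the built-in default; unmapped services give None."""
    return overrides.get(service, DEFAULT_MAP.get(service))


def gpo_permits(service, overrides, user_groups, right_members):
    """Decide whether the GPO logon-right check lets this PAM service proceed.

    right_members maps a logon right to the set of groups granted it.
    A service with no mapping is denied (fail closed; an assumption, the
    thread does not say what should happen). "@Allow" bypasses the check,
    which is the proposed treatment of sudo.
    """
    target = resolve(service, overrides)
    if target is None:
        return False
    if target == ALLOW:
        return True
    return bool(set(user_groups) & right_members.get(target, set()))


# Constructed sample admin mapping: one override of a known service and
# one service the defaults do not know.
SAMPLE_OVERRIDES = """
# constructed sample, not a real sssd.conf fragment
sshd -> InteractiveLogonRight   # treat ssh sessions like console logons
cockpit -> RemoteLogonRight     # add a service with no built-in default
"""

# Constructed group membership per logon right.
RIGHT_MEMBERS = {
    INTERACTIVE: {"Domain Users"},
    REMOTE: {"Remote Admins"},
}

if __name__ == "__main__":
    ov = parse_mapping(SAMPLE_OVERRIDES)
    for svc in ("login", "sshd", "cockpit", "sudo", "ftp"):
        print(svc, resolve(svc, ov),
              gpo_permits(svc, ov, {"Domain Users"}, RIGHT_MEMBERS))
```

Running it shows the three cases the thread cares about: "login" and the overridden "sshd" are checked against InteractiveLogonRight, the added "cockpit" service is checked against RemoteLogonRight, "sudo" passes without any group lookup, and a service nobody mapped ("ftp") is refused rather than guessed at.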