Central Management of Sudoers Policies on Sudo Manager Policy Server

When sudoers policies are uploaded to a Sudo Manager Policy Server, they are stored in a SQLite database in the file and directory specified by the sudoersdb settings. The local sudoers policies on the sudo hosts with Sudo Manager Policy Server are then no longer used when running sudo commands on these hosts.

Sudoers policies can be managed from any client or server within the Sudo Manager enterprise. The command line utility can be used directly on a Sudo Manager Policy Server, or the user can specify the --client argument to the pbdbutil --sudo calls to administer the sudo policies remotely.

To manage the sudoers policies, export the file, modify it, and re-import it using the pbdbutil --sudo -e and pbdbutil --sudo -i commands.

Export Specified Sudoer Policy File from Database (pbdbutil --sudo -e)

For export, if you use the --force option, the target directory structure is created. If you do not want to use --force, you can manually create the directories before export.

# pbdbutil --sudo -e sudohost.bt.com@/etc/sudoers --force

If there are multiple versions of a file in the database, an export with the -V option checks out the specified version of the file:

# pbdbutil --sudo -l -l /etc/sudoers
{"pathname":"sudohost.bt.com@/etc/sudoers","version":1,"tag":null,"deleted":0,"created":"2015-07-07 12:15:47"}
{"pathname":"sudohost.bt.com@/etc/sudoers","version":2,"tag":null,"deleted":0,"created":"2015-07-07 12:26:59"}
# pbdbutil --sudo -e -V "2" sudohost.bt.com@/etc/sudoers --force

Usage of Import (pbdbutil --sudo -i):

# pbdbutil --sudo -i /etc/pbsudoers/sudohost.bt.com/etc/sudoers
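
The version listing and the versioned export shown above can be combined to choose a rollback target. The following Python is an added example, not part of the product documentation: it parses `-l -l` output in the format shown on this page and builds the `-e -V` export command for the previous version. The function names, the third sample record, and the reading of a non-zero `deleted` value as "removed" are assumptions.

```python
import json

# Constructed sample: listing output in the format shown above, plus one
# made-up third entry marked deleted to exercise the filter.
SAMPLE_LISTING = """\
# pbdbutil --sudo -l -l /etc/sudoers
{"pathname":"sudohost.bt.com@/etc/sudoers","version":1,"tag":null,"deleted":0,"created":"2015-07-07 12:15:47"}
{"pathname":"sudohost.bt.com@/etc/sudoers","version":2,"tag":null,"deleted":0,"created":"2015-07-07 12:26:59"}
{"pathname":"sudohost.bt.com@/etc/sudoers","version":3,"tag":null,"deleted":1,"created":"2015-07-07 12:40:00"}
"""

def parse_listing(text):
    """Return {pathname: [records sorted by version]} from JSON-lines output."""
    by_path = {}
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("{"):
            continue  # skip the echoed command line and blank lines
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # ignore truncated or malformed records
        if "pathname" not in rec or not isinstance(rec.get("version"), int):
            continue
        by_path.setdefault(rec["pathname"], []).append(rec)
    for recs in by_path.values():
        recs.sort(key=lambda r: r["version"])
    return by_path

def rollback_version(records):
    """Previous live version, or None if there is nothing to roll back to."""
    # Assumption: a non-zero "deleted" field marks a removed entry.
    live = [r["version"] for r in records if not r.get("deleted")]
    return live[-2] if len(live) >= 2 else None

def export_command(pathname, version):
    """argv for exporting one version, in the argument order used above."""
    return ["pbdbutil", "--sudo", "-e", "-V", str(version), pathname, "--force"]

if __name__ == "__main__":
    for path, recs in parse_listing(SAMPLE_LISTING).items():
        target = rollback_version(recs)
        if target is not None:
            print(" ".join(export_command(path, target)))
```

The script only prints the command; review the exported file before re-importing it with pbdbutil --sudo -i.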

For more examples, see Sudo Database Options in the Endpoint Privilege Management for Unix and Linux Administration Guide.