Host Aliases

A Sudo Manager host alias provides a way to group several hosts that share a common set of sudoers policies. This is not the same as a sudoers Host_Alias, which is resolved inside a sudoers policy. Rather, a Sudo Manager host alias is used by the Sudo Manager Policy Server to select an appropriate policy by mapping different hostnames to the same arbitrary string.

Host aliases are manipulated using the pbdbutil command on the Sudo Manager Policy Server:

  • To map host names to an alias:
    pbdbutil --sudo -A <ALIAS> <hostnames…>

    This command can also be used to reassign a host to a different alias.

  • To unmap host(s) from an alias:
    pbdbutil --sudo -X <host_fqdn(s)...>

    When unmapping a host from the alias that provides its policy, the Sudo Manager Policy Server first checks its database for a policy already associated with the host's fully qualified domain name (FQDN). If it cannot find one, the unmapping command fails with an error unless you use the --force option.

  • To unmap host(s) from an alias by force:
    pbdbutil --sudo -X <host_fqdn(s)...> --force

    Use --force with caution. If the Sudo Manager Policy Server's database has no fallback policy associated with the host's FQDN, sudo on that host will not function correctly.

If the intention is to reassign a host with a different alias, use pbdbutil --sudo -A <ALIAS> <hostnames…> directly.

  • To list the alias associated with the current server:
    pbdbutil --sudo -G

  • To list all known host aliases and the host FQDNs associated with them:
    pbdbutil --sudo -GG

Sudo policies are stored in a database table that is keyed on path name and version. The version increments whenever a new copy is uploaded. The path name is composed of two parts:

<fqdn>@/<sudoers_path>

  1. The client's fully qualified domain name
  2. The client's default sudoers path (usually /etc/sudoers) as reported by sudo -V

If your sudo Policy Server defines sudoersdir in /etc/pb.settings as /etc/pbsudoers, and your Linux client's name is client0.bt.net, then the path name that identifies its policy is:

client0.bt.net@/etc/sudoers

By default, each new client's policy is uploaded to the sudo Policy Server to a unique path during installation after client registration.

The default sudoers path can vary by host. While it is commonly /etc/sudoers, third-party versions and custom builds may use different paths, like /usr/local/etc/sudoers. Use sudo -V to discover the current path. Each alias should be used only for hosts with the same sudoers path. Hosts with the same sudoers policy but a different sudoers path should use a different alias.

The client determines the part of the path name to the right of the @, following the hostname or alias. The pbsudomgr.so plugin defaults to /etc/sudoers on all platforms. Use the sudoers_file plugin argument to specify a different path.

An Endpoint Privilege Management for Unix and Linux Sudo Manager host alias can map several hosts to the same policy by substituting an arbitrary ALIAS for the hostname:

<ALIAS>@/<sudoers_path>

pbsudoinstall can easily create host aliases during installation on sudo hosts. For more information, please see the Sudo Manager Installation Guide.

To implement an alias with policies outside of pbsudoinstall, first create a policy for the alias, then assign hosts to the alias. Do all of this on the sudo Policy Server. This can be done before or after the clients are installed, and reinstallation of the clients is not required.

  1. Determine the sudoersdir path defined in the sudo Policy Server's settings:
    # pbcall -getstringsetting sudoersdir

    We use /etc/pbsudoers in the following steps.

  2. Invent an alias name in all uppercase letters. For simplicity, we use ALIAS.
  3. Determine the default sudoers file path. For familiarity, we use /etc/sudoers.
  4. Create the policy directory and sudoers file.
    # mkdir -p /etc/pbsudoers/ALIAS/etc
    # vi /etc/pbsudoers/ALIAS/etc/sudoers
  5. Verify the policy syntax with visudo, if available.
    # visudo -c -f /etc/pbsudoers/ALIAS/etc/sudoers
  6. Import the policy into the PBDB.
    # pbdbutil --sudo -i /etc/pbsudoers/ALIAS/etc/sudoers
    # pbdbutil --sudo -l
  7. Map clients to the alias.
    # pbdbutil --sudo -A ALIAS <host1> <host2> …
    # pbdbutil --sudo -G ALIAS
  8. Adjust the sudoers_file plugin argument in sudo.conf on all clients, especially those platforms with third-party or custom sudo. For example:
    # grep Plugin /etc/sudo.conf
    Plugin sudoers_policy /usr/lib/beyondtrust/pb/pbsudoers.so sudoers_file=/etc/sudoers
    Plugin sudoers_io /usr/lib/beyondtrust/pb/pbsudoers.so
  9. Verify the configuration on each client:
    # sudo -V; sudo -l
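The following is an added pre-flight checker for the procedure above; it is example code written for this page, not part of BeyondTrust's tools. It models the rules the page states (policy keys of the form <name>@/<sudoers_path>, one sudoers path per alias, and the FQDN-policy check behind --force) so an administrator can validate an alias plan before running pbdbutil. The sample sudo -V output is constructed, and the alias-name rule (uppercase letters and digits) is an assumption.

```python
"""Pre-flight checks for Sudo Manager host-alias changes (example code)."""
import re

# `sudo -V` run as root prints a "Sudoers path: ..." line; sample output below is constructed.
SAMPLE_SUDO_V = "Sudo version 1.9.x\nSudoers path: /usr/local/etc/sudoers\n"
SUDOERS_PATH_RE = re.compile(r"^Sudoers path:\s*(\S+)", re.MULTILINE)


def sudoers_path_from_sudo_v(output: str) -> str:
    """Extract the client's default sudoers path from `sudo -V` output."""
    m = SUDOERS_PATH_RE.search(output)
    if not m:
        raise ValueError("no 'Sudoers path:' line in sudo -V output")
    return m.group(1)


def policy_key(name: str, sudoers_path: str) -> str:
    """Build the PBDB path name: hostname-or-ALIAS, '@', absolute sudoers path."""
    if not sudoers_path.startswith("/"):
        raise ValueError("sudoers path must be absolute")
    return f"{name}@{sudoers_path}"


def alias_is_consistent(host_paths: dict) -> bool:
    """True when every host proposed for one alias reports the same sudoers path."""
    return len(set(host_paths.values())) == 1


def plan_alias(alias: str, host_paths: dict) -> str:
    """Return the single policy key the alias resolves to, or raise when the
    hosts disagree on sudoers path (they would need separate aliases)."""
    # Assumed naming rule: the page asks for uppercase; digits are allowed here too.
    if not (alias.isupper() and alias.isalnum()):
        raise ValueError(f"alias {alias!r} should be uppercase letters/digits")
    if not alias_is_consistent(host_paths):
        raise ValueError(f"hosts under {alias} use different sudoers paths: "
                         f"{sorted(set(host_paths.values()))}")
    return policy_key(alias, next(iter(host_paths.values())))


def can_unmap(host: str, sudoers_path: str, known_policies: set, force: bool = False) -> bool:
    """Mirror the Policy Server's check: unmapping a host succeeds only if a
    policy keyed on the host's own FQDN exists, or --force is given."""
    return force or policy_key(host, sudoers_path) in known_policies


if __name__ == "__main__":
    path = sudoers_path_from_sudo_v(SAMPLE_SUDO_V)
    print(plan_alias("ALIAS", {"client0.bt.net": path, "client1.bt.net": path}))
```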