Central management of sudoers policies
When sudoers policies are uploaded to a Sudo Manager Policy Server, they are stored in a SQLite database in the file and directory specified by the sudoersdb settings. From then on, the local sudoers policies on the sudo hosts with Sudo Manager Policy Server are no longer used when running sudo commands on these hosts.
Sudoers policies can be managed from any client or server within the Sudo Manager enterprise. The command line utility can be used directly on a Sudo Manager Policy Server, or the user can pass the --client argument to the pbdbutil --sudo calls to administer the sudo policies remotely.
To manage the sudoers policies, export the file, modify it, and re-import it using the pbdbutil --sudo -e and pbdbutil --sudo -i commands.
Export a sudoers policy file from the database (pbdbutil --sudo -e)
Note
For export, if you use the --force option, the target directory structure is created. If you do not want to use --force, you can manually create the directories before export.
# pbdbutil --sudo -e sudohost.bt.com@/etc/sudoers --force
If there are multiple versions of a file in the database, an export with the -V option checks out the specified version of the file:
# pbdbutil --sudo -l -l /etc/sudoers
{"pathname":"sudohost.bt.com@/etc/sudoers","version":1,"tag":null,"deleted":0,"created":"2015-07-07 12:15:47"}
{"pathname":"sudohost.bt.com@/etc/sudoers","version":2,"tag":null,"deleted":0,"created":"2015-07-07 12:26:59"}
# pbdbutil --sudo -e -V "2" sudohost.bt.com@/etc/sudoers --force
Example
Usage of Import (pbdbutil --sudo -i):
# pbdbutil --sudo -i /etc/pbsudoers/sudohost.bt.com/etc/sudoers
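The export, edit and re-import cycle above can be wrapped so that a policy with a syntax error never reaches the central database. This is an added example, not part of the product documentation: the function names are hypothetical, and it assumes that visudo is installed, that the policy uses standard sudoers syntax, and that exports land under /etc/pbsudoers/<host>/<path>, as the export and import commands above suggest.

```shell
#!/bin/sh
# Added example: guarded export -> edit -> validate -> import of a central policy.
# Assumption: exports land under /etc/pbsudoers/<host>/<path>; set PBSUDOERS_DIR
# if your installation uses a different location.
PBSUDOERS_DIR="${PBSUDOERS_DIR:-/etc/pbsudoers}"

# Map a database pathname (host@/path) to the local file an export produces.
export_path() {
    case "$1" in
        *@/*) printf '%s/%s%s\n' "$PBSUDOERS_DIR" "${1%%@*}" "${1#*@}" ;;
        *)    echo "expected host@/path, got: $1" >&2; return 2 ;;
    esac
}

# Read 'pbdbutil --sudo -l -l' JSON lines on stdin and print the highest
# version of pathname $1 that is not marked deleted (a candidate for -V).
latest_version() {
    grep -F "\"pathname\":\"$1\"" |
        sed -n 's/.*"version":\([0-9][0-9]*\).*"deleted":0[,}].*/\1/p' |
        sort -n | tail -n 1
}

# Export the policy, let the operator edit it, import only if visudo accepts it.
edit_policy() {
    entry="$1"
    file="$(export_path "$entry")" || return 2
    pbdbutil --sudo -e "$entry" --force || return 1
    cp -p "$file" "$file.orig" || return 1       # exported copy, kept for comparison
    ${EDITOR:-vi} "$file" || return 1            # unquoted so EDITOR may carry arguments
    if ! visudo -c -f "$file" >/dev/null; then   # syntax check before anything is uploaded
        echo "syntax check failed; $file not imported" >&2
        return 3
    fi
    if cmp -s "$file" "$file.orig"; then
        echo "no changes; nothing imported" >&2
        return 0
    fi
    pbdbutil --sudo -i "$file"
}

# Usage: edit_policy sudohost.bt.com@/etc/sudoers
```

A non-zero status from edit_policy means nothing was imported; the edited file and its .orig copy stay on disk for inspection.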