Sudo rules are used to allow a permitted user to execute a command as the superuser or as another user. Sudo is an abbreviation for “substitute user do” (as in, do a command with another user's privileges). The sudo program (e.g., a sudo implementation or any other program which allows a command to be executed using another user's privileges) requires that users authenticate themselves with a selected password. Once a user has been authenticated, a timestamp is recorded and the user may then use the sudo program without re-entering a password for a selected period of time (e.g., five minutes by default). The sudo program further determines whether the user is authorized to run the requested sudo command. The sudo program can record both successful and unsuccessful attempts, as well as errors, to syslog, to a log file, or to both.
Sudo rules are typically specified in a configuration file (the “sudoers” file), which has to be manually created and updated, and which has to be read in its entirety each time the sudo program receives a request to execute a sudo command. Alternatively, sudo rules can be stored in an LDAP directory if a special sudo schema is installed on the LDAP server. However, sudo rule entries conforming to the sudo schema are disjoint from the entries of other entities managed by the LDAP directory. For example, the LDAP entry for a sudo rule that permits a certain group of users to execute a sudo command is not linked in any way to the LDAP entries holding detailed information about that same group of users. A change in this group's membership may therefore result in inconsistent LDAP entries, significantly jeopardizing the reliability of the entire system.

LDAP directory servers generally use netgroup entries to group hosts together, and netgroup entries may not provide an efficient method for aggregating hosts. In addition, the relationship between a sudo rule entry and other LDAP entries (e.g., users, groups, etc.) is generally defined by name. If the names of the other LDAP entries are changed, the rule will no longer apply to the renamed entries, because the rule still refers to the old names. Furthermore, the commands executed under a rule are generally specified individually in each rule. For example, if a rule covers five different commands, each of the five commands must be listed in that rule.
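The name-only linkage described above is what an administrator would want to audit for. The following is an added example, not part of the original text: it parses a constructed LDIF fragment that uses the sudoers LDAP schema attributes (sudoRole, sudoUser, sudoHost, sudoCommand) and reports every %group reference in a sudoRole entry that no longer matches any posixGroup cn. The directory names and the "ops" group having been renamed are assumptions made up for the example.

```python
"""Audit sudoRole entries for %group references that do not resolve to a group.

Constructed sample data and simplified LDIF parsing (assumed; not real directory
data and not the parser of any real LDAP client)."""
from collections import defaultdict

# Constructed sample: the "ops" group was renamed elsewhere in the directory,
# so the rule's name-based reference to it now dangles.
SAMPLE_LDIF = """\
dn: cn=admins,ou=Groups,dc=example,dc=com
objectClass: posixGroup
cn: admins
memberUid: alice

dn: cn=backup,ou=SUDOers,dc=example,dc=com
objectClass: sudoRole
cn: backup
sudoUser: %admins
sudoUser: %ops
sudoHost: ALL
sudoCommand: /usr/bin/rsync
sudoCommand: /bin/tar
"""


def parse_ldif(text):
    """Return a list of entries, each a dict mapping attribute -> list of values."""
    entries, current = [], defaultdict(list)
    for line in text.splitlines():
        if not line.strip():            # blank line ends an entry
            if current:
                entries.append(dict(current))
                current = defaultdict(list)
            continue
        attr, _, value = line.partition(":")
        current[attr.strip()].append(value.strip())
    if current:
        entries.append(dict(current))
    return entries


def dangling_group_refs(entries):
    """Map each sudoRole cn -> the %group names it references that have no posixGroup entry."""
    groups = {e["cn"][0] for e in entries if "posixGroup" in e.get("objectClass", [])}
    result = {}
    for e in entries:
        if "sudoRole" not in e.get("objectClass", []):
            continue
        refs = [u[1:] for u in e.get("sudoUser", []) if u.startswith("%")]
        missing = [g for g in refs if g not in groups]
        if missing:
            result[e["cn"][0]] = missing
    return result
```

Running `dangling_group_refs(parse_ldif(SAMPLE_LDIF))` flags the "backup" rule as referring to the missing "ops" group, which is exactly the silent breakage a rename causes.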