On 2 Oct 2002, Michael Lamoureux wrote: But the real answer is: The same way you maintain everything else on the same 4000 machines. I assume if you're running 4000 machines you have some cookie-cutter secured baseline OS load that gets installed on them all when they're loaded, and then something like home-grown perl scripts wrapped around rdist or rsync, or a specific tool for the purpose like cfengine or synctree to push out changes and keep them all under control. I would assume that the sudoers file could be pushed out with the same mechanism. Or am I missing some implied complexity in your situation? If the implication is that you have 4000 one-off machines, I retract my next statement. ;-) I was assuming a more complex configuration than the wide-open one advocated by Barb, which seems to add little to no security benefit. I'm sorry I wasn't clear on this point; of course pushing out a single file to n machines shouldn't be a problem. BTW, I really envy "just me". I have yet to work anywhere where every [insert position here] is actually interchangable. Must be nice. We're talking best practices here, right? matto --mghali@snark.net------------------------------------------<darwin>< Flowers on the razor wire/I know you're here/We are few/And far between/I was thinking about her skin/Love is a many splintered thing/Don't be afraid now/Just walk on in. #include <disclaim.h>