visudo enhancement to edit-syntax-check arbitrary files

Alek O. Komarnitsky (N-CSC) alek at ast.lmco.com
Fri Dec 14 09:52:14 EST 2001


> From: Bob Proulx <rwp at hprwp.fc.hp.com>
> Subject: visudo enhancement to edit-syntax-check arbitrary files
> To: sudo-workers at courtesan.com
> 
> Proposal: Add an option to visudo to allow it to edit and thereby
> syntax check arbitrary files.
> 
> The visudo command is great for many system configurations.  But it
> does not work well for us.  Let me explain.  Here we try to use an
> infrastructure where configuration management is done on files such as
> /etc/sudoers.  The goal is to administer a network of machines as a
> group and not a group of individual machines which are all uniquely
> different.  The desired process is to make changes and check them into
> revision control and then the distribution to the network of client
> hosts is from revision control.  This way all changes can be reverted
> in the case of problems.
> 
> This works well except that *if* no syntax checking is done on the
> sudoers file before it is checked into revision control then it can be
> distributed with broken syntax.  Unfortunately the visudo command only
> edits the live system /etc/sudoers file.  And in order to use it we
> need root capability and we need to change the local system file first.
> Neither of which were really what I wanted.  Even though I am root on
> thousands of machines I try to operate as non-root when not needed.
> And besides, if all of the changes in the revision control logs are
> done as root it hides who was really making what changes.
> 
> Therefore I modified the visudo program to be able to edit and syntax
> check any arbitrary file given on the command line.  This allows the
> sudoers file to be edited and prepared offline prior to revision
> control check-in and subsequent distribution.  It guards against
> mistakes as the visudo program was designed to do.
> 
> In order to make this proposal concrete I am including my changes
> against the 1.6.3p6 visudo.c file for review.  It would be most kind
> of you to include this or similar capability in a future release of
> sudo.  If response is favorable I can include man page and usage
> string updates.  Discussion of /etc/sudoers configuration management
> best practices is also appreciated.
> 
> Thanks
> Bob


FYI FWIW: We have a similar setup to Bob's (no surprise since we
are a big company too) and we actually "cheated" and added a few
lines of code to the sudo source to change the location of the
sudoers to our "master location" which is then subsequently
rdisted out all over creation. But having this functionality
built-in to sudo would be better as I like to minimize changes
to the source code as much as possible.

So just another "vote" for this feature and it sounds like
Todd already has implemented this for us - thanx!   ;-)

alek

P.S. If I could add two more X-mas wish items that I have to tweak locally:
        - I enable insults but there is a line in ins_classic.h that I
          have to change because of possible racial overtones - instead it's:
             "And you call yourself a Rocket Scientist!"
          which is very appropriate for where I work ...    ;-)

        - The Makefile is created with "-g" ... I would suggest that this
          NOT be the default in the distribution (although I realize this
          makes it easier for Todd with his development work).


PPS. And if you'd like to see 16,000+ Xmas lights, check this out:
        http://www.komar.org/xmas/
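The workflow Bob describes (edit and syntax-check a sudoers file offline, as a non-root user, before it is checked into revision control and pushed to the client hosts) is what a pre-check-in gate looks like in practice. The script below is an added example, not code from this thread or from the sudo project; it assumes a sudo release whose visudo accepts `-c` (check only) and `-f FILE` (operate on FILE rather than /etc/sudoers), which later releases provide and which is what Bob's patch against 1.6.3p6 asked for. The paths in the usage comment are placeholders.

```shell
#!/bin/sh
# Syntax gate for sudoers files kept under revision control.
# Added example, not part of the original thread; assumes a visudo with
# "-c" (check only) and "-f FILE" (check FILE instead of /etc/sudoers).
# No root privilege is needed, and /etc/sudoers on this host is never touched.

# check_sudoers_file FILE
#   returns 0 -> parsed OK, safe to check in
#           1 -> visudo reported a syntax error (diagnostics on stderr)
#           2 -> file missing or unreadable
#           3 -> no visudo on this host, so the check could not run
check_sudoers_file() {
    file=$1
    if [ ! -r "$file" ]; then
        printf '%s: not readable\n' "$file" >&2
        return 2
    fi
    if ! command -v visudo >/dev/null 2>&1; then
        printf 'visudo not found; cannot syntax-check %s\n' "$file" >&2
        return 3
    fi
    # -c: check-only mode; -f: the candidate file, not the live sudoers.
    if visudo -c -f "$file"; then
        return 0
    fi
    return 1
}

# gate_sudoers_files FILE...
#   Checks every file named; returns non-zero if any one of them fails,
#   so a revision-control hook can refuse the check-in.
gate_sudoers_files() {
    rc=0
    for f in "$@"; do
        check_sudoers_file "$f" || rc=1
    done
    return $rc
}

# Usage as a pre-commit hook (placeholder path):
#   ./sudoers-gate.sh cm/sudoers/global || exit 1
if [ $# -gt 0 ]; then
    gate_sudoers_files "$@"
    exit $?
fi
```

Because the candidate file is named explicitly, the check runs with the committer's own identity, so the revision-control log records who changed what, which was the other half of Bob's concern.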
