Web Based Configuring
Alek O. Komarnitsky (N-CSC)
alek at ast.lmco.com
Thu Jan 18 09:28:34 EST 2001
I probably should not have used the word "correctness" below;
visudo does a pretty nice job of that. sudoers-lint is more a
tool to see if you have any "stale/orphaned" information in
your sudoers file that (while syntactically correct) is not used.
And since it generates a list of users, hosts, and netgroups,
it is easy to compare that to what you have at your site and see
if you have an entry that is no longer valid.

Admins at large sites are probably shaking their heads in agreement
with this ... unfortunately, entropy is a continual problem as stuff
tends to the maximum state of disorder ... so if you have hundreds
of lines in your sudoers file, it's easy to forget to remove stuff
which is no longer used/valid.

I've attached below the "help/usage" paragraph from sudoers-lint;
pretty darn easy to use ... download it and try it!

P.S. There is also a utility included called "sudo-usage" which parses
the sudolog file and generates various stats ... again, this is helpful
for summarizing what folks are up to, etc.

PPS. Sorry, no "clown" available with these tools! ;-) ;-) ;-)

sudoers-lint is a simple/quick-n-dirty tool to parse through the sudoers
file and list all of the commands, groups, hosts, netgroups, and users.
Syntactically, some of these can be defined in different ways/places;
so this is an approach to get a simple list. It will also do some misc.
sanity checks to see if you "orphaned" anything - i.e. did you define
an Alias but never use it. Here is the syntax for sudoers-lint:

    sudoers-lint [options - see below] < path-to-sudoers file

    -all              List EVERYTHING
    -list_commands    List commands
    -list_groups      List groups
    -list_hosts       List hosts
    -list_netgroups   List netgroups
    -list_users       List users

> From: mackay at kodak.com
> Subject: Re: Web Based Configuring
> To: sudo-users at courtesan.com
> From: Scott D. MacKay
> Oh, but I want a nice windowed system with pull down menus and a little
> clown that will show me where to click! :)
> Heh. I will probably check this page out, but in a nutshell what does it
> do over 'visudo' which I thought did some linting of its own?
> An app I would like to see is a 'sudoers2english' app; something which
> scanned a sudoers file and said in plain <insert your language here> what
> the individual rules actually meant. This would help, IMHO, both newbies
> and more experienced admins really understand what access they are
> FYI FWIW: there is a program called sudoers-lint (I wrote it! ;-) which
> checks the sudoers for "correctness" and stale information. There's a link
> to it from the sudo home page or you can get it directly from:
> http://www.komar.org/ -> Misc. Tech Stuff -> sudo-tools
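
The "orphaned Alias" check described in the message above, sketched as an added example. This is not sudoers-lint's code and not part of the original post; the function names and the sample sudoers text are constructed for illustration, and the parsing is simplified (every '#' starts a comment, ':' always separates alias definitions).

```python
import re

# Constructed sample sudoers content (not taken from the original post).
SAMPLE = r"""
# constructed sample
User_Alias  ADMINS = alice, bob
User_Alias  OLDTEAM = carol            # nobody references this one
Host_Alias  WEB = web1, web2 : DB = db1
Cmnd_Alias  RESTART = /sbin/service httpd restart, \
                      /sbin/service nginx restart
Cmnd_Alias  BACKUP = /usr/local/bin/backup
Cmnd_Alias  OPS = RESTART
ADMINS  WEB = OPS
"""

ALIAS_RE = re.compile(r"^(User|Runas|Host|Cmnd)_Alias\s+(.*)$")
NAME_RE = re.compile(r"\b[A-Z][A-Z0-9_]*\b")   # alias names are upper case

def logical_lines(text):
    """Join backslash continuations, then drop comments and blank lines."""
    joined = re.sub(r"\\\n", " ", text)
    for line in joined.splitlines():
        # Simplification: does not special-case '#include' or '#uid' forms.
        line = re.sub(r"#.*$", "", line).strip()
        if line:
            yield line

def find_orphans(text):
    """Return sorted alias names that are defined but never referenced."""
    defined = {}   # alias name -> alias type (User, Runas, Host, Cmnd)
    bodies = []    # every place an alias could be referenced
    for line in logical_lines(text):
        m = ALIAS_RE.match(line)
        if not m:
            bodies.append(line)          # user specification or Defaults line
            continue
        # One line may define several aliases of the same type, ':'-separated.
        for part in m.group(2).split(":"):
            name, _, members = part.partition("=")
            defined[name.strip()] = m.group(1)
            bodies.append(members)       # aliases may reference other aliases
    used = set()
    for body in bodies:
        used.update(NAME_RE.findall(body))
    return sorted(name for name in defined if name not in used)

if __name__ == "__main__":
    for name in find_orphans(SAMPLE):
        print("defined but never used:", name)
```

An alias referenced only by another unused alias is still counted as used here, so repeated runs after each cleanup may surface more entries.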