[sudo-users] Editing sudoers from python

Bob Proulx bob at proulx.com
Tue Oct 10 11:10:49 EDT 2006


Marcus Dean Adams wrote:
> I'm currently working on a python project, and it involves compiling
> software and to make sure the user can run the compiled software, I need
> to make sure that 'make' is run as that user, so I'm revising my
> installer bash script and just sticking sudo in everywhere that root
> permissions would be needed,

Ew...  That triggers alarm bells in my head.  I really don't think you
want to do that.  Or rather I know that *I* would not want you to do
that.  :-)

Wouldn't it be better to do the normal thing and have the user build
the software as themselves and then only if the installation requires
root have the user use sudo to install it?  Different systems have
different needs and some need root and some do not.

  tar xzvf some-python-X.Y.tar.gz
  cd some-python-X.Y
  python ./setup.py install --prefix=/usr/local

For me on my system that works and I do not need root (nor sudo) in
that situation.  (Debian uses group 'staff' to maintain the /usr/local
tree as a group writable hierarchy.  Root is not needed.  It's very
nice that way.)

However on a Red Hat system where root is required then the following
is the normal way.

  tar xzvf some-python-X.Y.tar.gz
  cd some-python-X.Y
  sudo python ./setup.py install --prefix=/usr/local

Could you help us understand your situation and say a few words about why
you want to build the sudo into your project instead of allowing it at
the user level?

> but here's my question.  I'd never used sudo until now, I'd always
> just become root directly with "su", and when I tried running it I
> noticed that by default, I wasn't a member of sudoers, and I had to
> add myself and I figured if I had the problem other people will too.

That is really a system setup question.  For example I know that the
most system installers ask at installation time to create a user
account.  If you do then that account will automatically be configured
with full sudo access on the machine.  If you bypass that question at
installation time and later log in as root and create a new user then
it is up to you whether you configure that user in the sudoers file.

> My question is, is it possible to import and edit /etc/sudoers like
> a normal text file with python, or do you really "have" to use
> visudo?

The /etc/sudoers file is just a file like any other.  You can edit it
or drop replacement files into place and the sudo command won't know
the difference.  I have several thousand systems I maintain and I
automate the configuration of that file.

Hint: The 'visudo -c -s -f SOMEFILE' options are most useful when
doing automated editing to ensure that the resulting file is correct
before putting it in place.

> I noticed it won't accept changes from any other regular
> text editor such as gedit,

The man page for visudo documents:

       There is a hard-coded list of editors that visudo will use set
       at compile-time that may be overridden via the editor sudoers
       Default variable.  This list defaults to the path to vi(1) on
       your system, as determined by the configure script.  Normally,
       visudo does not honor the VISUAL or EDITOR environment
       variables unless they contain an editor in the aforementioned
       editors list.  However, if visudo is configured with the
       --with-enveditor flag or the enveditor Default variable is set
       in sudoers, visudo will use any the editor defines by VISUAL or
       EDITOR.  Note that this can be a security hole since it allows
       the user to execute any program they wish simply by setting
       VISUAL or EDITOR.

> but if I could somehow automate the process of giving the current
> user permission to run sudo with this python script, it would be
> really handy.

That can't happen.  Only the root user can modify the system sudoers
file.  Otherwise the system would have a root security vulnerability.
If any user could simply add themselves to the sudoers configuration
then every user would be root capable.

If you are root then you can modify the sudoers file.  But then you
don't need the sudo command either because you are already root.

> It would make things a lot easier than trying to explain using
> visudo, I want this installer I'm writing to be as hands-off as
> possible.

Unless you are building an Anaconda-like installer (Anaconda is the RH
installer program written in python) I think you should not touch the
system sudoers file.

I don't know anything about your project except that it is something
that uses python but just from what I have read so far I think you are
trying to do too much.

Bob
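
The hint in the message above about checking a file with 'visudo -c -s -f SOMEFILE' before putting it in place, as an added example that is not part of the original post: the candidate is written beside the target, checked, and only then renamed over it. The names install_sudoers and checker are hypothetical, and a real run against /etc/sudoers assumes the script is already running as root.

```python
import os
import subprocess
import tempfile

# Flags are the ones named in the hint above; the candidate path is appended.
VISUDO_CHECK = ("visudo", "-c", "-s", "-f")


def install_sudoers(content, dest, checker=VISUDO_CHECK):
    """Validate `content` as a sudoers file, then atomically replace `dest`.

    Returns (ok, checker_output). `dest` is left untouched when the check fails.
    install_sudoers and `checker` are hypothetical names for this example.
    """
    dest_dir = os.path.dirname(os.path.abspath(dest))
    # Create the candidate beside the target so os.replace() is a same-filesystem rename.
    fd, tmp = tempfile.mkstemp(dir=dest_dir, prefix=".sudoers.")
    try:
        with os.fdopen(fd, "w") as f:
            os.fchmod(f.fileno(), 0o440)  # default mode sudo expects on its policy file
            f.write(content)
            f.flush()
            os.fsync(f.fileno())
        check = subprocess.run([*checker, tmp], capture_output=True, text=True)
        output = check.stdout + check.stderr
        if check.returncode != 0:
            return False, output  # syntax error: keep the old file in place
        os.replace(tmp, dest)
        tmp = None
        return True, output
    finally:
        # Remove the candidate if it was rejected or an exception interrupted us.
        if tmp is not None and os.path.exists(tmp):
            os.unlink(tmp)


if __name__ == "__main__":
    # Constructed sample run against a scratch directory, not /etc/sudoers.
    scratch = os.path.join(tempfile.mkdtemp(), "sudoers")
    good = "root ALL=(ALL) ALL\n"
    bad = "root ALL=(ALL ALL\n"  # constructed syntax error (missing parenthesis)
    for candidate in (good, bad):
        ok, out = install_sudoers(candidate, scratch)
        print("installed" if ok else "rejected", out.strip())
```

Because the rename happens only after the check passes, a rejected candidate never replaces the working file, so a bad edit cannot lock everyone out of sudo.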


