[sudo-users] Reporting on Sudoers Entries

Steve Bonds gs446vubhp at snkmail.com
Fri Mar 23 18:45:23 EDT 2012

I work in an environment with a hideously complex sudoers file.  While
it's nice to have all the access recorded in one place, that one place
is a bit of a mess having grown organically for over 10 years.

We're trying to clean up that mess, but in order to find ways to
simplify it, I have to answer the question "well, what access do we
have now?"  This simple question can be very hard to answer when
there's multiple nested Host_Alias entries, User_Aliases, and
Cmnd_Aliases or the same access is implemented ten different ways,
based on the whims of sysadmins long gone.

The ever-so-handy "sudo -l" is great for individual users on
individual hosts.  However, what if I want to find out what "sudo -l"
would report for any arbitrary host?  Do I need to go log into all of
them?  What about for any arbitrary user?  Do I need to try every
possible user on every possible host via separate "sudo -l" commands?
The man page of the current development release (1.8.5b2) just says
"on the current host", but I'm hoping there might be a way to ask it
about other hosts.

Is there a way to have sudo check "-l -U <user>" style and fool it
into thinking it's on a different host?

Is there a way to have sudo list the users that are mentioned in
aliases that would have commands on a given host?

Thanks for any help,

  -- Steve Bonds

More information about the sudo-users mailing list