[sudo-users] Reporting on Sudoers Entries

Steve Bonds gs446vubhp at snkmail.com
Fri Mar 23 18:45:23 EDT 2012


I work in an environment with a hideously complex sudoers file.  While
it's nice to have all the access recorded in one place, that one place
is a bit of a mess having grown organically for over 10 years.

We're trying to clean up that mess, but in order to find ways to
simplify it, I have to answer the question "well, what access do we
have now?"  This simple question can be very hard to answer when
there are multiple nested Host_Alias entries, User_Aliases, and
Cmnd_Aliases or the same access is implemented ten different ways,
based on the whims of sysadmins long gone.

The ever-so-handy "sudo -l" is great for individual users on
individual hosts.  However, what if I want to find out what "sudo -l"
would report for any arbitrary host?  Do I need to go log into all of
them?  What about for any arbitrary user?  Do I need to try every
possible user on every possible host via separate "sudo -l" commands?
The man page of the current development release (1.8.5b2) just says
"on the current host", but I'm hoping there might be a way to ask it
about other hosts.

Is there a way to have sudo check "-l -U <user>" style and fool it
into thinking it's on a different host?

Is there a way to have sudo list the users that are mentioned in
aliases that would have commands on a given host?

Thanks for any help,

  -- Steve Bonds
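As an added example (not part of Steve's post and not sudo project code), a small Python script that does the audit the post asks for from the file alone: it parses a constructed sudoers fragment, flattens nested User_Alias/Host_Alias/Cmnd_Alias entries and reports which users hold which commands on an arbitrary host. It assumes a simplified sudoers grammar (one user list and one host list per spec, a runas user only, no tags, Defaults, #include, netgroups or wildcards).

```python
import re
# Constructed sample sudoers for this example (not taken from the post).
SAMPLE_SUDOERS = """
User_Alias DBAS = alice, bob
User_Alias OPS = carol, DBAS
Host_Alias DBHOSTS = db1, db2
Host_Alias PRODHOSTS = web1, DBHOSTS
Cmnd_Alias DBCMDS = /usr/bin/systemctl restart postgresql
Cmnd_Alias ADMIN = /usr/bin/apt-get, DBCMDS
OPS PRODHOSTS = (root) ADMIN
dave web1 = (root) /usr/bin/apt-get
root ALL = (ALL) ALL
"""
ALIAS_RE = re.compile(r"^(User|Host|Cmnd)_Alias\s+(\w+)\s*=\s*(.+)$")

def parse(text):
    """Return alias tables and (users, hosts, runas, cmnds) specs; simplified grammar."""
    aliases, specs = {"User": {}, "Host": {}, "Cmnd": {}}, []
    for raw in text.splitlines():
        line = re.sub(r",\s*", ",", raw.split("#")[0].strip())  # strip comments, tighten lists
        if not line or line.startswith("Defaults") or "=" not in line:
            continue
        m = ALIAS_RE.match(line)
        if m:
            aliases[m.group(1)][m.group(2)] = m.group(3).split(",")
            continue
        left, right = line.split("=", 1)
        users, hosts = left.split()  # assumes exactly "User_List Host_List" on the left
        m = re.match(r"\s*\((\w+)\)\s*(.+)$", right)  # optional (runas) prefix
        runas, cmnds = (m.group(1), m.group(2)) if m else ("root", right.strip())
        specs.append((users.split(","), hosts.split(","), runas, cmnds.split(",")))
    return aliases, specs

def expand(names, table):
    """Flatten nested aliases into the literal names they ultimately contain."""
    out = []
    for n in names:
        out.extend(expand(table[n], table) if n in table else [n])
    return out

def access_on_host(text, host):
    """Map user -> {(runas, command)} for everything the file grants on `host`."""
    aliases, specs = parse(text)
    report = {}
    for users, hosts, runas, cmnds in specs:
        hostset = expand(hosts, aliases["Host"])
        if host in hostset or "ALL" in hostset:
            for u in expand(users, aliases["User"]):
                for c in expand(cmnds, aliases["Cmnd"]):
                    report.setdefault(u, set()).add((runas, c))
    return report
```

Running access_on_host over the real file for each hostname in inventory gives the per-host "sudo -l" view without logging into every machine; the same data, keyed the other way, lists every user an alias chain reaches on a given host.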


