[sudo-users] Parsing the sudoers file

Tim Bradshaw tfb at tfeb.org
Mon Sep 16 08:50:42 MDT 2013


I suspect this is a common question: sorry if so.

I need to be able to parse the sudoers file to generate things like lists of who can do what where, for the usual compliance reasons.

This seems to be surprisingly hard: there are a couple of scripts out there (one in Perl and one in Python that I have found), but I'm not at all sure I'd trust them to actually get the right answer.  I'm kind of realising that the people I'm doing this for do not care what the right answer is: what matters to people is convincing some auditor *not* actually checking things actually are secure.  But I care.

The best approach I can see to this would be to modify testsudoers to do this (it currently can take a host argument, I think I need to let this be some kind of wildcard).  I'm still a bit alarmed that, although it uses the same grammar, its check seems to be independent of sudo's, but I may not understand the code.

But before I do this: does anyone have a better answer?  This must be a common requirement, surely?

Thanks

--tim
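A minimal expander for the "who can do what where" listing Tim describes, added here as an example and not taken from the sudo project or from the Perl/Python scripts he mentions. It resolves User_/Host_/Cmnd_/Runas_Alias definitions, strips tags such as NOPASSWD:, and yields one (user, host, runas, command) row per grant; it deliberately does not cover the full grammar (negation with `!`, quoted or comma-containing command arguments, several `host = cmds` sections separated by `:` on one line, Defaults semantics, or `#include`), and the sample sudoers text and the assumed default run-as user of `root` are constructed assumptions.

```python
import re
ALIAS_KINDS = ("User_Alias", "Host_Alias", "Cmnd_Alias", "Runas_Alias")
TAG = re.compile(r"\b(?:NO)?(?:PASSWD|EXEC|SETENV|MAIL|FOLLOW|LOG_INPUT|LOG_OUTPUT):\s*")
split_list = lambda s: [x.strip() for x in s.split(",") if x.strip()]

def logical_lines(text):
    text = re.sub(r"\\\n\s*", " ", text)                  # join '\' line continuations
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()               # drop comments (and #include lines)
        if line:
            yield line

def expand(names, table):                                  # resolve aliases recursively (no cycle check)
    out = []
    for n in names:
        out.extend(expand(table[n], table) if n in table else [n])
    return out

def parse_sudoers(text):
    """Return sorted (user, host, runas, command) rows for one sudoers text."""
    aliases, specs = {k: {} for k in ALIAS_KINDS}, []
    for line in logical_lines(text):            # pass 1: aliases may be defined after their use
        head = line.split()[0]
        if head.startswith("Defaults"):
            continue                            # options, not privileges
        if head in ALIAS_KINDS:
            name, members = line[len(head):].split("=", 1)
            aliases[head][name.strip()] = split_list(members)
        else:
            specs.append(line.split("=", 1))
    rows = set()
    for left, right in specs:                   # pass 2: "users hosts = (runas) [TAG:] cmds"
        *user_part, host_part = left.split()
        users = expand(split_list(" ".join(user_part)), aliases["User_Alias"])
        hosts = expand(split_list(host_part), aliases["Host_Alias"])
        m = re.match(r"\s*\(([^)]*)\)\s*(.*)", right)   # optional (runas_user[:runas_group])
        runas_spec, cmds = (m.group(1).split(":")[0], m.group(2)) if m else ("", right)
        runas = expand(split_list(runas_spec) or ["root"], aliases["Runas_Alias"])  # assumed default
        cmds = expand(split_list(TAG.sub("", cmds)), aliases["Cmnd_Alias"])
        rows.update((u, h, r, c) for u in users for h in hosts for r in runas for c in cmds)
    return sorted(rows)

SAMPLE = """\
Defaults    env_reset
User_Alias  ADMINS = alice, bob
Host_Alias  WEB = web1, web2
root    ALL=(ALL:ALL) ALL
ADMINS  WEB = (root) NOPASSWD: SERVICES
%ops    ALL = (ALL) /bin/ls   # constructed sample, not a real sudoers file
Cmnd_Alias  SERVICES = /usr/sbin/service, \\
                       /bin/systemctl
"""
```

For a compliance listing that has to match what sudo actually enforces, cross-check the rows it produces against testsudoers rather than trusting the expansion alone.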
