[sudo-users] Parsing the sudoers file

Tim Bradshaw tfb at tfeb.org
Mon Sep 16 10:03:29 MDT 2013

Thanks for the comments so far.

On 16 Sep 2013, at 16:23, Shawn McMahon wrote:
> I've never been happy with the output of any script I've used for this.
> Generally I just use "sudo -U <user> -ll" and send the auditors that,
> for whichever user they're taking issue with.

The problem with that is that it answers the question on the current host, for users which exist on the current host only, and we need some kind of table of who can do what on all the hosts.

I think I've convinced myself that I don't want to change testsudoers since that will, I think, involve changing things that sudo itself uses, and no-one should take my changes to that, and I don't want to maintain my own version for obvious reasons!

So what I think I'm going to try is either:

Write a parser I am sure is correct for a subset of sudoers, and make sure it violently refuses anything outside the subset it understands.  Then write something that walks the resulting tree.

Or write something which will extract all the named hosts from sudoers, and then use the sudo -U ... -h ... -l thing Todd suggested.

I think the second thing might be the same as the first, almost (since whatever extracts the hosts needs to be sure it actually has found them all).


More information about the sudo-users mailing list