[sudo-users] Parsing the sudoers file

Matthew Hannigan mlh at zip.com.au
Mon Sep 16 19:21:26 MDT 2013


Try Augeas:

http://augeas.net/docs/references/lenses/files/sudoers-aug.html

I see a few bugs pop up from time to time on the augeas mailing list,
but I think it's pretty solid.


On Tue, Sep 17, 2013 at 12:50 AM, Tim Bradshaw <tfb at tfeb.org> wrote:
> I suspect this is a common question: sorry if so.
>
> I need to be able to parse the sudoers file to generate things like lists of who can do what where, for the usual compliance reasons.
>
> This seems to be surprisingly hard: there are a couple of scripts out there (one in Perl and one in Python that I have found), but I'm not at all sure I'd trust them to actually get the right answer.  I'm kind of realising that the people I'm doing this for do not care what the right answer is: what matters to people is convincing some auditor, *not* actually checking that things actually are secure.  But I care.
>
> The best approach I can see to this would be to modify testsudoers to do this (it currently can take a host argument, I think I need to let this be some kind of wildcard).  I'm still a bit alarmed that, although it uses the same grammar, its check seems to be independent of sudo's, but I may not understand the code.
>
> But before I do this: does anyone have a better answer?  This must be a common requirement, surely?
>
> Thanks
>
> --tim
>
>
>
> ____________________________________________________________
> sudo-users mailing list <sudo-users at sudo.ws>
> For list information, options, or to unsubscribe, visit:
> http://www.sudo.ws/mailman/listinfo/sudo-users



-- 
m a t t h e w   l i n u s   h a n n i g a n
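Added example for this thread (editor's code, not sudo's own parser, not testsudoers and not the Augeas lens): a deliberately simplified reader for the sudoers(5) grammar that flattens a policy into (user, host, runas, command, tags) rows, the "who can do what where" list Tim asks for, and then answers "may U run C on H as R?" using the one rule that makes a flat list misleading on its own: sudo takes the LAST matching entry, so "ALL, !SHELLS" is not the same policy as "!SHELLS, ALL". The sample policy, host names and user names are constructed for the example. Left out on purpose and flagged where it matters: #include/#includedir content (reported as unparsed rather than silently dropped), quoting, globs, netgroups, argument matching, and '!' on user/host/runas lists (refused rather than guessed). Tags are assumed to be written `TAG:` with no space before the colon, which is how sudoers(5) shows them.

```python
# Added example, not sudo's own parser (nor testsudoers or Augeas): a simplified
# sudoers(5) reader; see the lead-in for what it deliberately leaves out.
import re
from itertools import product

ALIAS_KINDS = ("User_Alias", "Runas_Alias", "Host_Alias", "Cmnd_Alias")
TAG_PAIRS = [("NOPASSWD", "PASSWD"), ("NOEXEC", "EXEC"), ("SETENV", "NOSETENV")]
OPPOSITE = {a: b for p in TAG_PAIRS for a, b in (p, p[::-1])}  # a tag cancels its opposite
SUDOERS = r"""# constructed sample policy, not taken from any real host
Defaults    env_reset, timestamp_timeout=5
User_Alias  ADMINS = alice, bob
Host_Alias  WEB = web1, web2 : DB = db1
Cmnd_Alias  SHELLS = /bin/sh, /bin/bash
Cmnd_Alias  SERVICES = /usr/sbin/service, \
                       /bin/systemctl
root        ALL = (ALL:ALL) ALL
ADMINS      WEB = (root) NOPASSWD: SERVICES, ALL, !SHELLS
carol       DB = (postgres) /usr/bin/psql : WEB = /bin/cat /var/log/nginx/access.log
#includedir /etc/sudoers.d
"""

def logical_lines(text):
    """Join '\\' continuations; drop blanks and comments, but keep '#include*' directives."""
    lines = (l.strip() for l in re.sub(r"\\[ \t]*\n", " ", text).splitlines())
    return [l for l in lines if l and (not l.startswith("#") or l.startswith("#include"))]

def split_list(s): return [i.strip() for i in s.split(",") if i.strip()]
def negate(x): return x[1:] if x.startswith("!") else "!" + x

def expand(name, table, seen=frozenset()):
    """Resolve an alias recursively; '!' in front of an alias negates each member."""
    bangs = len(name) - len(name.lstrip("!"))
    name = name[bangs:]
    if name not in table:
        return [negate(name) if bangs % 2 else name]
    if name in seen:
        raise ValueError(f"alias cycle through {name}")
    leaves = [l for m in table[name] for l in expand(m, table, seen | {name})]
    return [negate(l) for l in leaves] if bangs % 2 else leaves

def parse_cmnd_specs(text, aliases):
    """Cmnd_Spec_List: '(runas)' and tags carry over to later commands in the list."""
    runas, tags, specs = ["root"], frozenset(), []  # runas_default is root
    for spec in split_list(text):
        if m := re.match(r"\(([^)]*)\)\s*(.*)", spec):  # '(user:group)': user part only
            runas = [r for x in split_list(m.group(1))
                     for r in expand(x.partition(":")[0], aliases["Runas_Alias"])]
            spec = m.group(2)
        while (m := re.match(r"([A-Z_]+):\s*", spec)) and m.group(1) in OPPOSITE:
            tags = (tags - {OPPOSITE[m.group(1)]}) | {m.group(1)}
            spec = spec[m.end():]
        specs += [(tuple(runas), tags, c) for c in expand(spec, aliases["Cmnd_Alias"])]
    return specs

def split_user_host(left):
    """'a, b  h1, h2' -> [a, b], [h1, h2]: the lists meet at the one item with two words."""
    items = split_list(left)
    for k, item in enumerate(items):
        parts = item.split()
        if len(parts) == 2:
            return items[:k] + [parts[0]], [parts[1]] + items[k + 1:]
    raise ValueError(f"no host list in {left!r}")

def parse_user_spec(line, aliases):
    """User_List Host_List = Cmnd_Spec_List (: Host_List = Cmnd_Spec_List)*
    Assumes tags are written 'TAG:' with no space before ':', so ' : ' only separates host groups."""
    rows, users = [], None
    for seg in re.split(r"\s:\s", line):
        left, right = seg.split("=", 1)
        users, hosts = split_user_host(left) if users is None else (users, split_list(left))
        us = [u for x in users for u in expand(x, aliases["User_Alias"])]
        hs = [h for x in hosts for h in expand(x, aliases["Host_Alias"])]
        for (runas, tags, cmd), u, h in product(parse_cmnd_specs(right, aliases), us, hs):
            rows += [(u, h, r, cmd, tags) for r in runas]
    return rows

def parse_sudoers(text):
    """Return rows in file order (order matters for permits()) and unparsed '#include' lines."""
    aliases, rows, unresolved = {k: {} for k in ALIAS_KINDS}, [], []
    for line in logical_lines(text):
        kind = line.split(None, 1)[0]
        if kind.startswith("#include"):
            unresolved.append(line)  # policy this parser never saw
        elif kind.startswith("Defaults"):
            continue  # options, not permissions
        elif kind in ALIAS_KINDS:  # "Kind A = x, y : B = z"
            for chunk in line[len(kind):].split(":"):
                name, members = chunk.split("=", 1)
                aliases[kind][name.strip()] = split_list(members)
        else:
            rows += parse_user_spec(line, aliases)
    return rows, unresolved

def permits(rows, user, host, runas, cmd):
    """sudo takes the LAST matching entry; ALL matches anything, else exact string match.
    Returns (allowed, tags) or None when nothing matched."""
    def hit(pat, val): return pat == "ALL" or pat == val
    verdict = None
    for u, h, r, c, tags in rows:
        if any(x.startswith("!") for x in (u, h, r)):
            raise ValueError("negated user/host/runas lists are not evaluated here")
        if hit(u, user) and hit(h, host) and hit(r, runas) and hit(c.lstrip("!"), cmd):
            verdict = (not c.startswith("!"), tags)
    return verdict
```

Two things worth noticing when you run it on the sample. First, the flat row list says alice may run ALL on web1 as root and, four rows later, that she may not run /bin/bash; only the in-order evaluation in permits() gives the right answer (denied), and for the same reason a report that sorts or de-duplicates the rows can invert the policy. Second, the "#includedir /etc/sudoers.d" line comes back as unresolved: a compliance list that does not say "and these files were not read" is exactly the kind of output that satisfies an auditor without being true. For anything beyond an example, compare the parser's verdicts against sudo -l / testsudoers on a real host, since glob, netgroup and argument matching are all missing here.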


