[sudo-users] Parsing the sudoers file

Tim Bradshaw tfb at tfeb.org
Tue Sep 17 05:33:13 MDT 2013

On 17 Sep 2013, at 02:21, Matthew Hannigan wrote:

> Try Augeas:
> http://augeas.net/docs/references/lenses/files/sudoers-aug.html
> I see a few bugs pop up from time to time on the augeas mailing list,
> but I think it's pretty solid.

Thanks for this.  I spent some time last night realising there were a lot of edge cases that I did not know how to deal with at all, mostly around continuation lines and comments.  As far as I can see augeas *also* doesn't really know how to deal with these, which reassures me that they are genuinely hard.

Unfortunately you can persuade augeas to generate syntactically illegal files:  If you take a file which contains a comment like

	#this is a comment

and replace the comment string in augtool by, say, "1234", then it will happily dump a file containing "#1234" which sudo will puke at.  This *doesn't* work if you insert a new comment, because it is careful to put a space between the hash and the comment.  There seems to be no way (based on pretty minimal playing with it, so I could easily be wrong) of telling from within augtool whether the comment you are looking at has a leading space: both comment strings are the same.

I should probably report this to the augeas people.

More information about the sudo-users mailing list