[sudo-users] JSON import to sudoers

Tim Bradshaw tfb at tfeb.org
Mon Nov 17 18:12:22 MST 2014


On 17 Nov 2014, at 23:53, Todd C. Miller <Todd.Miller at courtesan.com> wrote:

> It's probably a fair bit of work.

Although it's easy for me to say this as I'm not doing the work (and I'm not even currently actively working on sudoers reporting), I think this, or something like it, would be very desirable.

The problem with sudoers files is really that, unless you have access to the same grammar that sudo uses, it is reasonably fiddly to parse them reliably.  My experience a year or so ago was that none of the tools (other than sudo, but including the one I wrote) I could find that purported to parse sudoers files actually did a reliable job of it.

The JSON export solves that, for reporting, at a stroke, because it gives you access, pretty much, to the parse tree.  But my secret masterplan is to have a tool which supports reporting and generation of sudoers files, so the master configuration would be managed by the tool.  To do that you need to generate the files, and although I think that's a lot easier than parsing, I'm still worried about edge cases – exactly what has to be quoted in a command line to avoid it being misinterpreted and so on.  So again, some kind of JSON thing would be very cool.

Of course, that just dumps the problem in (vi)sudo's lap, since it now has to generate the sudo files.  But there's a much higher chance of (vi)sudo getting it right than there is some random thing I write.

One thing I thought about was that it looks to me as if the LDAP sudoers thing is probably easier to generate reliably than the text one, although that obviously involves having an LDAP server.  For my masterplan that's probably a fair trade: I'd be happy to say to my client that if they want to use my tool they need to use LDAP -- apart from anything else it solves the whole distribute-the-file-around-a-million-hosts problem.
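As an added example, not from this thread or from sudo itself, a small Python reporter over a constructed JSON document shaped like a `visudo -x` export, illustrating the reporting the message describes; the key names and the assumption that a missing runas list means the sudoers default (root) are mine and should be checked against the export of your sudo version:

```python
import json

# Constructed sample modelled on the shape of `visudo -x` output
# (key names assumed; check them against your sudo version's export).
SAMPLE_EXPORT = json.loads("""
{
  "User_Specs": [
    {
      "User_List": [{"username": "alice"}, {"usergroup": "wheel"}],
      "Host_List": [{"hostname": "ALL"}],
      "Cmnd_Specs": [{
        "runasusers": [{"username": "ALL"}],
        "Options": [{"nopasswd": true}],
        "Commands": [{"command": "ALL"}]
      }]
    },
    {
      "User_List": [{"username": "bob"}],
      "Host_List": [{"hostname": "web01"}],
      "Cmnd_Specs": [{
        "runasusers": [{"username": "root"}],
        "Commands": [{"command": "/usr/bin/systemctl restart nginx"}]
      }]
    }
  ]
}
""")

def _names(entries):
    """Each list element is a one-key dict such as {"username": "alice"}."""
    return [f"{k}={v}" for e in entries for k, v in e.items()]

def report(export):
    """Flatten User_Specs into (who, hosts, runas, command, nopasswd) rows."""
    rows = []
    for spec in export.get("User_Specs", []):
        who = tuple(_names(spec.get("User_List", [])))
        hosts = tuple(_names(spec.get("Host_List", [])))
        for cs in spec.get("Cmnd_Specs", []):
            # Assumed: an absent runasusers list means the sudoers default (root)
            runas = tuple(_names(cs.get("runasusers", []))) or ("username=root",)
            opts = {k: v for o in cs.get("Options", []) for k, v in o.items()}
            for cmd in cs.get("Commands", []):
                rows.append((who, hosts, runas, cmd["command"], bool(opts.get("nopasswd"))))
    return rows

def risky(rows):
    """Rows an auditor should read first: unrestricted commands or no password."""
    return [r for r in rows if r[3] == "ALL" or r[4]]
```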

