[sudo-workers] Visudo pre/post hooks
Michael Grubb
sudo at dailyvoid.com
Tue Jul 5 15:39:57 EDT 2005
At my location we wanted to monitor/control changes to the sudoers file.
This requirement gave birth to the attached patch.
The pre/post hooks run before and/or after actual editing of the
sudoers file in question. The hooks may prevent the file from being
updated depending on the return code of the hook; however, neither
hook is required.
The pre hook is passed the name of the sudoers file as the first
argument. The post hook is passed the name of the sudoers file as the
first argument and the name of the temporary file as the second.
The hooks may return 1 of 4 different status codes:
HOOK_SUCCESS = 0
HOOK_ERROR = 1
HOOK_FATAL = 2
HOOK_PERMISSION_DENIED = 20
The semantics of the status codes are as follows:
HOOK_SUCCESS, the hook returned a successful code and "normal" flow
will continue
HOOK_ERROR, the hook encountered an error but will not impede the
"normal" flow
HOOK_FATAL, the hook encountered an error that should cause visudo to
discontinue editing
HOOK_PERMISSION_DENIED, the hook determined that permission to change
the sudoers file should not be allowed, and will discontinue editing
and display the Permission Denied message.
By "normal" flow I mean "what would normally happen if this patch
weren't in place".
By "discontinue editing" I mean that any cleanup that needs to happen
will happen and then visudo will exit.
The above status codes are defined in the new hook.h file.
The hook programs are determined by the sudoers file name. Thus if
the sudoers file is /etc/sudoers then the pre/post hooks will be:
/etc/sudoers.pre and /etc/sudoers.post respectively. If the sudoers
file is /etc/sudo.pol then the hooks will be:
/etc/sudo.pol.pre and /etc/sudo.pol.post respectively. This was the
best way to determine the sudoers -> hook program mapping short of
using a separate config file, which brings its own complexities and
issues.
Some example uses of this patch are:
Monitoring changes to the sudoers file (I get an email of the diff
output anytime a sudoers file changes)
Implementing a more robust access control for editing the sudoers file.
I will file a feature request for this patch as well, but I thought
I'd make it available here as well.
FWIW, I also have created a patch that will cause sudo -s (or when
shell_no_args is turned on in the sudoers file, sudo) to execute
sudosh instead of the login shell of the target user. If anyone is
interested let me know.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: visudo.patch
Type: application/octet-stream
Size: 5854 bytes
Desc: not available
URL: </pipermail/sudo-workers/attachments/20050705/ad2ab38d/attachment.obj>
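Below is a sample pair of hook bodies written to the calling convention the post describes, added here as an illustration; it is not the scrubbed visudo.patch attachment and not code from the sudo project. Only the four status codes and the argument layout (sudoers path to the pre hook; sudoers path and temp file to the post hook) come from the message. The editor allowlist, the SUDO_USER/USER lookup, the HOOK_LOG variable, the empty-file refusal and the sample files built in demo_hooks are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not the patch attached to the post. Two hook bodies written
# to the calling convention the message describes: the pre hook receives the
# sudoers path, the post hook receives the sudoers path and the temp file.
# Only the four status codes come from the post; the editor allowlist, the
# SUDO_USER/USER lookup, the HOOK_LOG variable and the sample files in
# demo_hooks are constructed for this demonstration.

HOOK_SUCCESS=0
HOOK_ERROR=1
HOOK_FATAL=2
HOOK_PERMISSION_DENIED=20

# Constructed policy: only these accounts may edit the sudoers file. In a
# deployed hook this would come from a root-owned, non-world-writable file.
ALLOWED_EDITORS="root secadmin"

# Pre hook: $1 is the sudoers file. Runs before the editor is started.
sudoers_pre_hook() {
    sudoers_file=$1
    # Assumption: the invoking account is in SUDO_USER (falling back to USER).
    editor=${SUDO_USER:-${USER:-unknown}}
    # A sudoers file that does not exist is reported but does not block editing.
    [ -f "$sudoers_file" ] || return "$HOOK_ERROR"
    for u in $ALLOWED_EDITORS; do
        [ "$u" = "$editor" ] && return "$HOOK_SUCCESS"
    done
    return "$HOOK_PERMISSION_DENIED"
}

# Post hook: $1 is the sudoers file, $2 the temporary file holding the edited
# content. Appends a unified diff of the change to $HOOK_LOG (the post mails
# it instead) and refuses an empty result, which would lock everyone out.
sudoers_post_hook() {
    old=$1
    new=$2
    log=${HOOK_LOG:-/dev/null}
    [ -f "$new" ] || return "$HOOK_FATAL"
    if [ ! -s "$new" ]; then
        printf '%s: refusing to install an empty sudoers file\n' "$old" >>"$log"
        return "$HOOK_PERMISSION_DENIED"
    fi
    # diff exits 0 when the files match, 1 when they differ, 2 on trouble.
    diff_rc=0
    diff -u "$old" "$new" >>"$log" 2>&1 || diff_rc=$?
    case $diff_rc in
        0|1) return "$HOOK_SUCCESS" ;;
        *)   return "$HOOK_ERROR" ;;
    esac
}

# Exercises both hooks on constructed files and prints the status codes.
demo_hooks() {
    dir=$(mktemp -d) || return 1
    printf 'root ALL=(ALL) ALL\n' >"$dir/sudoers"
    printf 'root ALL=(ALL) ALL\nalice ALL=(ALL) ALL\n' >"$dir/sudoers.tmp"
    : >"$dir/empty"
    HOOK_LOG=$dir/hook.log
    for who in secadmin mallory; do
        SUDO_USER=$who
        rc=0; sudoers_pre_hook "$dir/sudoers" || rc=$?
        echo "pre hook for $who: $rc"
    done
    rc=0; sudoers_post_hook "$dir/sudoers" "$dir/sudoers.tmp" || rc=$?
    echo "post hook, real change: $rc"
    rc=0; sudoers_post_hook "$dir/sudoers" "$dir/empty" || rc=$?
    echo "post hook, empty file: $rc"
    echo "--- audit log ---"; cat "$HOOK_LOG"
    rm -rf "$dir"
}

if [ "${1:-}" = demo ]; then demo_hooks; fi
```

Run with `sh hooks.sh demo` to see the codes for an allowed editor (0), a denied editor (20), a real change (0, with the diff in the log) and an empty result (20). To use the scripts with the patched visudo, each function body would be installed as its own program named after the sudoers file, e.g. /etc/sudoers.pre and /etc/sudoers.post as the post describes, owned by root and not writable by anyone else, since a writable hook would let the person it is meant to check rewrite the check.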