[sudo-workers] Visudo pre/post hooks

Michael Grubb sudo at dailyvoid.com
Tue Jul 5 15:39:57 EDT 2005


At my location we wanted to monitor/control changes to the sudoers file.
This requirement gave birth to the attached patch.

The pre/post hooks run before and/or after actual editing of the sudoers file in question.
The hooks may prevent the file from being updated depending on the return code of the hook;
however, neither hook is required.

The pre hook is passed the name of the sudoers file as the first argument.
The post hook is passed the name of the sudoers file as the first argument and the name of the temporary file as the second.

The hooks may return 1 of 4 different status codes:
HOOK_SUCCESS = 0
HOOK_ERROR = 1
HOOK_FATAL = 2
HOOK_PERMISSION_DENIED = 20

The semantics of the status codes are as follows:

HOOK_SUCCESS, the hook returned a successful code and "normal" flow will continue.
HOOK_ERROR, the hook encountered an error but will not impede the "normal" flow.
HOOK_FATAL, the hook encountered an error that should cause visudo to discontinue editing.
HOOK_PERMISSION_DENIED, the hook determined that permission to change the sudoers file should not be allowed, and will discontinue editing and display the Permission Denied message.

By "normal" flow I mean "what would normally happen if this patch weren't in place."
By "discontinue editing" I mean that any cleanup that needs to happen will happen and then visudo will exit.

The above status codes are defined in the new hook.h file.

The hook programs are determined by the sudoers file name. Thus if the sudoers file is /etc/sudoers then the pre/post hooks will be:
/etc/sudoers.pre and /etc/sudoers.post respectively. If the sudoers file is /etc/sudo.pol then the hooks will be:
/etc/sudo.pol.pre and /etc/sudo.pol.post respectively. This was the best way to determine the sudoers -> hook program mapping short of using a separate config file, which brings its own complexities and issues.

Some example uses of this patch are:
Monitoring changes to the sudoers file (I get an email of the diff output anytime a sudoers file changes).
Implementing a more robust access control for editing the sudoers file.

I will file a feature request for this patch as well, but I thought  
I'd make it available here as well.

FWIW, I also have created a patch that will cause sudo -s (or when  
shell_no_args is turned on in the sudoers file, sudo) to execute  
sudosh instead of the login shell of the target user.  If anyone is  
interested let me know.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: visudo.patch
Type: application/octet-stream
Size: 5854 bytes
Desc: not available
URL: </pipermail/sudo-workers/attachments/20050705/ad2ab38d/attachment.obj>
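The following is an added example and not the patch attached to this message (the attachment is not reproduced here). It implements the two hooks against the contract the message describes: the pre hook gets the sudoers path as $1, the post hook gets the sudoers path as $1 and visudo's temporary file as $2, and both answer with the four exit codes the message lists. Everything beyond that contract is an assumption for the example: the group name "sudoadmins", the SUDOERS_EDIT_GROUP, HOOK_USER_GROUPS and HOOK_DIFF_LOG environment overrides, reading SUDO_USER to find the real editor, refusing edits that contain "NOPASSWD: ALL" as a sample policy, and appending the diff to a log file instead of mailing it so the script runs offline. The sample sudoers contents at the bottom are constructed for the demo.

```shell
#!/bin/sh
# Added example, not the patch posted to sudo-workers. Exit codes follow the
# hook.h values given in the message; hook file names follow its naming rule
# (/etc/sudoers.pre and /etc/sudoers.post for /etc/sudoers).
HOOK_SUCCESS=0
HOOK_ERROR=1
HOOK_FATAL=2
HOOK_PERMISSION_DENIED=20

# Pre hook: allow editing only to members of one group. The group name, the
# SUDOERS_EDIT_GROUP / HOOK_USER_GROUPS overrides and the use of SUDO_USER are
# assumptions for this example. visudo itself runs as root, so the real editor
# is taken from SUDO_USER when visudo was started through sudo.
pre_hook() {
    sudoers="$1"
    [ -n "$sudoers" ] || return "$HOOK_FATAL"
    allowed="${SUDOERS_EDIT_GROUP:-sudoadmins}"
    editor="${SUDO_USER:-$(id -un)}"
    for g in ${HOOK_USER_GROUPS:-$(id -Gn "$editor")}; do
        [ "$g" = "$allowed" ] && return "$HOOK_SUCCESS"
    done
    echo "visudo: $editor is not in group $allowed" >&2
    return "$HOOK_PERMISSION_DENIED"
}

# Post hook: record the diff between the installed file and the edited
# temporary file, and refuse to install an edit that grants "NOPASSWD: ALL"
# (an example policy, not something the patch defines). The diff is appended
# to HOOK_DIFF_LOG (assumed path) rather than mailed. A logging failure is
# reported as HOOK_ERROR so it does not block the edit.
post_hook() {
    sudoers="$1"
    tmpfile="$2"
    log="${HOOK_DIFF_LOG:-/var/log/sudoers-changes.log}"
    [ -r "$sudoers" ] && [ -r "$tmpfile" ] || return "$HOOK_FATAL"

    if grep -Eq 'NOPASSWD:[[:space:]]*ALL' "$tmpfile"; then
        echo "visudo: refusing to install a NOPASSWD: ALL entry" >&2
        return "$HOOK_PERMISSION_DENIED"
    fi

    # diff exits 1 when the files differ; that is the interesting case.
    changes=$(diff -u "$sudoers" "$tmpfile" || :)
    [ -n "$changes" ] || return "$HOOK_SUCCESS"   # nothing changed

    touch "$log" 2>/dev/null || return "$HOOK_ERROR"
    {
        echo "=== $(date -u +%Y-%m-%dT%H:%M:%SZ) ${SUDO_USER:-$(id -un)} edited $sudoers"
        printf '%s\n' "$changes"
    } 2>/dev/null >>"$log" || return "$HOOK_ERROR"
    return "$HOOK_SUCCESS"
}

# Demo on constructed sample input: an installed sudoers file and the edited
# copy that visudo would hand to the post hook.
demo() {
    work=$(mktemp -d)
    printf 'root ALL=(ALL) ALL\n' >"$work/sudoers"
    printf 'root ALL=(ALL) ALL\nalice ALL=(ALL) ALL\n' >"$work/sudoers.tmp"

    HOOK_USER_GROUPS="users sudoadmins"
    pre_hook "$work/sudoers"; echo "pre hook, member of sudoadmins: $?"
    HOOK_USER_GROUPS="users"
    pre_hook "$work/sudoers" 2>/dev/null; echo "pre hook, not a member: $?"
    unset HOOK_USER_GROUPS

    HOOK_DIFF_LOG="$work/changes.log"
    post_hook "$work/sudoers" "$work/sudoers.tmp"; echo "post hook: $?"
    cat "$work/changes.log"
    rm -rf "$work"
}

demo
```

Because visudo would run these as root, a hook installed next to the sudoers file must be owned by root and not writable by anyone else; otherwise the hook itself becomes a second sudoers-sized target.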