The missing API for automating sudoer changes
Here are the available options for sudoadm:
Usage:
  ./sudoadm -vnVamrAHCD <Key> <Value>
  ./sudoadm -RiV

Options:
  -h  Show this message
  -e  Show example usage

Specify a mode:
  -a  Addition mode
  -r  Removal mode

Specify an option type & value:
  -D  Defaults option
  -H  Host alias
  -A  User alias
  -C  Command alias
  -P  Permissions

Additional actions:
  -f  Specify sudoer configuration file
  -v  Perform validation of change
  -R  Perform rollback of changes
  -i  Interactive mode (Use with -R)
  -n  Create sudoer file if it doesn't exist
  -V  Be verbose

A fairly complete API for making changes is in place to help automate changes to the sudoers or sudoers.d/ file(s).
Below are some usage examples when working with the User_Alias stanza:
./sudoadm -a -A foo "bar, baz, ping, pong"
// User_Alias foo=bar, baz, ping, pong
./sudoadm -r -A foo
./sudoadm -r -A foo "bar"
// User_Alias foo=baz, ping, pong
Below are some usage examples when working with the Host_Alias stanza:
./sudoadm -a -H foo "server01, server02, server03"
// Host_Alias foo=server01, server02, server03
./sudoadm -r -H host_alias
./sudoadm -r -H foo "server03"
// Host_Alias foo=server01, server02
Below are some usage examples when working with the Cmnd_Alias stanza:
./sudoadm -a -C foo "/bin/ls, /sbin/lsof, /bin/top"
// Cmnd_Alias foo=/bin/ls, /sbin/lsof, /bin/top
./sudoadm -r -C cmd_alias
./sudoadm -r -C foo "/bin/top"
// Cmnd_Alias foo=/bin/ls, /sbin/lsof
Below are some usage examples when working with permissions:
./sudoadm -a -P foo "ALL=/sbin/lsof, /bin/strace"
// foo ALL=/bin/ls, /sbin/lsof, /bin/strace
./sudoadm -a -P %foo "localhost=/sbin/lsof, /bin/strace"
// %foo localhost=/bin/ls, /sbin/lsof, /bin/strace
./sudoadm -r -P foo
./sudoadm -r -P %foo
./sudoadm -r -P foo "/sbin/lsof"
// foo ALL=/bin/ls, /bin/strace
./sudoadm -r -P %foo "/sbin/lsof"
// %foo localhost=/bin/ls, /bin/strace
Below are some usage examples when working with defaults:
./sudoadm -a -D default_opt "!root_sudo, timestamp_timeout"
./sudoadm -r -D default_opt
./sudoadm -r -D foo "bar"
Additional options cover the sudoers file location, validation of the expected configuration (per stanza), automated restoration of the previous change, and an interactive mode for restoration.
./sudoadm -f /etc/sudoers.d/foo.conf -a -A foo "bar, baz"
./sudoadm -v -a -A foo "bar, baz"
./sudoadm -R
./sudoadm -R -i
./sudoadm -n -f /etc/sudoers.d/foo.conf -a -A foo "bar, baz"
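One defensive way to drive the -f option from automation, given here as an added example that is not part of sudoadm or its documentation: the change is applied to a private copy, syntax-checked with visudo's check-only mode, and installed only if the check passes. The helper name stage_sudoers_change and the SUDOADM and VISUDO variables are assumptions made for this example.

```shell
#!/bin/sh
# Added example: stage a sudoadm change and install it only if visudo accepts it.
# Assumptions: SUDOADM and VISUDO are overridable command names introduced here;
# stage_sudoers_change is a hypothetical helper, not part of sudoadm.
SUDOADM="${SUDOADM:-./sudoadm}"
VISUDO="${VISUDO:-visudo}"

# usage: stage_sudoers_change <target-file> <sudoadm arguments...>
# e.g.   stage_sudoers_change /etc/sudoers.d/foo -a -A foo "bar, baz"
stage_sudoers_change() {
    target="$1"; shift
    workdir=$(mktemp -d) || return 1
    stage="$workdir/sudoers.stage"

    # Work on a private copy so the live file is never half-written.
    if [ -e "$target" ]; then
        cat "$target" > "$stage" || { rm -rf "$workdir"; return 1; }
    else
        : > "$stage"
    fi

    # Apply the change to the copy using the -f option from the usage text.
    if ! "$SUDOADM" -f "$stage" "$@"; then
        echo "sudoadm failed; $target left unchanged" >&2
        rm -rf "$workdir"; return 1
    fi

    # Syntax-check the copy in visudo's check-only mode.
    if ! "$VISUDO" -c -f "$stage" >/dev/null; then
        echo "visudo rejected the staged file; $target left unchanged" >&2
        rm -rf "$workdir"; return 1
    fi

    # sudo expects mode 0440; run as root so the installed file is root-owned.
    install -m 0440 "$stage" "$target"
    rc=$?
    rm -rf "$workdir"
    return "$rc"
}
```

When the target lives in a directory read through sudoers' includedir directive, note that sudo skips file names that contain a "." or end in "~", so a drop-in named foo.conf is only read if it is included explicitly.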
Contributions are welcome & appreciated. Refer to the contributing document to help facilitate pull requests.
This software is licensed under the MIT License.
Copyright Jason Gerfen, 2015-2016.