/sudoadm

The missing API for automating sudoers changes


sudoadm

Options

Here are the available options for sudoadm.

  Usage:
    ./sudoadm -vnVamrAHCD <Key> <Value>
    ./sudoadm -RiV

  Options:
    -h  Show this message
    -e  Show example usage

  Specify a mode:
    -a  Addition mode
    -r  Removal mode

  Specify an option type & value:
    -D  Defaults option
    -H  Host alias
    -A  User alias
    -C  Command alias
    -P  Permissions

  Additional actions:
    -f  Specify sudoer configuration file
    -v  Perform validation of change
    -R  Perform rollback of changes
    -i  Interactive mode (Use with -R)
    -n  Create sudoer file if it doesn't exist
    -V  Be verbose

API

A fairly complete API is in place to help automate changes to the sudoers file or to files under sudoers.d/.

Manage user aliases

Below are some usage examples when working with the User_Alias stanza

Add/Edit User_Alias

./sudoadm -a -A foo "bar, baz, ping, pong"
// User_Alias foo=bar, baz, ping, pong

Remove an existing User_Alias

./sudoadm -r -A foo

Remove an existing User_Alias member

./sudoadm -r -A foo "bar"
// User_Alias foo=baz, ping, pong

Manage host aliases

Below are some usage examples when working with the Host_Alias stanza

Add/Edit Host_Alias

./sudoadm -a -H foo "server01, server02, server03"
// Host_Alias foo=server01, server02, server03

Remove an existing Host_Alias

./sudoadm -r -H foo

Remove an existing Host_Alias member

./sudoadm -r -H foo "server03"
// Host_Alias foo=server01, server02

Manage command aliases

Below are some usage examples when working with the Cmnd_Alias stanza

Add new Cmnd_Alias

./sudoadm -a -C foo "/bin/ls, /sbin/lsof, /bin/top"
// Cmnd_Alias foo=/bin/ls, /sbin/lsof, /bin/top

Remove an existing Cmnd_Alias

./sudoadm -r -C foo

Remove an existing Cmnd_Alias member

./sudoadm -r -C foo "/bin/top"
// Cmnd_Alias foo=/bin/ls, /sbin/lsof

Manage permissions

Below are some usage examples when working with permissions

Add new permission

./sudoadm -a -P foo "ALL=/bin/ls, /sbin/lsof, /bin/strace"
// foo ALL=/bin/ls, /sbin/lsof, /bin/strace

./sudoadm -a -P %foo "localhost=/bin/ls, /sbin/lsof, /bin/strace"
// %foo localhost=/bin/ls, /sbin/lsof, /bin/strace

Remove an existing set of permissions

./sudoadm -r -P foo
./sudoadm -r -P %foo

Remove an existing permissions membership item

./sudoadm -r -P foo "/sbin/lsof"
// foo ALL=/bin/ls, /bin/strace

./sudoadm -r -P %foo "/sbin/lsof"
// %foo localhost=/bin/ls, /bin/strace

Manage default options

Below are some usage examples when working with defaults

Add new default option

./sudoadm -a -D default_opt "!root_sudo, timestamp_timeout"

Remove an existing default option

./sudoadm -r -D default_opt

Remove an existing default option member

./sudoadm -r -D foo "bar"

Additional options

Additional options cover the location of the sudoers file, validation of the expected configuration (per stanza), automated restoration of the most recent saved copy, and an interactive mode for restoration.

Specify path to sudoer configuration file to add a new User_Alias & members

./sudoadm -f /etc/sudoers.d/foo.conf -a -A foo "bar, baz"

Perform validation of change regarding new user alias member(s)

./sudoadm -v -a -A foo "bar, baz"

Perform automated restoration of latest saved copy of sudoers configuration

./sudoadm -R

Perform interactive restoration of a prior saved copy of sudoers configuration

./sudoadm -R -i

Optionally create the specified sudoer configuration file if it doesn't exist

./sudoadm -n -f /etc/sudoers.d/foo.conf -a -A foo "bar, baz"
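The -f and validation options above can be paired with sudo's own checker. The following is an added example, not part of sudoadm or its documentation: it applies a sudoadm change to a staged copy, checks the result with visudo -cf, and only then replaces the target file. The function names and the SUDOADM and VISUDO variables are hypothetical, and it assumes -f accepts any path.

```shell
#!/bin/sh
# Added example: apply a sudoadm change to a staged copy and install it only
# if visudo accepts the result. Names below are hypothetical.
SUDOADM=${SUDOADM:-./sudoadm}   # path to sudoadm (assumption)
VISUDO=${VISUDO:-visudo}        # sudo's own syntax checker

# Return 0 if sudo's #includedir would read this file name. sudo skips
# names that contain a '.' or end in '~', so "foo.conf" is never loaded.
includedir_loads() {
    case "$(basename "$1")" in
        *.*|*~) return 1 ;;
        *)      return 0 ;;
    esac
}

# Usage: sudoadm_staged <target-file> <sudoadm arguments...>
# Run as root so the installed file is root-owned, as sudo requires.
sudoadm_staged() {
    target=$1; shift
    stage=$(mktemp) || return 1
    # Start from the live file, if any, so the edit sees current state.
    if [ -f "$target" ]; then cat "$target" > "$stage"; fi
    # Assumption: -f accepts any path, as in the -f examples above.
    if ! "$SUDOADM" -f "$stage" "$@"; then
        rm -f "$stage"; return 2
    fi
    # Refuse to install a file that sudo cannot parse.
    if ! "$VISUDO" -cf "$stage" >/dev/null 2>&1; then
        rm -f "$stage"; return 3
    fi
    # The '.' in the temporary name keeps #includedir from reading it.
    new="$target.new.$$"
    if install -m 0440 "$stage" "$new" && mv -f "$new" "$target"; then
        rm -f "$stage"
    else
        rm -f "$stage" "$new"; return 4
    fi
    includedir_loads "$target" ||
        echo "warning: #includedir skips $(basename "$target")" >&2
    return 0
}
```

A call such as sudoadm_staged /etc/sudoers.d/foo -a -A FOO "bar, baz" returns 0 only when the staged file parses. sudoers alias names must start with an uppercase letter and contain only uppercase letters, digits and underscores, so visudo rejects a staged file that defines an alias literally named foo.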

Contributing

Contributions are welcome & appreciated. Refer to the contributing document to help facilitate pull requests.

License

This software is licensed under the MIT License.

Copyright Jason Gerfen, 2015-2016.