cvtsudoers: not just for LDAP
The main feature of cvtsudoers is that it can convert between the sudoers file format and LDAP's LDIF file format. As I do not use LDAP in my lab environment, I stopped caring about cvtsudoers after I read the first few lines of its man page. However, cvtsudoers has additional features that are useful even without LDAP: querying the sudoers file and printing the permissions belonging to a given user or host.
I must admit, I have no idea which version of sudo introduced the filtering (-m) option to cvtsudoers. I only know that the current openSUSE Leap and AlmaLinux versions already support it, with versions 1.9.5 and 1.8.29 respectively. If the version of sudo supplied with your operating system is too old, you can find up-to-date sudo packages for many Linux distributions and UNIX variants at https://www.sudo.ws/getting/packages/.
For this blog I added a few extra rules to the sudoers file on my laptop, so it is not just the usual "members of the wheel group can do anything" but there is actually something to query. This is how it looks after removing the comments and empty lines:
Defaults always_set_home
Defaults secure_path="/usr/sbin:/usr/bin:/sbin:/bin:/usr/local/bin:/usr/local/sbin"
Defaults env_reset
Defaults env_keep = "LANG LC_ADDRESS LC_CTYPE LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE LC_ATIME LC_ALL LANGUAGE LINGUAS XDG_SESSION_COOKIE"
Defaults !insults
root ALL=(ALL) ALL
%wheel ALL=(ALL) ALL
Host_Alias WEBSERVERS = www1, www2, www3
User_Alias ADMINS = smith, johnson, williams
Cmnd_Alias REBOOT = /sbin/halt, /sbin/reboot, /sbin/poweroff
ADMINS WEBSERVERS = REBOOT
@includedir /etc/sudoers.d
Obviously, if you have a production server with a lot more rules, using cvtsudoers makes even more sense. However, even with this short configuration you can learn the basics.
The cvtsudoers command has three important command line options when we use it to query the sudoers file, plus the name of the input file:
- -f sets the output format. By default it is LDIF, but you can also choose sudoers, or JSON if you want to process the output with other software.
- -m sets the filter: the user or host name you want to query, given as user=name or host=name.
- -o sets the output file name. If omitted, the output goes to standard output.
- Finally, the name of the input file. In our case this is /etc/sudoers.
As the sudoers file can only be read by root, you need a root shell or have to run cvtsudoers through sudo. The input can be any file in sudoers format, so you can also run cvtsudoers as an unprivileged user on a copy of the policy.
First, try to query the sudoers file for a user name. We use the sudoers output format, search for user smith and send the output to the screen (omit the -o option).
czplaptop:/root # cvtsudoers -f sudoers -m user=smith /etc/sudoers
Defaults always_set_home
Defaults\
secure_path=/usr/sbin\:/usr/bin\:/sbin\:/bin\:/usr/local/bin\:/usr/local/sbin
Defaults env_reset
Defaults env_keep="LANG LC_ADDRESS LC_CTYPE LC_COLLATE LC_IDENTIFICATION\
LC_MEASUREMENT LC_MESSAGES LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER\
LC_TELEPHONE LC_ATIME LC_ALL LANGUAGE LINGUAS XDG_SESSION_COOKIE"
Defaults !insults
User_Alias ADMINS = smith, johnson, williams
Cmnd_Alias REBOOT = /sbin/halt, /sbin/reboot, /sbin/poweroff
Host_Alias WEBSERVERS = www1, www2, www3
ADMINS WEBSERVERS = REBOOT
As you can see, almost everything from the original sudoers file is here. Only three lines are missing: the @includedir at the end and the two rules for root and the wheel group, neither of which names smith. Note that the Defaults lines are printed in full and that the aliases are printed as written rather than expanded, so to confirm that smith may run /sbin/reboot on www3 you still have to follow ADMINS, WEBSERVERS and REBOOT by hand.
Now let us query for the host called www3:
czplaptop:/root # cvtsudoers -f sudoers -m host=www3 /etc/sudoers
Defaults always_set_home
Defaults\
secure_path=/usr/sbin\:/usr/bin\:/sbin\:/bin\:/usr/local/bin\:/usr/local/sbin
Defaults env_reset
Defaults env_keep="LANG LC_ADDRESS LC_CTYPE LC_COLLATE LC_IDENTIFICATION\
LC_MEASUREMENT LC_MESSAGES LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER\
LC_TELEPHONE LC_ATIME LC_ALL LANGUAGE LINGUAS XDG_SESSION_COOKIE"
Defaults !insults
User_Alias ADMINS = smith, johnson, williams
Cmnd_Alias REBOOT = /sbin/halt, /sbin/reboot, /sbin/poweroff
Host_Alias WEBSERVERS = www1, www2, www3
root ALL = (ALL) ALL
%wheel ALL = (ALL) ALL
ADMINS WEBSERVERS = REBOOT
As you can see, only a single line, the @includedir, is missing. Even the rules for root and the wheel group are here, because their host list is ALL and so they apply to www3 as well.
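To show what the -m filter actually has to do, here is a toy query in Python. It is an added illustration written for this post and not cvtsudoers' own code: it parses only the subset of the sudoers grammar used in the file above (Defaults, the three alias types, one-line rules, %group users and ALL), resolves aliases recursively, and answers the same "which rules mention this user or host?" question as the two commands above. The sudoers text and the GROUPS table standing in for /etc/group are constructed here; the table assumes smith is not in wheel, which is what the filtered output above implies. When both a user and a host are given, the toy requires a rule to match both, which is the toy's choice, not a statement about cvtsudoers.

```python
"""Toy sudoers query in the spirit of `cvtsudoers -m user=... / host=...`.

Added illustration, NOT cvtsudoers' code. Line continuations, Runas_Alias,
tags such as NOPASSWD, negation, wildcards and netgroups are out of scope.
"""
import re

# Constructed sample: the sudoers file from this post, comments stripped.
SUDOERS = """\
Defaults always_set_home
Defaults env_reset
Defaults !insults
root ALL=(ALL) ALL
%wheel ALL=(ALL) ALL
Host_Alias WEBSERVERS = www1, www2, www3
User_Alias ADMINS = smith, johnson, williams
Cmnd_Alias REBOOT = /sbin/halt, /sbin/reboot, /sbin/poweroff
ADMINS WEBSERVERS = REBOOT
@includedir /etc/sudoers.d
"""

# Constructed group table standing in for /etc/group (assumption: smith is
# not a member of wheel, as the filtered output in the post implies).
GROUPS = {"wheel": {"root"}}

ALIAS_KINDS = ("User_Alias", "Host_Alias", "Cmnd_Alias")
# user_list host_list = [(runas_list)] cmnd_list
RULE_RE = re.compile(r"^(\S+)\s+([^=\s]+)\s*=\s*(?:\(([^)]*)\)\s*)?(.+)$")


def parse(text):
    """Return {'defaults': [...], 'aliases': {kind: {name: [members]}}, 'rules': [...]}."""
    policy = {"defaults": [], "aliases": {k: {} for k in ALIAS_KINDS}, "rules": []}
    for raw in text.splitlines():
        line = raw.strip()
        # '#' comments and '@include'/'@includedir' directives are skipped;
        # this toy does not read included files.
        if not line or line[0] in "#@":
            continue
        if line.startswith("Defaults"):
            policy["defaults"].append(line)
            continue
        kind = line.split(None, 1)[0]
        if kind in ALIAS_KINDS:
            name, members = line[len(kind):].split("=", 1)
            policy["aliases"][kind][name.strip()] = [m.strip() for m in members.split(",")]
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f"unsupported sudoers line: {line!r}")
        users, hosts, runas, cmnds = m.groups()
        policy["rules"].append({
            "users": [u.strip() for u in users.split(",")],
            "hosts": [h.strip() for h in hosts.split(",")],
            "runas": runas or "root",  # sudoers' default runas user
            "cmnds": [c.strip() for c in cmnds.split(",")],
            "text": line,
        })
    return policy


def expand(policy, kind, items):
    """Recursively replace alias names by their members; 'ALL' stays as is."""
    out = []
    for item in items:
        if item in policy["aliases"][kind]:
            out.extend(expand(policy, kind, policy["aliases"][kind][item]))
        else:
            out.append(item)
    return out


def user_matches(policy, rule, user):
    for entry in expand(policy, "User_Alias", rule["users"]):
        if entry == "ALL" or entry == user:
            return True
        if entry.startswith("%") and user in GROUPS.get(entry[1:], set()):
            return True
    return False


def host_matches(policy, rule, host):
    return any(h in ("ALL", host) for h in expand(policy, "Host_Alias", rule["hosts"]))


def query(policy, user=None, host=None):
    """Rule lines matching every key given, like `-m user=U` or `-m host=H`."""
    hits = []
    for rule in policy["rules"]:
        if user is not None and not user_matches(policy, rule, user):
            continue
        if host is not None and not host_matches(policy, rule, host):
            continue
        hits.append(rule["text"])
    return hits


def commands_for(policy, user, host):
    """Expanded command list the user may run on the host (runas ignored)."""
    cmds = []
    for rule in policy["rules"]:
        if user_matches(policy, rule, user) and host_matches(policy, rule, host):
            cmds.extend(expand(policy, "Cmnd_Alias", rule["cmnds"]))
    return cmds


if __name__ == "__main__":
    p = parse(SUDOERS)
    print("user=smith:", query(p, user="smith"))
    print("host=www3: ", query(p, host="www3"))
    print("smith@www3 may run:", commands_for(p, "smith", "www3"))
```

The two queries reproduce the filtered output above: user=smith yields only the ADMINS rule, while host=www3 yields all three rules because the root and %wheel rules carry a host list of ALL. commands_for goes one step further than the filter and expands REBOOT into the three binaries, which is the question an auditor usually wants answered.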
With a configuration this small, cvtsudoers does not save much effort. With a more complex configuration the difference is a lot more visible. You can safely try it on your production configuration too: cvtsudoers only reads its input and writes nothing unless you point -o at a file, so take care not to pass /etc/sudoers as the output.
Come back to this blog again next month: sudo version 1.9.9 will enhance cvtsudoers in multiple ways!
If you would like to be notified about new posts and sudo news, sign up for the sudo blog announcement mailing list.