Bug 813

Summary: sudo should give possibility to export configuration
Product: Sudo
Reporter: Daniele Palumbo <daniele>
Component: Sudo
Assignee: Todd C. Miller <Todd.Miller>
Status: RESOLVED FIXED
Severity: enhancement
CC: daniele
Priority: low
Version: 1.8.21
Hardware: All
OS: All

Description Daniele Palumbo 2017-12-06 17:53:18 MST
Currently the configuration of sudo is not exportable.

The closest option is -l, about which the manual reports:
https://www.sudo.ws/man/1.8.21/sudo.man.html
"""
If no command is specified, list the allowed (and forbidden) commands for the invoking user (or the user specified by the -U option) on the current host. A longer list format is used if this option is specified multiple times and the security policy supports a verbose output format.
If a command is specified and is permitted by the security policy, the fully-qualified path to the command is displayed along with any command line arguments. If command is specified but not allowed, sudo will exit with a status value of 1.
"""

Exporting the configuration would be really useful in case of:
- check compliance over a server
- check/replicate LDAP implementation

For debugging purposes, it should also be written in the most replicable format possible.

The suggested syntax is:
sudo --export [-U user|--global]

This should work only if the command is allowed, with the same logic as -l.
Without -U, the current user's configuration should be exported.
--global should export all of the current sudoers configuration, but should be available only to the root user.

Original sudoers file for the below examples.
"""
Defaults env_reset, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin, log_output
Cmnd_Alias NOLOGOUTPUT = /sbin/shutdown, /usr/bin/sudoreplay
Defaults!NOLOGOUTPUT !log_output
Defaults:root authenticate
Defaults:daniele !requiretty
root ALL = (ALL) ALL
daniele build-jessie-amd64 = NOPASSWD: ALL
"""

Example output:

Please note that Defaults and Cmnd_Alias have been placed on multiple lines in the export output.

sudo --export --global
"""
# localhost configuration:
Defaults env_reset
Defaults secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
Defaults log_output
Defaults!/sbin/shutdown !log_output
Defaults!/usr/bin/sudoreplay !log_output
Defaults:root authenticate
Defaults:daniele !requiretty
root ALL = (ALL) ALL
daniele build-jessie-amd64 = (root) NOPASSWD: ALL
"""

sudo --export -U root
"""
# User root on localhost configuration:
Defaults env_reset
Defaults secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
Defaults log_output
Defaults!/sbin/shutdown !log_output
Defaults!/usr/bin/sudoreplay !log_output
Defaults:root authenticate
root ALL = (ALL) ALL
[...]
"""

sudo --export -U daniele
"""
# localhost configuration:
Defaults env_reset
Defaults secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
Defaults log_output
Defaults!/sbin/shutdown !log_output
Defaults!/usr/bin/sudoreplay !log_output
Defaults:daniele !requiretty
daniele build-jessie-amd64 = (root) NOPASSWD: ALL
"""

Such a configuration, as stated, could be imported into another system.
Comment 1 Todd C. Miller 2018-03-27 16:37:15 MDT
The cvtsudoers command in sudo 1.8.23 should be able to do what you want. As of sudo 1.8.23b1 cvtsudoers output can be filtered based on user, group and/or host.
Comment 2 Todd C. Miller 2018-05-01 10:22:29 MDT
Sudo 1.8.23 includes cvtsudoers which can export an existing sudoers file (including LDIF format) which is capable of selecting users, groups, hosts.
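
The export format proposed in the description (one setting per Defaults line, Cmnd_Alias expanded, entries filtered per user), reproduced for the sample sudoers file as an added Python example; it is not code from sudo or cvtsudoers. The names `export` and `split_list` are hypothetical, and only the constructs that appear in the sample are handled (no User_Alias, groups, host filtering, quoted values or line continuations).

```python
import re

# Constructed sample: the sudoers file quoted in the bug description.
SUDOERS = r"""
Defaults env_reset, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin, log_output
Cmnd_Alias NOLOGOUTPUT = /sbin/shutdown, /usr/bin/sudoreplay
Defaults!NOLOGOUTPUT !log_output
Defaults:root authenticate
Defaults:daniele !requiretty
root ALL = (ALL) ALL
daniele build-jessie-amd64 = NOPASSWD: ALL
"""

def split_list(text):
    # Split on commas that are not backslash-escaped (assumption: no quoted values).
    return [item.strip() for item in re.split(r"(?<!\\),", text) if item.strip()]

def export(sudoers, user=None):
    """Return normalized sudoers lines; user=None mimics the proposed --global."""
    aliases, out = {}, []
    for line in sudoers.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("Cmnd_Alias"):
            name, members = line[len("Cmnd_Alias"):].split("=", 1)
            aliases[name.strip()] = split_list(members)
        elif line.startswith("Defaults"):
            binding, settings = re.match(r"Defaults(\S*)\s+(.*)", line).groups()
            if binding.startswith(":") and user not in (None, binding[1:]):
                continue  # Defaults bound to a different user
            if binding.startswith("!"):
                # A Defaults!ALIAS entry becomes one entry per aliased command.
                targets = ["!" + c for c in aliases.get(binding[1:], [binding[1:]])]
            else:
                targets = [binding]
            out += [f"Defaults{t} {s}" for t in targets for s in split_list(settings)]
        else:
            who, rest = line.split(None, 1)
            if user not in (None, who):
                continue  # rule for a different user
            hosts, cmnds = (part.strip() for part in rest.split("=", 1))
            if not cmnds.startswith("("):
                cmnds = "(root) " + cmnds  # sudoers runs as root when no Runas_Spec is given
            out.append(f"{who} {hosts} = {cmnds}")
    return out

if __name__ == "__main__":
    print("\n".join(export(SUDOERS, user="daniele")))
```

Comparing the normalized output of two hosts line by line covers the compliance-check use case mentioned in the description.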