Bugzilla – Bug 813
sudo should give possibility to export configuration
Last modified: 2018-05-01 10:22:29 MDT
Currently the configuration of sudo is not exportable. The closest option is -l, for which the manual reports: https://www.sudo.ws/man/1.8.21/sudo.man.html

"""
If no command is specified, list the allowed (and forbidden) commands for the invoking user (or the user specified by the -U option) on the current host. A longer list format is used if this option is specified multiple times and the security policy supports a verbose output format. If a command is specified and is permitted by the security policy, the fully-qualified path to the command is displayed along with any command line arguments. If command is specified but not allowed, sudo will exit with a status value of 1.
"""

Exporting the configuration would be really useful in case of:
- checking compliance over a server
- checking/replicating an LDAP implementation

For debugging purposes, it should also be written in the most replicable format possible.

The suggested syntax is:

sudo --export [-U user|--global]

This should work only if the command is allowed, with the same logic as -l. Without -U, the current user's configuration should be exported. --global should export all of the current sudoers configuration, but should be available only for the root user.

Original sudoers file for the examples below:

"""
Defaults env_reset, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin, log_output
Cmnd_Alias NOLOGOUTPUT = /sbin/shutdown, /usr/bin/sudoreplay
Defaults!NOLOGOUTPUT !log_output
Defaults:root authenticate
Defaults:daniele !requiretty
root ALL = (ALL) ALL
daniele build-jessie-amd64 = NOPASSWD: ALL
"""

Example outputs. Please note that Defaults and Cmnd_Alias have been placed on multiple lines in the export output.
sudo --export --global

"""
# localhost configuration:
Defaults env_reset
Defaults secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
Defaults log_output
Defaults!/sbin/shutdown !log_output
Defaults!/usr/bin/sudoreplay !log_output
Defaults:root authenticate
Defaults:daniele !requiretty
root ALL = (ALL) ALL
daniele build-jessie-amd64 = (root) NOPASSWD: ALL
"""

sudo --export -U root

"""
# User root on localhost configuration:
Defaults env_reset
Defaults secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
Defaults log_output
Defaults!/sbin/shutdown !log_output
Defaults!/usr/bin/sudoreplay !log_output
Defaults:root authenticate
root ALL = (ALL) ALL
[...]
"""

sudo --export -U daniele

"""
# localhost configuration:
Defaults env_reset
Defaults secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
Defaults log_output
Defaults!/sbin/shutdown !log_output
Defaults!/usr/bin/sudoreplay !log_output
Defaults:daniele !requiretty
daniele build-jessie-amd64 = (root) NOPASSWD: ALL
"""

Such a configuration, as described, could then be imported into another system.
The cvtsudoers command in sudo 1.8.23 should be able to do what you want. As of sudo 1.8.23b1 cvtsudoers output can be filtered based on user, group and/or host.
Sudo 1.8.23 includes cvtsudoers which can export an existing sudoers file (including LDIF format) which is capable of selecting users, groups, hosts.