Fastest Way to Determine User Permissions in /etc/sudoer
Users will be remotely accessing *nix based machines via SSH and I need to determine the fastest way to check if the username that they are currently using has NOPASSWD access in the /etc/sudoers file.

Possible options:

  • grep for the username in /etc/sudoers, parse command prompt output to determine if it has NOPASSWD, if not, remove the line then append the new permissions
  • Just append a permission string to the file regardless (bad idea).
  • Attempt to sudo into a protected file and see if it prompts me for a password.

I'm hoping for something easier, but my google-fu hasn't come up with any answers.

Amrita answered 15/7, 2009 at 19:14 Comment(2)
Would have asked it on "Super User" but I'm not currently in the beta. Not sure if this even relates more to Server Fault than here; doesn't "fit" anywhere really... (Amrita)
@Hawker: Super User is in 'semi-private beta'. You can get access without hassle. Look here: blog.stackoverflow.com/2009/07/… (Cinquecento)
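The first option listed in the question (read the sudoers text and work out the user's NOPASSWD entries) as an added Python example; this is not code from the original post, and the sudoers text, user names and commands in it are constructed. It resolves User_Alias and %group entries, which a bare grep for the username would miss, and its docstring lists what it does not handle.

```python
import re

# Constructed sample /etc/sudoers text (not from a real host). It includes the cases a
# plain grep for the username gets wrong: comments, continuations, aliases, %groups.
SAMPLE_SUDOERS = """\
User_Alias      DEPLOYERS = alice, bob
root    ALL=(ALL:ALL) ALL
alice   ALL=(ALL) NOPASSWD: /usr/bin/systemctl restart app, \\
                  /usr/bin/journalctl
%wheel  ALL=(ALL) ALL
%ops    ALL=(ALL) NOPASSWD: ALL
DEPLOYERS ALL=(root) NOPASSWD: /usr/local/bin/deploy
# carol ALL=(ALL) NOPASSWD: ALL   <- commented out, must not count
carol   ALL=(ALL) PASSWD: /bin/ls
"""

def logical_lines(text):
    """Drop comments and blank lines, join backslash-continued lines."""
    buf = ""
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        line, buf = (buf + line).strip(), ""
        if line and not line.startswith("#"):
            yield line

def nopasswd_rules(text, user, groups=()):
    """Command lists `user` (member of `groups`) may run with NOPASSWD.
    Handles User_Alias and %group rules only: #include/sudoers.d, '!' negation
    and per-command tags are out of scope, so [] means 'none in this text'."""
    aliases, found = {}, []
    for line in logical_lines(text):
        m = re.match(r"User_Alias\s+(\w+)\s*=\s*(.+)", line)
        if m:
            aliases[m.group(1)] = {u.strip() for u in m.group(2).split(",")}
            continue
        who, spec = (line.split(None, 1) + [""])[:2]
        targets = aliases.get(who, {who})
        if not (user in targets or "ALL" in targets
                or any("%" + g in targets for g in groups)):
            continue
        cmds = spec.split("=", 1)[-1]                      # drop the host list
        cmds = re.sub(r"^\s*\([^)]*\)\s*", "", cmds)      # drop the (runas) part
        tagged = re.match(r"((?:\w+:\s*)*)(.*)", cmds)    # leading TAG: words, rest
        if "NOPASSWD:" in tagged.group(1).upper():
            found.append([c.strip() for c in tagged.group(2).split(",")])
    return found
```

This suits auditing a sudoers file you already hold; on a live host, asking sudo itself (as the `sudo -v` answer below does) is the authoritative check because it also covers included files.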

If sudo -v succeeds, the user has been authorized to use sudo; if it fails, then the user has not been authorized to use sudo.

# su user -c 'setsid sudo -v </dev/null'; echo $?
[sudo] password for user:
1
# su root -c 'setsid sudo -v </dev/null'; echo $?
0

Without setsid, sudo will try to ask for the password interactively even if stdin/stdout/stderr have all been redirected. If you don't have a controlling terminal, this isn't needed, but you will probably need something other than su to change user permissions, like fork+setreuid.

Spiegeleisen answered 15/7, 2009 at 20:1 Comment(0)

If you indeed need "the fastest way", I guess you're building a webserver that would handle many concurrent requests.

This raises another problem - the concurrency issue. Generally, many processes reading and writing to the same important file is a recipe for a catastrophe.

Build a small independent process to handle the task. It should have a minimal interface that will receive requests from the clients, and updates for the /etc/sudoer file. Something like has_NOPASSWD_access() and set_NOPASSWD_access(). It should read the file only when it needs to be written, so you'll greatly reduce the I/O time required to serve a request.

Pros -

  • Fast: No I/O needed for just reading the file, because it is stored in the buffer since the initial read
  • Thread safe: Only one server writes and reads the sudoer file
  • Single choice principle - only this process handles the sudoer file
  • Elegant (I hope) :-)

Cons - List them in the comments, and I'll add.

Nomadic answered 15/7, 2009 at 19:30 Comment(0)
