Fastest Way to Determine User Permissions in /etc/sudoer

StackOverflow https://stackoverflow.com/questions/1133364

Question

Users will be remotely accessing ***nix based machines via SSH and I need to determine the fastest way to check if the username that they are currently using has NOPASSWD access in the /etc/sudoers file.

Possible options:

  • grep for the username in /etc/sudoers, parse command prompt output to determine if it has NOPASSWD, if not, remove the line then append the new permissions
  • Just append a permission string to the file regardless (bad idea).
  • Attempt to sudo into a protected file and see if it prompts me for a password.

I'm hoping for something easier, but my google-fu hasn't come up with any answers.

Was it helpful?

Solution

If sudo -v succeeds, the user has been authorized to use sudo; if it fails, then the user has not been authorized to use sudo.

# su user -c 'setsid sudo -v </dev/null'; echo $?
[sudo] password for user:
1
# su root -c 'setsid sudo -v </dev/null'; echo $?
0

Without setsid, sudo will try to ask for the password interactively even if stdin/stdout/stderr have all been redirected. If you don't have a controlling terminal, this isn't needed, but you will probably need something other than su to change user permissions, like fork+setreuid.

OTHER TIPS

If you indeed need "the fastest way", I guess you're building a webserver that would handle many concurrent requests.

This raises another problem - the concurrency issue. Generally, many process reading and writing to the same important file is a recipe for a catastrophe.

Build a small independent process to handle the task. It should have a minimal interface that will receive requests from the clients, and updates for the the /etc/sudoer file. Something like has_NOPASSWD_access() and set_NOPASSWD_access(). It should read the file only when it needs to be written, so you'll greatly reduce the I/O time required to serve a request.

Pros -

  • Fast : No I/O needed for just reading the file, because it is stored in the buffer since the initial read
  • Thread safe: Only one server writes and reads the sudoer file
  • Single choice principle - only this process handles the sudoer file
  • Elegant (I hope) :-)

Cons - - List them in the comments, and I'll add.

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow
scroll top