tags:

views:

405

answers:

2
+1  Q: 

Fastest Way to Determine User Permissions in /etc/sudoer

Users will be remotely accessing ***nix based machines via SSH and I need to determine the fastest way to check if the username that they are currently using has NOPASSWD access in the /etc/sudoers file.

Possible options:

  • grep for the username in /etc/sudoers, parse command prompt output to determine if it has NOPASSWD, if not, remove the line then append the new permissions
  • Just append a permission string to the file regardless (bad idea).
  • Attempt to sudo into a protected file and see if it prompts me for a password.

I'm hoping for something easier, but my google-fu hasn't come up with any answers.

+1  A: 

If you indeed need "the fastest way", I guess you're building a webserver that would handle many concurrent requests.

This raises another problem - the concurrency issue. Generally, many process reading and writing to the same important file is a recipe for a catastrophe.

Build a small independent process to handle the task. It should have a minimal interface that will receive requests from the clients, and updates for the the /etc/sudoer file. Something like has_NOPASSWD_access() and set_NOPASSWD_access(). It should read the file only when it needs to be written, so you'll greatly reduce the I/O time required to serve a request.

Pros -

  • Fast : No I/O needed for just reading the file, because it is stored in the buffer since the initial read
  • Thread safe: Only one server writes and reads the sudoer file
  • Single choice principle - only this process handles the sudoer file
  • Elegant (I hope) :-)

Cons - - List them in the comments, and I'll add.

Adam Matan  2009-07-15 19:30:47
+1 Not really answering, but good point
neuro  2009-07-17 08:00:22
+2  A: 

If sudo -v succeeds, the user has been authorized to use sudo; if it fails, then the user has not been authorized to use sudo.

# su user -c 'setsid sudo -v </dev/null'; echo $?
[sudo] password for user:
1
# su root -c 'setsid sudo -v </dev/null'; echo $?
0

Without setsid, sudo will try to ask for the password interactively even if stdin/stdout/stderr have all been redirected. If you don't have a controlling terminal, this isn't needed, but you will probably need something other than su to change user permissions, like fork+setreuid.

ephemient  2009-07-15 20:01:04
+1 always learning new elegant tricks.
neuro  2009-07-17 07:59:09
thanks, didn't knew about: sudo -v
neoneye  2010-07-18 22:48:36

related questions

grep a file, but show several surrounding lines?
VMWare Server Under Linux Secondary NIC connection
Should I move from C++ to Python? ... Or another language?
Globus Toolkit virtual machine
How to avoid redefining VERSION, PACKAGE, etc.
How do I setup Public-Key Authentication?
showing a message box from a bash script in linux
Best Linux Distro for Computer Repair
Mapping my custom keys in Debian
Any IcedTea war stories?
How do you find the age of a long-running Linux process?
Personal Linux web server
Programmatically talking to a Serial Port in OS X or Linux
what's in your .bashrc ?
Linux - files and scripts that execute on boot
Text Editor For Linux (Besides Vi)?
Lightweight IDE for Linux
Shell scripting input redirection oddities
XML Editing/Viewing Software
What should a longtime Windows user know when starting to use Linux?
Gtk SSH client for Linux?
Getting root permissions on a file inside of vi?
Is it possible to drag windows between workspaces when using Compiz?
GTK implementation of MessageBox
Is gettimeofday() guaranteed to be of microsecond resolution?