Users will be remotely accessing ***nix based machines via SSH and I need to determine the fastest way to check if the username that they are currently using has NOPASSWD access in the /etc/sudoers file.
Possible options:
- grep for the username in /etc/sudoers, parse command prompt output to determine if it has NOPASSWD, if not, remove the line then append the new permissions
- Just append a permission string to the file regardless (bad idea).
- Attempt to sudo into a protected file and see if it prompts me for a password.
I'm hoping for something easier, but my google-fu hasn't come up with any answers.
If sudo -v succeeds, the user has been authorized to use sudo; if it fails, then the user has not been authorized to use sudo.
# su user -c 'setsid sudo -v </dev/null'; echo $? [sudo] password for user: 1 # su root -c 'setsid sudo -v </dev/null'; echo $? 0
Without setsid, sudo will try to ask for the password interactively even if stdin/stdout/stderr have all been redirected. If you don't have a controlling terminal, this isn't needed, but you will probably need something other than su to change user permissions, like fork+setreuid.
If you indeed need "the fastest way", I guess you're building a webserver that would handle many concurrent requests.
This raises another problem - the concurrency issue. Generally, many process reading and writing to the same important file is a recipe for a catastrophe.
Build a small independent process to handle the task. It should have a minimal interface that will receive requests from the clients, and updates for the the /etc/sudoer file. Something like has_NOPASSWD_access() and set_NOPASSWD_access(). It should read the file only when it needs to be written, so you'll greatly reduce the I/O time required to serve a request.
Pros -
- Fast : No I/O needed for just reading the file, because it is stored in the buffer since the initial read
- Thread safe: Only one server writes and reads the sudoer file
- Single choice principle - only this process handles the sudoer file
- Elegant (I hope) :-)
Cons - - List them in the comments, and I'll add.
来源:https://stackoverflow.com/questions/1133364/fastest-way-to-determine-user-permissions-in-etc-sudoer