LinuxQuestions.org
Old 03-23-2012, 11:14 AM   #1
bradvan
Member
 
Registered: Mar 2009
Posts: 367

Rep: Reputation: 61
sed help with sudoers file


I'm trying to set up some scripts to modify a certain command alias in the sudoers file. My basic setup will have a certain set of commands. I want to be able to add additional ones based on certain conditions. For example, if this server is one of my hadoop systems, I want to add access to hadoop. Another example is if this system is an HP system, I want to add access to hpacucli. My basic command alias is:
Code:
Cmnd_Alias BB_C = /bin/echo, /usr/bin/test, /usr/bin/wc, /usr/sbin/dmidecode, \
   /bin/grep
I want to use sed or perl to search for the BB_C command alias, find the last line, and then add the additional command. Any suggestions would be greatly appreciated.
 
Old 03-23-2012, 11:24 AM   #2
grail
LQ Guru
 
Registered: Sep 2009
Location: Perth
Distribution: Manjaro
Posts: 10,007

Rep: Reputation: 3191
What have you tried and where are you stuck?

here is a sed guide if you do not have one: http://www.grymoire.com/Unix/Sed.html
 
Old 03-23-2012, 11:50 AM   #3
dive
Senior Member
 
Registered: Aug 2003
Location: UK
Distribution: Slackware
Posts: 3,467

Rep: Reputation: Disabled
I have to say that editing sudoers like that may not be a good idea. One syntax error and you lose all the other settings and you break sudo. That's why the visudo command parses it for errors before saving it.

But, it's your machine of course so you can do as you wish.

It may be much easier to have all the entries on one line rather than breaking into separate lines (it would certainly be easier to sed).
 
Old 03-26-2012, 12:39 AM   #4
chrism01
LQ Guru
 
Registered: Aug 2004
Location: Sydney
Distribution: Rocky 9.2
Posts: 18,359

Rep: Reputation: 2751
I agree that IF you want to auto-edit sudoers, then put the whole sudoer's cmd list on one line; will make it much easier, regardless of tool ...
 
Old 03-26-2012, 05:45 AM   #5
bradvan
Member
 
Registered: Mar 2009
Posts: 367

Original Poster
Rep: Reputation: 61
Hi. Sorry for the late response. My code is at work.

I agree in general about sudoers, but I am doing this as part of my kickstarting a new server. If I manage to "mess it up," I'll find that out, change the script to remove the error, and re-kickstart the server as needed. That being said, here is what I have in perl so far:

Code:
#!/usr/bin/perl -w
use strict;
open(SUDO, "/etc/sudoers") or die("Could not open sudoers file!\n");
while(<SUDO>) {
   chomp($_);
   if ($_ =~ /Cmnd_Alias\tBB_C/) {
      if ($_ =~ /\\$/) {
         print "$_\n";
      }
   }
}
close(SUDO);
What I want to do when I find the line with BB_C and ending with a "\" is check the next line. I want to see if it also ends with a "\." If not, add my code to that line. If so, check the next line. I know my base installation script will create a command alias for BB_C with at least one continuation line. So, that is what I am keying on. I'm just not sure how to search for the "next" line once I find the BB_C line. I guess I could introduce another variable, $found?
 
Old 03-26-2012, 06:38 AM   #6
bradvan
Member
 
Registered: Mar 2009
Posts: 367

Original Poster
Rep: Reputation: 61
OK, I've come up with this, but the writes aren't working:

Code:
#!/usr/bin/perl -w
use strict;
chmod 0600, "/etc/sudoers";
my ( $found );
$found = 0;
open(SUDO, "+</etc/sudoers") or die("Could not open sudoers file!\n");
while(<SUDO>) {
   chomp($_);
   if ($found == 1) {
      if ($_ !~ /\\$/) {
         if (length($_) + length("/sbin/ifconfig") > 110) {
            print SUDO $_ . ", \\\n";
            print SUDO "\t\t/sbin/ifconfig\n";
         } else {
            print SUDO $_ . ", /sbin/ifconfig\n";
         }
         $found = 2;
      }
   } elsif ($_ =~ /Cmnd_Alias\tBB_C/) {
      if ($_ =~ /\\$/) {
         $found = 1;
      }
   }
}
close(SUDO);
chmod 0400, "/etc/sudoers";
I find the correct line, but the print isn't working.

Last edited by bradvan; 03-26-2012 at 12:51 PM. Reason: fixed ping typo
 
Old 03-26-2012, 09:37 AM   #7
grail
LQ Guru
 
Registered: Sep 2009
Location: Perth
Distribution: Manjaro
Posts: 10,007

Rep: Reputation: 3191
Well I am a little confused that you have a 'ping' line in the script?:
Code:
ping SUDO $_ . ", /sbin/ifconfig\n";
Is this perhaps the issue?

I also assume you are running your script with the correct access to be able to chmod and access the sudoers file?
 
Old 03-26-2012, 10:03 AM   #8
bradvan
Member
 
Registered: Mar 2009
Posts: 367

Original Poster
Rep: Reputation: 61
Hi Grail,

No, sorry, that was a typo. And yes, running as root.
 
Old 03-26-2012, 12:15 PM   #9
grail
LQ Guru
 
Registered: Sep 2009
Location: Perth
Distribution: Manjaro
Posts: 10,007

Rep: Reputation: 3191
So when you say:
Quote:
the print isn't working
Are you able to elaborate further? Have you put in some debug prints to see where in the code you are going and what is being executed?
 
Old 03-26-2012, 12:55 PM   #10
bradvan
Member
 
Registered: Mar 2009
Posts: 367

Original Poster
Rep: Reputation: 61
The print SUDO lines don't actually produce any new output in the sudoers file. If I remove "SUDO" from the line it prints correctly to the standard output. I think I need to figure out how to replace the current line with the contents of $line and/or add a new line after the current position.
 
Old 03-26-2012, 01:31 PM   #11
grail
LQ Guru
 
Registered: Sep 2009
Location: Perth
Distribution: Manjaro
Posts: 10,007

Rep: Reputation: 3191
Well, Perl is not my strongest suit, but all the examples I have looked at follow the format:
Code:
open FILEHANDLE,MODE,EXPR
This implies to me that you are missing a comma in between the mode and the expr.
What happens if you do:
Code:
open(SUDO, "+<","/etc/sudoers") or die("Could not open sudoers file!\n");
 
Old 03-26-2012, 08:27 PM   #12
chrism01
LQ Guru
 
Registered: Aug 2004
Location: Sydney
Distribution: Rocky 9.2
Posts: 18,359

Rep: Reputation: 2751
I'd just amend last bit
Code:
open(SUDO, "+<","/etc/sudoers") or die("Could not open sudoers file $!\n");
'$!' prints the actual error returned by the open call ie tells you why it failed ..
 
1 members found this post helpful.
Old 03-28-2012, 08:51 AM   #13
bradvan
Member
 
Registered: Mar 2009
Posts: 367

Original Poster
Rep: Reputation: 61
solved

I got it all worked out. Here is what I came up with:

Code:
#!/usr/bin/perl -w
use strict;
unless(@ARGV) {
   print "You must give the command to add to sudoers as a parameter to this script.\n";
   exit;
}
my ( $CMD ) = $ARGV[0];
# Make the file writable for the edit; the mode is set to 0440 at the end.
chmod 0660, "/etc/sudoers";
open(SUDO, "+< /etc/sudoers") or die("Could not open sudoers file: $!\n");
my ( $i, $line, $found, @sudo );
$found = 0;
# Read the whole file into memory so it can be edited and written back.
@sudo = <SUDO>;
for ($i = 0; $i < scalar(@sudo); $i++) {
   $line = $sudo[$i];
   chomp($line);
   if ($found == 1) {
      if ($line !~ /\\$/) {
         # This is the last line of the BB_C command alias.
         if (length($line) + length($CMD) > 100) {
            # Too long: make this line a continuation and insert a new one.
            $sudo[$i] = $line . ", \\\n";
            splice(@sudo, $i + 1, 0, "\t\t$CMD\n");
            # Jump past the end of the array to leave the loop.
            $i = scalar(@sudo) + 1;
         } else {
            $sudo[$i] = $line . ", $CMD\n";
         }
         $found = 2;
      }
   } elsif ($line =~ /Cmnd_Alias\tBB_C/) {
      # Found the BB_C command alias
      if ($line =~ /\\$/) {
         $found = 1;
      }
   }
}
# Rewind, write the edited lines, and cut off anything left over.
seek(SUDO,0,0);
print SUDO @sudo;
truncate(SUDO,tell(SUDO));
close(SUDO);
chmod 0440, "/etc/sudoers";
I want to thank everyone for their suggestions! I really appreciate it!
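
The same edit with the safeguard raised in post #3, as an added example that is not code from anyone in this thread: the change is made on a temporary copy, checked with `visudo -cf`, and only renamed over the real file if the check passes. It assumes the alias name is separated from `=` by whitespace; `add_to_alias` and the `SUDOERS_CHECK` override are hypothetical names introduced here. It also handles an alias written on a single line, which goes beyond the multi-line case in the thread.

```shell
#!/bin/sh
# Added example, not code from the thread.
# add_to_alias FILE ALIAS CMD
#   Appends CMD to the last line of "Cmnd_Alias ALIAS ..." in FILE.
#   The edit is made on a temporary copy, syntax-checked, and only then
#   renamed over FILE, so a bad edit never becomes the live sudoers file.
# SUDOERS_CHECK is a hypothetical override for the checker (default:
# "visudo -cf"), useful for trying the function on a scratch file.
add_to_alias() {
    file=$1 name=$2 cmd=$3
    check=${SUDOERS_CHECK:-"visudo -cf"}
    tmp=$(mktemp "$file.XXXXXX") || return 1

    # state 0: alias not seen; 1: inside the alias; 2: command appended.
    # The first alias line that does not end in a backslash is its last line.
    if ! ALIAS_NAME=$name NEW_CMD=$cmd awk '
        state == 0 && $1 == "Cmnd_Alias" && $2 == ENVIRON["ALIAS_NAME"] { state = 1 }
        state == 1 && !/\\$/ { $0 = $0 ", " ENVIRON["NEW_CMD"]; state = 2 }
        { print }
        END { exit (state == 2 ? 0 : 1) }
    ' "$file" > "$tmp"; then
        echo "add_to_alias: Cmnd_Alias $name not found in $file" >&2
        rm -f "$tmp"
        return 1
    fi

    chmod 0440 "$tmp"            # the mode sudo expects on sudoers files
    if ! $check "$tmp" >/dev/null; then
        echo "add_to_alias: syntax check failed, $file left unchanged" >&2
        rm -f "$tmp"
        return 1
    fi
    mv -f "$tmp" "$file"         # rename within one directory is atomic
}
```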
 
  

