LinuxQuestions.org
Old 03-04-2009, 01:12 AM   #1
sharma.kashyap
Member
 
Registered: Apr 2006
Posts: 41

Rep: Reputation: 15
Sudo to run at particular date and time


Hi,
I want to configure sudo so that 1 user would be able to run commands as root on that particular date for specified time.

Kindly assist
 
Old 03-04-2009, 02:17 AM   #2
Disillusionist
Senior Member
 
Registered: Aug 2004
Location: England
Distribution: Ubuntu
Posts: 1,039

Rep: Reputation: 98
The sudoers file is where you can configure access to run commands as root. You should use visudo to edit this file; however, I don't know any way of restricting this to a date and time period.

What you could do is restrict the user account at logon level, but remember this would prevent access to the system for this user outside of the time allocated.

Alternatively you could script something through cron, but remember to keep a safe copy of your original sudoers file.
 
Old 03-04-2009, 10:55 AM   #3
anomie
Senior Member
 
Registered: Nov 2004
Location: Texas
Distribution: RHEL, Scientific Linux, Debian, Fedora
Posts: 3,935
Blog Entries: 5

Rep: Reputation: Disabled
I don't know of an elegant way to do this either, but...

If this is a one-time deal, you could probably keep two (working) copies of sudoers -- #1 is the original sudoers file, and #2 is the sudoers file with the user appropriately configured. Then create an at(1) job that replaces #1 with #2 at a certain time. And create another at(1) job that replaces #2 with #1. Simple enough concept, but you'll want to test it very thoroughly, and build in some intelligent error handling and notification if things go wrong.

If your script-fu is no good, then you probably shouldn't do this.
 
Old 03-04-2009, 06:11 PM   #4
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
Quote:
Originally Posted by anomie
create an at(1) job
Yeah, that's what I thought of as well. Here's a shell script example. Untested and kind of crude, so YMMV(VM):

Code:
#!/bin/bash --
# Swap /etc/sudoers for a prepared replacement, keeping a dated backup.
# Source file
SUDOERS=/etc/sudoers
# No source
[ -f "${SUDOERS}" ] || { logger "No ${SUDOERS}. Exiting."; exit 1; }
# Bad original (-f makes visudo check the named file)
visudo -c -f "${SUDOERS}" > /dev/null || { logger "Bad ${SUDOERS}. Exiting."; exit 1; }
# Replacement
REPLACEMENT=/etc/sudoers.temporary
# No replacement
[ -f "${REPLACEMENT}" ] || { logger "No ${REPLACEMENT}. Exiting."; exit 1; }
# Bad replacement
visudo -c -f "${REPLACEMENT}" > /dev/null || { logger "Bad ${REPLACEMENT}. Exiting."; exit 1; }
# Backup file
BACKUP=/etc/.sudoers.$(date +%Y%m%d_%H%M)
# Got any?
find /etc -maxdepth 1 -type f -name '.sudoers.*' | xargs -r -I{} logger "Got '{}'"

# "on" reapplies the recorded SELinux context and file attributes to $2, "off" lifts the attributes
function wax() {
 case "$1" in
  on) [ -z "${ATTRIB[3]}" ] || chcon "${ATTRIB[3]}" "$2"; [ -z "${XATTR}" ] || chattr "=${XATTR}" "$2" ;;
  off) [ -z "${XATTR}" ] || chattr "-${XATTR}" "$2" ;;
 esac
}

# Record attributes: hash, mode/uid/gid/SELinux context, lsattr flags with the dashes removed
HASH=($(sha1sum "${SUDOERS}")); HASH=${HASH[0]}
ATTRIB=($(stat -c "%a %u %g %C" "${SUDOERS}")); m=${ATTRIB[0]}; u=${ATTRIB[1]}; g=${ATTRIB[2]}
XATTR=($(lsattr "${SUDOERS}")); XATTR=${XATTR[0]}; XATTR=${XATTR//-/}

function doStuff() { # Backup, install replacement
install -m "$m" -o "$u" -g "$g" "${SUDOERS}" "${BACKUP}" || { logger "Backup failed. Exiting."; exit 1; }
wax on "${BACKUP}"

wax off "${SUDOERS}"
# If the install fails and the file no longer matches the recorded hash, put the backup back
install -m "$m" -o "$u" -g "$g" "${REPLACEMENT}" "${SUDOERS}" \
|| { logger "Install failed. Exiting."; sha1sum "${SUDOERS}" | grep -q "${HASH}" \
|| { install -m "$m" -o "$u" -g "$g" "${BACKUP}" "${SUDOERS}"; wax on "${SUDOERS}"; }; exit 1; }
wax on "${SUDOERS}"
} # End doStuff

function unDoStuff() { # OK, so the attribs could be wrong...
# Menu entries look like "<path>_(<access_time>)"; strip the "_(...)" suffix to get the path back
select FILE in quit $(find /etc -maxdepth 1 -type f -name '.sudoers.*' -printf "%C@ %p (%a)\n"|sort -n|cut -d ' ' -f 2-|tr ' ' '_');
do case "$FILE" in quit) return;; "") continue;; *) FILE=${FILE%%_\(*}; echo "Replacing with ${FILE}"; wax off "${SUDOERS}";
install -m "$m" -o "$u" -g "$g" "${FILE}" "${SUDOERS}"; wax on "${SUDOERS}"; return;; esac; done
} # End unDoStuff

# Here's where we actually *do* stuff...
case "$1" in
undo|restore) unDoStuff;;
-*|help|warranty) echo "Doh..."; exit 127;;
*) doStuff;;
esac

# Farewell check
visudo -c -f "${SUDOERS}" > /dev/null || logger "Bad ${SUDOERS}: SOL."

exit 0
Run without arguments as 'at -f /this/file $TIMESPEC' to queue, run with argument "undo" or "restore" *should* give you a chance to replace the, ahh, replacement. Again YMMV(VM).
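
The pair of at(1) jobs proposed in post #3, as an added example that is not part of the thread and not any poster's code: it queues the restore before the grant, so the elevated sudoers can never be scheduled without its rollback. The function names, the `AT` override, the 0440 root:root mode and the file paths are assumptions made for illustration; GNU date is assumed.

```bash
#!/bin/bash
# Added example: queue both at(1) jobs for a timed sudoers swap.
# Assumptions: GNU date; paths contain no single quotes; sudoers is 0440 root:root.

AT=${AT:-at}   # queueing command, overridable so the logic can be dry-run

# Print the body of a job that installs file $1 over $2 only if visudo accepts $1.
swap_job() {
  printf "visudo -c -f '%s' >/dev/null && install -m 0440 -o root -g root '%s' '%s' || logger -p auth.err 'sudoers swap from %s failed'\n" \
    "$1" "$1" "$2" "$1"
}

# queue_window START END GRANT_COPY ORIGINAL_COPY [TARGET]
# START and END are anything `date -d` understands, e.g. "2030-01-15 09:00".
queue_window() {
  local start=$1 end=$2 grant=$3 orig=$4 target=${5:-/etc/sudoers} s e
  s=$(date -d "$start" +%s) && e=$(date -d "$end" +%s) || return 2
  [ "$e" -gt "$s" ] || { echo "end must be after start" >&2; return 3; }
  # Restore first: if it cannot be queued, the grant is never queued (fail closed).
  swap_job "$orig" "$target" | "$AT" -t "$(date -d "$end" +%Y%m%d%H%M)" || return 4
  # If this second step fails, the restore still runs and rewrites the original.
  swap_job "$grant" "$target" | "$AT" -t "$(date -d "$start" +%Y%m%d%H%M)" || return 5
}
```

Both copies are validated again by the job itself at run time, so a file edited between queueing and execution is still rejected if visudo does not accept it.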
 
Old 03-04-2009, 10:00 PM   #5
anomie
Senior Member
 
Registered: Nov 2004
Location: Texas
Distribution: RHEL, Scientific Linux, Debian, Fedora
Posts: 3,935
Blog Entries: 5

Rep: Reputation: Disabled
Quote:
Originally Posted by unSpawn
Code:
...
install -m $m -o $u -g $g ${SUDOERS} ${BACKUP} || { logger "Backup failed. Exiting."; exit 1; }
...
On a tangent: All this time I'd never heard of install(1). A nice little utility to add into the bag of scripting tricks.
 
  



All times are GMT -5. The time now is 09:23 PM.
