This script activates SUDO fragments on the client host into the designated repository based on the configuration in the grants, alias and fragments configuration files.


$ pod2text update_sudo.pl

      update_sudo.pl [-d|--debug]
     ([-p|--preview] [-g|--global]) | [-r|--remove]

:pushpin: update_sudo.pl requires a correctly configured update_sudo.conf or update_sudo.conf.local in order to work.

:pushpin: this script should only be run on the client hosts (unless the SUDO master is also its own client) and requires root privileges


This script is the administrative wrapper script and performs basic functions for SUDO controls such as:

  • distribute the SUDO controls files (copy)
  • trigger a SUDO fragments update locally or remote (apply)
  • validate SUDO syntax
  • discover SSH host keys

:pushpin: manage_sudo.sh requires a correctly configured manage_sudo.conf or manage_sudo.conf.local in order to work.


$ manage_ssh.sh --help

**** manage_sudo.sh ****
**** (c) KUDOS BVBA - Patrick Van der Veken ****

Performs basic functions for SUDO controls: update SUDOers files locally or
remote, validate SUDO syntax or copy/distribute the SUDO controls files

Syntax: ./manage_sudo.sh [--help] | (--backup | --check-syntax | --check-sudo | --preview-global | --update) |
        (--apply [--slave] [--remote-dir=<remote_directory>] [--targets=<host1>,<host2>,...]) |
        ((--copy|--distribute) [--slave] [--remote-dir=<remote_directory> [--targets=<host1>,<host2>,...]]) |
        (--discover [--targets=<host1>,<host2>,...]) |
        ([--fix-local --fix-dir=<repository_dir> [--fix-user=<unix_account>] [--create-dir]] |
         [--fix-remote [--slave] [--create-dir] [--targets=<host1>,<host2>,...]])
        [--preview-global] [--local-dir=<local_directory>]
        [--no-log] [--log-dir=<log_directory>] [--debug]


--alias             : name of the alias to process
--apply|-a          : apply SUDO controls remotely (~targets)
--backup|-b         : create a backup of the SUDO controls repository (SUDO master)
--check-syntax|-s   : do basic syntax checking on SUDO controls configuration
                      (grants & alias files)
--check-sudo        : validate the SUDO fragments in the holding directory
--copy|-c           : copy SUDO control files to remote host (~targets)
--create-dir        : also create missing directories when fixing the SUDO controls
                      repository (see also --fix-local/--fix-remote)
--debug             : print extra status messages on STDERR
--discover|-d       : discover SSH host keys (STDOUT)
--distribute        : same as --copy
--fix-dir           : location of the local SUDO controls client repository
--fix-local         : fix permissions on the local SUDO controls repository
                      (local SUDO controls repository given by --fix-dir)
--fix-remote        : fix permissions on the remote SUDO controls repository
--fix-user          : UNIX account to own SUDO controls files [default: current user]
--help|-h           : this help text
--local-dir         : location of the SUDO control files on the local filesystem.
                      [default: see LOCAL_DIR setting]
--log-dir           : specify a log directory location.
--no-log            : do not log any messages to the script log file.
--preview-global|-p : dump the global grants namespace (after alias resolution)
--remote-dir        : directory where SUDO control files are/should be
                      located/copied on/to the target host
                      [default: see REMOTE_DIR setting]
--resolve-alias|-r  : resolve an alias into its individual components
--slave             : perform actions in master->slave mode
--targets           : comma-separated list of target hosts or @groups to operate on.
                      Overrides hosts/@groups contained in the 'targets' file.
--update|-u         : apply SUDO controls locally
--version|-V        : show the script version/release/fix

Note 1: copy and apply actions are run in parallel across a maximum of clients
        at the same time [default: see MAX_BACKGROUND_PROCS setting]

Note 2: make sure correct 'sudo' rules are setup on the target systems to allow
        the SUDO controls script to run with elevated privileges.

Note 3: only GLOBAL configuration files will be distributed to target hosts.