When making changes to any of the standard SUDO Controls configuration files on the SUDO master:
/etc/sudo_master/grants
/etc/sudo_master/alias
/etc/sudo_master/targets
/etc/sudo_master/fragments.d/*
Make a backup copy first in the designated directory:
Previewing a change in grants and alias mappings
Making a change to the SUDO Controls configuration can have a large impact in terms of granted access on the client landscape. You can preview the potential effect of your change by requesting a full dump of the configured name space or access rules.
You can do this on the SUDO master server or any client with:
The info presented will be 2-element tuples showing: WHICH rules go WHERE:
By simply ‘grepping’ on the output you can apply filters.
Resolving (expanding) aliases
When using nested groups (aliases) it may be difficult to track what the alias will finally expand to. Use the --resolve-alias command-line option to manually request alias resolution.
Example alias file:
You can request manually resolution of @acme_hosts with:
Or the @acme_db alias:
Manually expanding aliases works on both master and client nodes.
Finding errors in --copy and --update operations
Since SUDO Controls will sync & update its clients in parallel via background jobs, it is not easy to always see a potential problem and correlate it to its correct host of origin.
Following command will siphon off the verbose output into a separate log file which can be used for inspection:
Then use following pattern to look for problems:
Fix any potential problems and clean up the temporary log file afterwards:
Alternatively you can also check the return code of the different sub-commands. Any return code different from 0 will be indicative of an error or errors:
Following WARning(s) may be ignored:
Other messages that may ignored are the ones caused by the sudo tool itself (locally on each client):
The following warning message indicates that the xauth utility is not installed on the client host:
Leave a comment