Update multiple sudoers file
We have multiple Linux servers that authenticate to an Active Directory domain. For a group in AD, I want to add a list of commands that are allowed to run as root using sudo. I can obviously ssh in to each computer and update the sudoers file, but that will take some time. Also, root login is not allowed, so passwordless logins will only work for non-root users.
Is there a quick way to update the sudoers file for each Linux computer at once? I am thinking of a Perl or Python script with some system administration abilities here.
Update: Thanks veroteq7 and Shane Madden. I had thought about deploying cfengine at one point, but we don't have it running currently. We have decided that using LDAP would be the best solution. I am getting an error importing the sudo LDIF schema file schema.ActiveDirectory. The error is "parameter is not correct" on line 144.
This is the content from line 144 onwards:
dn: CN=sudoRole,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: top
objectClass: classSchema
cn: sudoRole
distinguishedName: CN=sudoRole,CN=Schema,CN=Configuration,DC=X
instanceType: 4
possSuperiors: container
possSuperiors: top
subClassOf: top
governsID: 1.3.6.1.4.1.15953.9.2.1
mayContain: sudoCommand
mayContain: sudoHost
mayContain: sudoOption
mayContain: sudoRunAs
mayContain: sudoRunAsUser
mayContain: sudoRunAsGroup
mayContain: sudoUser
rDNAttID: cn
showInAdvancedViewOnly: FALSE
adminDisplayName: sudoRole
adminDescription: Sudoer Entries
objectClassCategory: 1
lDAPDisplayName: sudoRole
name: sudoRole
schemaIDGUID:: SQn432lnZ0+ukbdh3+gN3w==
systemOnly: FALSE
objectCategory: CN=Class-Schema,CN=Schema,CN=Configuration,DC=X
defaultObjectCategory: CN=sudoRole,CN=Schema,CN=Configuration,DC=X
The command that I used is:
ldifde -i -f schema.ActiveDirectory -c dc=X dc=DOMAINNAME,dc=LOCAL
Update2: I created a new question. Thanks everybody for suggestions.
Solution 1:
Why not scrap /etc/sudoers and use AD (LDAP) as your sudoers store? -- More info here.
You're already authenticating against AD, so this is just the next logical step, and gives you a convenient, centralized place to handle authentication and authorization.
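Added example, not part of the original answer: once the sudo schema from the question is in AD, the rules themselves are sudoRole objects, and the practical step is generating that LDIF correctly rather than hand-typing it. The script below builds an import for an assumed OU=SUDOers container under DC=DOMAINNAME,DC=LOCAL (the base DN taken from the asker's ldifde command), with an assumed AD group "Linux Admins" and assumed hosts and commands. It only uses attributes present in the schema the asker pasted (sudoUser, sudoHost, sudoCommand, sudoRunAsUser, sudoOption), base64-encodes attribute values LDIF cannot carry in plain form, escapes RDN characters in the DN, and refuses relative command paths, since a sudoCommand that is not an absolute path can be satisfied by whatever binary of that name the user puts first in $PATH.

```python
"""Added example (not from the thread): emit the LDIF that populates an
OU=SUDOers container with sudoRole objects for an AD-backed sudoers store.
Assumed names: DC=DOMAINNAME,DC=LOCAL (from the asker's ldifde command),
OU=SUDOers, the AD group 'Linux Admins', and the hosts/commands in main."""
import base64
import re

BASE_DN = "DC=DOMAINNAME,DC=LOCAL"   # assumed; taken from the ldifde command in the question
SUDO_OU = f"OU=SUDOers,{BASE_DN}"    # assumed container; sssd's ldap_sudo_search_base points here


def dn_escape(rdn_value):
    """Escape the characters RFC 4514 reserves inside an RDN value."""
    return re.sub(r'([,+"\\<>;])', r"\\\1", rdn_value)


def ldif_attr(name, value):
    """One LDIF attribute line; base64-encode values that are not a SAFE-STRING
    (RFC 2849: ASCII only, no NUL/CR/LF, not starting with space, ':' or '<')."""
    safe = (re.fullmatch(r"[\x01-\x09\x0b\x0c\x0e-\x7f]*", value) is not None
            and value[:1] not in (" ", ":", "<"))
    if safe:
        return f"{name}: {value}"
    return f"{name}:: {base64.b64encode(value.encode('utf-8')).decode('ascii')}"


def sudo_role(cn, ad_group, commands, hosts=("ALL",), runas_user="root", options=()):
    """LDIF 'add' record for one sudoRole: members of ad_group may run the
    listed commands as runas_user on the listed hosts. Commands must be
    absolute paths (or ALL) so the rule cannot be satisfied by a lookalike
    binary found through $PATH."""
    for cmd in commands:
        if cmd != "ALL" and not cmd.startswith("/"):
            raise ValueError(f"sudoCommand must be an absolute path: {cmd!r}")
    lines = [
        f"dn: CN={dn_escape(cn)},{SUDO_OU}",
        "changetype: add",
        "objectClass: top",
        "objectClass: sudoRole",
        ldif_attr("cn", cn),
        ldif_attr("sudoUser", f"%{ad_group}"),  # '%' prefix = group, as in /etc/sudoers
    ]
    lines += [ldif_attr("sudoHost", h) for h in hosts]
    lines += [ldif_attr("sudoCommand", c) for c in commands]
    lines.append(ldif_attr("sudoRunAsUser", runas_user))
    lines += [ldif_attr("sudoOption", o) for o in options]
    return "\n".join(lines) + "\n"


def sudoers_ldif(roles):
    """Whole import: the container, the 'defaults' role sudo reads for global
    options, then each sudoRole record, separated by blank lines."""
    container = (
        f"dn: {SUDO_OU}\nchangetype: add\nobjectClass: top\n"
        "objectClass: organizationalUnit\nou: SUDOers\n"
    )
    defaults = (
        f"dn: CN=defaults,{SUDO_OU}\nchangetype: add\nobjectClass: top\n"
        "objectClass: sudoRole\ncn: defaults\nsudoOption: env_reset\n"
    )
    return "\n".join([container, defaults] + list(roles))


if __name__ == "__main__":
    # Assumed group, hosts and commands; replace with your own.
    print(sudoers_ldif([
        sudo_role("web-admins", "Linux Admins",
                  ["/usr/bin/systemctl restart httpd", "/usr/bin/journalctl"],
                  hosts=("web1", "web2")),
    ]))
```

Import the output with ldifde -i -f as in the question. On the Linux side, sssd picks the rules up with `sudo_provider = ad` and `ldap_sudo_search_base = OU=SUDOers,DC=DOMAINNAME,DC=LOCAL` in sssd.conf (the OU name is the assumption above) and `sudoers: files sss` in nsswitch.conf; sudo then consults the local file first and LDAP second, so a local /etc/sudoers entry still wins, which is worth remembering when auditing who can do what.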
Solution 2:
How about a configuration management tool? Puppet, Chef, CFEngine, etc?
Solution 3:
You can define groups in sudoers... and pull those groups from a central authentication repository... like Active Directory. I love putting domain admins in my sudoers file. Saves a lot of headaches.
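Added example, not part of the original answer: this is the "Perl or Python script" route from the question combined with the AD-group rule described here. It generates a /etc/sudoers.d drop-in for an assumed AD group "Linux Admins" and assumed command list, then pushes it to an assumed host list over SSH as an assumed non-root user who is already allowed to sudo on each box. The points a practitioner cares about are in the remote shell: the file is staged under a name containing a dot (which sudo ignores inside sudoers.d), made root-owned 0440, syntax-checked with `visudo -cf` while in that state, and only then renamed into place, so a typo never produces a broken or world-readable sudoers fragment. How the group name appears to sudo depends on your sssd or winbind settings (use_fully_qualified_names, override_space), so check `getent group` on a client first.

```python
"""Added example (not from the thread): build a /etc/sudoers.d drop-in for an
AD group and push it to many hosts over SSH as a non-root user, letting
visudo check the file before it goes live. Assumed: the group name as the
clients present it to sudo, the command list, the host list and an SSH
user that may run sudo on each host."""
import re
import subprocess
import sys


def sudoers_group(name):
    """sudoers group token: '%' prefix, with spaces and backslashes escaped."""
    return "%" + re.sub(r"([ \\])", r"\\\1", name)


def sudoers_dropin(ad_group, commands, runas="root", nopasswd=False):
    """Text of the drop-in: a Cmnd_Alias listing the allowed commands and one
    rule binding the group to it. Commands must be absolute paths, and may
    not contain ',' (the alias separator) so a value cannot smuggle in a
    second command."""
    for cmd in commands:
        if not cmd.startswith("/") or "," in cmd:
            raise ValueError(f"bad sudo command: {cmd!r}")
    # Alias names are [A-Z][A-Z0-9_]*, so derive one from the group name.
    alias = "AD_" + re.sub(r"[^A-Z0-9_]", "_", ad_group.upper())
    tag = "NOPASSWD: " if nopasswd else ""
    return (
        "# Generated centrally; local edits will be overwritten\n"
        f"Cmnd_Alias {alias} = {', '.join(commands)}\n"
        f"{sudoers_group(ad_group)} ALL=({runas}) {tag}{alias}\n"
    )


def remote_install_script(fname):
    """Shell run on each host. The file is staged under a name containing a
    '.', which sudo skips in sudoers.d, checked with visudo -cf while it is
    root-owned 0440, and only then renamed into place (rename is atomic)."""
    if not re.fullmatch(r"[A-Za-z0-9_-]+", fname):
        raise ValueError("sudoers.d file names must not contain '.' or '~'")
    stage = f"/etc/sudoers.d/.{fname}.staging"
    final = f"/etc/sudoers.d/{fname}"
    return (
        't=$(mktemp) && cat > "$t" '
        f'&& sudo install -o root -g root -m 0440 "$t" {stage} '
        f'&& sudo visudo -cf {stage} '
        f'&& sudo mv -f {stage} {final}; '
        f'rc=$?; rm -f "$t"; sudo rm -f {stage}; exit $rc'
    )


def deploy_commands(hosts, ssh_user, fname="50-ad-admins"):
    """argv for each host; the drop-in text is fed on stdin by push()."""
    script = remote_install_script(fname)
    return [["ssh", "-o", "BatchMode=yes", f"{ssh_user}@{host}", script] for host in hosts]


def push(hosts, ssh_user, text, fname="50-ad-admins"):
    """Run the install on every host; return {host: exit status}."""
    results = {}
    for host, argv in zip(hosts, deploy_commands(hosts, ssh_user, fname)):
        proc = subprocess.run(argv, input=text, text=True, capture_output=True)
        results[host] = proc.returncode
        if proc.returncode != 0:
            print(f"{host}: {proc.stderr.strip()}", file=sys.stderr)
    return results


if __name__ == "__main__":
    # Assumed group, commands and hosts; replace with your own.
    dropin = sudoers_dropin("Linux Admins",
                            ["/usr/bin/systemctl restart httpd", "/usr/bin/journalctl"])
    print(dropin)
    print(push(["web1", "web2"], "deploy", dropin))
```

Keeping the generated rules in a separate sudoers.d file means the script never has to rewrite /etc/sudoers itself, and a later run of the same script is idempotent: it simply replaces the one file it owns.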
Solution 4:
If you're searching for an API to modify your sudoers file, you can use Augeas with the Sudoers lens. It integrates nicely with Puppet, but you could also use it in a script of yours (there are many bindings).
See this answer, for example.
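Added example, not part of the original answer: the value of Augeas here is that it edits the existing /etc/sudoers tree-wise instead of regenerating the file, so local rules survive. The script below emits the augtool commands that append one rule, using the Sudoers lens layout (spec/user, spec/host_group/host, spec/host_group/command with runas_user and tag children), and runs them through augtool if it is installed. It assumes the group is visible to the host without spaces, as "linux_admins" (sssd's override_space setting can do that), and an assumed command list; the lens is not tolerant of backslash-escaped spaces in user tokens, which is why spaces are rejected. Passing an alternative root directory to augtool makes it edit <root>/etc/sudoers, a convenient dry run before touching the real file.

```python
"""Added example (not from the thread): drive the Augeas Sudoers lens through
augtool to append a rule for an AD group without rewriting the whole file.
Assumed: the group is visible to the host as 'linux_admins' (no spaces),
plus the commands and dry-run root used in main."""
import re
import shutil
import subprocess

SUDOERS = "/files/etc/sudoers"   # Augeas path: files under /etc appear under /files


def augtool_quote(value):
    """Single-quote a value for augtool (needed when it contains spaces)."""
    if "'" in value:
        raise ValueError("single quote not allowed in a sudoers value")
    return f"'{value}'"


def augtool_script(group, commands, runas="root", nopasswd=False):
    """augtool commands adding one 'spec' node: user -> host_group ->
    host/command[/runas_user][/tag], which is how the Sudoers lens models
    '%group ALL=(root) NOPASSWD: /cmd1, /cmd2'. Each command gets its own
    runas (and tag), which is valid sudoers syntax."""
    if not re.fullmatch(r"[A-Za-z0-9_.-]+", group):
        raise ValueError(f"group token must have no spaces or metacharacters: {group!r}")
    for cmd in commands:
        if not cmd.startswith("/"):
            raise ValueError(f"sudo command must be an absolute path: {cmd!r}")
    spec = f"{SUDOERS}/spec[last()]"
    lines = [
        f"set {SUDOERS}/spec[last()+1]/user {augtool_quote('%' + group)}",
        f"set {spec}/host_group/host ALL",
    ]
    for cmd in commands:
        lines.append(f"set {spec}/host_group/command[last()+1] {augtool_quote(cmd)}")
        lines.append(f"set {spec}/host_group/command[last()]/runas_user {runas}")
        if nopasswd:
            lines.append(f"set {spec}/host_group/command[last()]/tag NOPASSWD")
    lines.append(f"print {spec}")   # echo the resulting subtree for the log
    lines.append("save")
    return "\n".join(lines) + "\n"


def apply_with_augtool(script, root=None):
    """Feed the script to augtool on stdin. root=<dir> makes Augeas edit
    <dir>/etc/sudoers instead of the real file (dry run). Returns augtool's
    exit status, or None when augtool is not installed."""
    if shutil.which("augtool") is None:
        return None
    argv = ["augtool", "--echo"]
    if root:
        argv += ["--root", root]
    proc = subprocess.run(argv, input=script, text=True, capture_output=True)
    print(proc.stdout)
    if proc.stderr:
        print(proc.stderr)
    return proc.returncode


if __name__ == "__main__":
    # Assumed group and commands; '/tmp/fakeroot' is an assumed dry-run tree
    # containing a copy of /etc/sudoers under etc/.
    script = augtool_script("linux_admins",
                            ["/usr/bin/systemctl restart httpd", "/usr/bin/journalctl"])
    print(script)
    print("augtool exit status:", apply_with_augtool(script, root="/tmp/fakeroot"))
```

After a successful save, still run `visudo -cf /etc/sudoers`: Augeas guarantees the tree round-trips through the lens, not that the resulting rule means what you intended.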