@averagesecurityguy
Last active February 17, 2016 19:55
Sudoers Check

[-] root is allowed to execute all programs as any user.
[-] %sudo is allowed to execute all programs as any user.
[-] %admin is allowed to execute ALL with no password.
[*] alan is allowed to execute /bin/ls, /bin/kill on ALL as root, bin : operator, system.

# This file MUST be edited with the 'visudo' command as root.
#
# Please consider adding local content in /etc/sudoers.d/ instead of
# directly modifying this file.
#
# See the man page for details on how to write a sudoers file.
#
Defaults env_reset
Defaults mail_badpass
Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
# Host alias specification
# User alias specification
# Cmnd alias specification
# User privilege specification
root ALL=(ALL:ALL) ALL
# Allow members of group sudo to execute any command
%sudo ALL=(ALL:ALL) ALL
# Members of the admin group may gain root privileges
%admin ALL=(ALL) NOPASSWD:ALL
# See sudoers(5) for more information on "#include" directives:
#includedir /etc/sudoers.d
alan ALL = (root, bin : operator, system) /bin/ls, /bin/kill

#!/usr/bin/env python3
"""
The parser is based on the following information found here:
https://unix.stackexchange.com/questions/18877/what-is-the-proper-sudoers-syntax-to-add-a-user

In the following sudo entry:

    superadm ALL=(ALL) ALL

there are four fields:

* The first one specifies a user that will be granted privileges for some
  command(s).
* The second one is rarely used. It's a list of hostnames on which this
  sudo entry will be effective. On standard setups only one host is
  relevant (localhost) so this field is usually left as ALL.
* The fourth field is the list of commands superadm will be able to run
  with elevated privileges. ALL means all commands. Otherwise use a
  comma-separated list of commands.
* The third field (the one written (…) that is optional) specifies which
  users (and groups) the superadm user will be able to run the following
  commands as. ALL means they can choose anything (unrestricted). If this
  field is omitted, it means the same as (root).

Example:

    alan ALL = (root, bin : operator, system) /bin/ls, /bin/kill

Here, alan is allowed to run the two commands /bin/ls and /bin/kill as root
(or bin), possibly with additional operator or system groups privileges.
"""
import re
import sys

# Groups: user or %group, host list, run-as list inside (...), command list.
# Only rules that carry a parenthesized run-as list match this pattern; rules
# that omit it are not reported.
sudo_re = re.compile(r'(.*?)\s+(.*)=\s*\((.*)\)\s+(.*)')


def process_line(line):
    """
    Process each line in the sudoers file.
    """
    m = sudo_re.match(line)
    if m is not None:
        # Strip the host field so "ALL = (...)" and "ALL=(...)" print the same.
        analyze(m.group(1), m.group(2).strip(), m.group(3), m.group(4))


def analyze(ug, hosts, perms, progs):
    if 'NOPASSWD' in progs:
        # Report the commands that follow the NOPASSWD: tag.
        print('[-] {0} is allowed to execute {1} with no password.'.format(
            ug, progs.split(':', 1)[1].strip()))
    elif ((perms == 'ALL') or (perms == 'ALL:ALL')) and ('ALL' in progs):
        print('[-] {0} is allowed to execute all programs as any user.'.format(ug))
    else:
        print('[*] {0} is allowed to execute {1} on {2} as {3}.'.format(ug, progs, hosts, perms))


if len(sys.argv) != 2:
    print('Usage: sudoers.py sudoers_file')
    sys.exit(1)

with open(sys.argv[1]) as f:
    for line in f:
        line = line.rstrip()
        if line == '':
            continue
        # Note: this also skips "#include" and "#includedir" directives, so
        # files under /etc/sudoers.d are not analyzed.
        if line.startswith('#'):
            continue
        process_line(line)
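
The script above reports only rules that carry a parenthesized run-as list, and it skips `#includedir` as if it were a comment. The following added example (not part of the gist; the sample rules and the names `audit`, `RULE`, `INCLUDE`, `SKIP` and `TAG` are constructed here) goes further for single-line rules: it handles an omitted run-as list, strips tags such as `NOPASSWD:` from the command list, and records include directives so an auditor knows which other files still need review.

```python
import re

# Constructed sample rules, not taken from the gist's sudoers file.
SAMPLE = """\
Defaults env_reset
Cmnd_Alias SVC = /usr/bin/systemctl
bob ALL=/usr/bin/systemctl restart nginx
%wheel ALL=NOPASSWD: ALL
carol ALL=(ALL:ALL) ALL
#includedir /etc/sudoers.d
# an ordinary comment
"""

# The "(...)" run-as list is optional; when omitted, commands run as root.
RULE = re.compile(r'^(\S+)\s+([^=]+?)\s*=\s*(?:\(([^)]*)\)\s*)?(.+)$')
# "#include"/"#includedir" (and the "@" spellings) are directives, not comments.
INCLUDE = re.compile(r'^[#@]include(?:dir)?\s+(\S+)')
SKIP = re.compile(r'^(?:Defaults|(?:User|Runas|Host|Cmnd)_Alias)\b')
TAG = re.compile(r'^(?:[A-Z_]+:\s*)+')

def audit(text):
    """Return (include_paths, rules) parsed from sudoers text."""
    includes, rules = [], []
    for raw in text.splitlines():
        line = raw.strip()
        inc = INCLUDE.match(line)
        if inc:
            includes.append(inc.group(1))
            continue
        if not line or line.startswith('#') or SKIP.match(line):
            continue
        m = RULE.match(line)
        if m is None:
            continue
        who, hosts, runas, rest = m.groups()
        rules.append({
            'who': who,
            'hosts': hosts,
            'runas': runas.strip() if runas else 'root',
            'nopasswd': 'NOPASSWD:' in rest,
            'commands': [TAG.sub('', c.strip()) for c in rest.split(',')],
        })
    return includes, rules

if __name__ == '__main__':
    includes, rules = audit(SAMPLE)
    print('[!] included but not analyzed: {0}'.format(includes))
    for r in rules:
        print('[-]' if r['nopasswd'] or 'ALL' in r['commands'] else '[*]', r)
```

Line continuations, aliases expansion and `#uid` user specifications are out of scope here; `visudo -c` remains the authoritative syntax check.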