[sudo] / doc / cvtsudoers.man.in

.\" Automatically generated from an mdoc input file.  Do not edit.
.\"
.\" Copyright (c) 2018 Todd C. Miller <Todd.Miller@sudo.ws>
.\"
.\" Permission to use, copy, modify, and distribute this software for any
.\" purpose with or without fee is hereby granted, provided that the above
.\" copyright notice and this permission notice appear in all copies.
.\"
.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
.\"
.TH "CVTSUDOERS" "1" "December 11, 2018" "Sudo @PACKAGE_VERSION@" "General Commands Manual"
.nh
.if n .ad l
.SH "NAME"
\fBcvtsudoers\fR
\- convert between sudoers file formats
.SH "SYNOPSIS"
.HP 11n
\fBcvtsudoers\fR
[\fB\-ehMpV\fR]
[\fB\-b\fR\ \fIdn\fR]
[\fB\-c\fR\ \fIconf_file\fR]
[\fB\-d\fR\ \fIdeftypes\fR]
[\fB\-f\fR\ \fIoutput_format\fR]
[\fB\-i\fR\ \fIinput_format\fR]
[\fB\-I\fR\ \fIincrement\fR]
[\fB\-m\fR\ \fIfilter\fR]
[\fB\-o\fR\ \fIoutput_file\fR]
[\fB\-O\fR\ \fIstart_point\fR]
[\fB\-P\fR\ \fIpadding\fR]
[\fB\-s\fR\ \fIsections\fR]
[\fIinput_file\fR]
.SH "DESCRIPTION"
\fBcvtsudoers\fR
can be used to convert between
\fIsudoers\fR
security policy file formats.
The default input format is sudoers.
The default output format is LDIF.
It is only possible to convert a
\fIsudoers\fR
file that is syntactically correct.
.PP
If no
\fIinput_file\fR
is specified, or if it is
\(oq-\(cq,
the policy is read from the standard input.
By default, the result is written to the standard output.
.PP
The options are as follows:
.TP 12n
\fB\-b\fR \fIdn\fR, \fB\--base\fR=\fIdn\fR
The base DN (distinguished name) that will be used when performing
LDAP queries.
Typically this is of the form
\fRou=SUDOers,dc=my-domain,dc=com\fR
for the domain
\fRmy-domain.com\fR.
If this option is not specified, the value of the
\fRSUDOERS_BASE\fR
environment variable will be used instead.
Only necessary when converting to LDIF format.
.TP 12n
\fB\-c\fR \fIconf_file\fR, \fB\--config\fR=\fIconf_file\fR
Specify the path to the configuration file.
Defaults to
\fI@sysconfdir@/cvtsudoers.conf\fR.
.TP 12n
\fB\-d\fR \fIdeftypes\fR, \fB\--defaults\fR=\fIdeftypes\fR
Only convert
\fRDefaults\fR
entries of the specified types.
One or more
\fRDefaults\fR
types may be specified, separated by a comma
(\(oq\&,\(cq).
The supported types are:
.PP
.RS 12n
.PD 0
.TP 10n
all
All Defaults entries.
.PD
.TP 10n
global
Global Defaults entries that are applied regardless of
user, runas, host or command.
.TP 10n
user
Per-user Defaults entries.
.TP 10n
runas
Per-runas user Defaults entries.
.TP 10n
host
Per-host Defaults entries.
.TP 10n
command
Per-command Defaults entries.
.PP
See the
\fBDefaults\fR
section in
sudoers(@mansectform@)
for more information.
.sp
If the
\fB\-d\fR
option is not specified, all
\fRDefaults\fR
entries will be converted.
.RE
.TP 12n
\fB\-e\fR, \fB\--expand-aliases\fR
Expand aliases in
\fIinput_file\fR.
Aliases are preserved by default when the output
\fIformat\fR
is JSON or sudoers.
.TP 12n
\fB\-f\fR \fIoutput_format\fR, \fB\--output-format\fR=\fIoutput_format\fR
Specify the output format (case-insensitive).
The following formats are supported:
.PP
.RS 12n
.PD 0
.TP 10n
JSON
JSON (JavaScript Object Notation) files are usually easier for
third-party applications to consume than the traditional
\fIsudoers\fR
format.
The various values have explicit types which removes much of the
ambiguity of the
\fIsudoers\fR
format.
.PD
.TP 10n
LDIF
LDIF (LDAP Data Interchange Format) files can be imported into an LDAP
server for use with
sudoers.ldap(@mansectform@).
.sp
Conversion to LDIF has the following limitations:
.PP
.RS 10n
.PD 0
.TP 3n
\fB\(bu\fR
Command, host, runas and user-specific Defaults lines cannot be
translated as they don't have an equivalent in the sudoers LDAP schema.
.PD
.TP 3n
\fB\(bu\fR
Command, host, runas and user aliases are not supported by the
sudoers LDAP schema so they are expanded during the conversion.
.PD 0
.PP
.RE
.PD
.TP 10n
sudoers
Traditional sudoers format.
A new sudoers file will be reconstructed from the parsed input file.
Comments are not preserved and data from any include files will be
output inline.
.PD 0
.PP
.RE
.PD
.TP 12n
\fB\-h\fR, \fB\--help\fR
Display a short help message to the standard output and exit.
.TP 12n
\fB\-i\fR \fIinput_format\fR, \fB\--input-format\fR=\fIinput_format\fR
Specify the input format.
The following formats are supported:
.PP
.RS 12n
.PD 0
.TP 10n
LDIF
LDIF (LDAP Data Interchange Format) files can be exported from an LDAP
server to convert security policies used by
sudoers.ldap(@mansectform@).
If a base DN (distinguished name) is specified, only sudoRole objects
that match the base DN will be processed.
Not all sudoOptions specified in a sudoRole can be translated from
LDIF to sudoers format.
.PD
.TP 10n
sudoers
Traditional sudoers format.
This is the default input format.
.PD 0
.PP
.RE
.PD
.TP 12n
\fB\-I\fR \fIincrement\fR, \fB\--increment\fR=\fIincrement\fR
When generating LDIF output, increment each sudoOrder attribute by
the specified number.
Defaults to an increment of 1.
.TP 12n
\fB\-m\fR \fIfilter\fR, \fB\--match\fR=\fIfilter\fR
Only output rules that match the specified
\fIfilter\fR.
A
\fIfilter\fR
expression is made up of one or more
\fBkey =\fR \fIvalue\fR
pairs, separated by a comma
(\(oq\&,\(cq).
The
\fBkey\fR
may be
\(lquser\(rq,
\(lqgroup\(rq
or
\(lqhost\(rq.
For example,
\fBuser\fR = \fIoperator\fR
or
\fBhost\fR = \fIwww\fR.
An upper-case User_Alias or Host_Alias may be specified as the
\(lquser\(rq
or
\(lqhost\(rq.
.sp
A matching
\fIsudoers\fR
rule may also include users, groups and hosts that are not part of the
\fIfilter\fR.
This can happen when a rule includes multiple users, groups or hosts.
To prune out any non-matching user, group or host from the rules, the
\fB\-p\fR
option may be used.
.sp
By default, the password and group databases are not consulted when matching
against the filter so the users and groups do not need to be present
on the local system (see the
\fB\-M\fR
option).
Only aliases that are referenced by the filtered policy rules will
be displayed.
.TP 12n
\fB\-M\fR, \fB\--match-local\fR
When the
\fB\-m\fR
option is also specified, use password and group database information
when matching users and groups in the filter.
Only users and groups in the filter that exist on the local system will match,
and a user's groups will automatically be added to the filter.
If the
\fB\-M\fR
is
\fInot\fR
specified, users and groups in the filter do not need to exist on the
local system, but all groups used for matching must be explicitly listed
in the filter.
.TP 12n
\fB\-o\fR \fIoutput_file\fR, \fB\--output\fR=\fIoutput_file\fR
Write the converted output to
\fIoutput_file\fR.
If no
\fIoutput_file\fR
is specified, or if it is
\(oq-\(cq,
the converted
\fIsudoers\fR
policy will be written to the standard output.
.TP 12n
\fB\-O\fR \fIstart_point\fR, \fB\--order-start\fR=\fIstart_point\fR
When generating LDIF output, use the number specified by
\fIstart_point\fR
in the sudoOrder attribute of the first sudoRole object.
Subsequent sudoRole object use a sudoOrder value generated by adding an
\fIincrement\fR,
see the
\fB\-I\fR
option for details.
Defaults to a starting point of 1.
A starting point of 0 will disable the generation of sudoOrder
attributes in the resulting LDIF file.
.TP 12n
\fB\-p\fR, \fB\--prune-matches\fR
When the
\fB\-m\fR
option is also specified,
\fBcvtsudoers\fR
will prune out non-matching users, groups and hosts from
matching entries.
.TP 12n
\fB\-P\fR \fIpadding\fR, \fB\--padding\fR=\fIpadding\fR
When generating LDIF output, construct the initial sudoOrder value by
concatenating
\fIorder_start\fR
and
\fIincrement\fR,
padding the
\fIincrement\fR
with zeros until it consists of
\fIpadding\fR
digits.
For example, if
\fIorder_start\fR
is 1027,
\fIpadding\fR
is 3, and
\fIincrement\fR
is 1, the value of sudoOrder for the first entry will be 1027000,
followed by 1027001, 1027002, etc.
If the number of sudoRole entries is larger than the padding would allow,
\fBcvtsudoers\fR
will exit with an error.
By default, no padding is performed.
.TP 12n
\fB\-s\fR \fIsections\fR, \fB\--suppress\fR=\fIsections\fR
Suppress the output of specific
\fIsections\fR
of the security policy.
One or more section names may be specified, separated by a comma
(\(oq\&,\(cq).
The supported section name are:
\fBdefaults\fR,
\fBaliases\fR
and
\fBprivileges\fR
(which may be shortened to
\fBprivs\fR).
.TP 12n
\fB\-V\fR, \fB\--version\fR
Print the
\fBcvtsudoers\fR
and
\fIsudoers\fR
grammar versions and exit.
.PP
Options in the form
\(lqkeyword = value\(rq
may also be specified in a configuration file,
\fI@sysconfdir@/cvtsudoers.conf\fR
by default.
The following keywords are recognized:
.TP 6n
\fBdefaults =\fR \fIdeftypes\fR
See the description of the
\fB\-d\fR
command line option.
.TP 6n
\fBexpand_aliases =\fR \fIyes\fR | \fIno\fR
See the description of the
\fB\-e\fR
command line option.
.TP 6n
\fBinput_format =\fR \fIldif\fR | \fIsudoers\fR
See the description of the
\fB\-i\fR
command line option.
.TP 6n
\fBmatch =\fR \fIfilter\fR
See the description of the
\fB\-m\fR
command line option.
.TP 6n
\fBorder_increment =\fR \fIincrement\fR
See the description of the
\fB\-I\fR
command line option.
.TP 6n
\fBorder_start =\fR \fIstart_point\fR
See the description of the
\fB\-O\fR
command line option.
.TP 6n
\fBoutput_format =\fR \fIjson\fR | \fIldif\fR | \fIsudoers\fR
See the description of the
\fB\-f\fR
command line option.
.TP 6n
\fBpadding =\fR \fIpadding\fR
See the description of the
\fB\-P\fR
command line option.
.TP 6n
\fBprune_matches =\fR \fIyes\fR | \fIno\fR
See the description of the
\fB\-p\fR
command line option.
.TP 6n
\fBsudoers_base =\fR \fIdn\fR
See the description of the
\fB\-b\fR
command line option.
.TP 6n
\fBsuppress =\fR \fIsections\fR
See the description of the
\fB\-s\fR
command line option.
.PP
Options on the command line will override values from the
configuration file.
.SH "FILES"
.TP 26n
\fI@sysconfdir@/cvtsudoers.conf\fR
default configuration for cvtsudoers
.SH "EXAMPLES"
Convert
\fI/etc/sudoers\fR
to LDIF (LDAP Data Interchange Format) where the
\fIldap.conf\fR
file uses a
\fIsudoers_base\fR
of my-domain,dc=com, storing the result in
\fIsudoers.ldif\fR:
.nf
.sp
.RS 6n
$ cvtsudoers -b ou=SUDOers,dc=my-domain,dc=com -o sudoers.ldif \e
             /etc/sudoers
.RE
.fi
.PP
Convert
\fI/etc/sudoers\fR
to JSON format, storing the result in
\fIsudoers.json\fR:
.nf
.sp
.RS 6n
$ cvtsudoers -f json -o sudoers.json /etc/sudoers
.RE
.fi
.PP
Parse
\fI/etc/sudoers\fR
and display only rules that match user
\fIambrose\fR
on host
\fIhastur\fR:
.nf
.sp
.RS 6n
$ cvtsudoers -f sudoers -m user=ambrose,host=hastur /etc/sudoers
.RE
.fi
.PP
Same as above, but expand aliases and prune out any non-matching
users and hosts from the expanded entries.
.nf
.sp
.RS 6n
$ cvtsudoers -ep -f sudoers -m user=ambrose,host=hastur /etc/sudoers
.RE
.fi
.PP
Convert
\fIsudoers.ldif\fR
from LDIF to traditional
\fIsudoers\fR
format:
.nf
.sp
.RS 6n
$ cvtsudoers -i ldif -f sudoers -o sudoers.new sudoers.ldif
.RE
.fi
.SH "SEE ALSO"
sudoers(@mansectform@),
sudoers.ldap(@mansectform@),
sudo(@mansectsu@)
.SH "AUTHORS"
Many people have worked on
\fBsudo\fR
over the years; this version consists of code written primarily by:
.sp
.RS 6n
Todd C. Miller
.RE
.PP
See the CONTRIBUTORS file in the
\fBsudo\fR
distribution (https://www.sudo.ws/contributors.html) for an
exhaustive list of people who have contributed to
\fBsudo\fR.
.SH "BUGS"
If you feel you have found a bug in
\fBcvtsudoers\fR,
please submit a bug report at https://bugzilla.sudo.ws/
.SH "SUPPORT"
Limited free support is available via the sudo-users mailing list,
see https://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or
search the archives.
.SH "DISCLAIMER"
\fBcvtsudoers\fR
is provided
\(lqAS IS\(rq
and any express or implied warranties, including, but not limited
to, the implied warranties of merchantability and fitness for a
particular purpose are disclaimed.
See the LICENSE file distributed with
\fBsudo\fR
or https://www.sudo.ws/license.html for complete details.