.\" Automatically generated from an mdoc input file. Do not edit.
.\" Copyright (c) 2018 Todd C. Miller <Todd.Miller@sudo.ws>
.\" Permission to use, copy, modify, and distribute this software for any
.\" purpose with or without fee is hereby granted, provided that the above
.\" copyright notice and this permission notice appear in all copies.
.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
.TH "CVTSUDOERS" "1" "December 11, 2018" "Sudo @PACKAGE_VERSION@" "General Commands Manual"
\- convert between sudoers file formats
[\fB\-c\fR\ \fIconf_file\fR]
[\fB\-d\fR\ \fIdeftypes\fR]
[\fB\-f\fR\ \fIoutput_format\fR]
[\fB\-i\fR\ \fIinput_format\fR]
[\fB\-I\fR\ \fIincrement\fR]
[\fB\-m\fR\ \fIfilter\fR]
[\fB\-o\fR\ \fIoutput_file\fR]
[\fB\-O\fR\ \fIstart_point\fR]
[\fB\-P\fR\ \fIpadding\fR]
[\fB\-s\fR\ \fIsections\fR]
can be used to convert between
security policy file formats.
The default input format is sudoers.
The default output format is LDIF.
It is only possible to convert a
file that is syntactically correct.
is specified, or if it is
the policy is read from the standard input.
By default, the result is written to the standard output.
The options are as follows:
\fB\-b\fR \fIdn\fR, \fB\--base\fR=\fIdn\fR
The base DN (distinguished name) that will be used when performing
Typically this is of the form
\fRou=SUDOers,dc=my-domain,dc=com\fR
If this option is not specified, the value of the
environment variable will be used instead.
Only necessary when converting to LDIF format.
\fB\-c\fR \fIconf_file\fR, \fB\--config\fR=\fIconf_file\fR
Specify the path to the configuration file.
\fI@sysconfdir@/cvtsudoers.conf\fR.
\fB\-d\fR \fIdeftypes\fR, \fB\--defaults\fR=\fIdeftypes\fR
entries of the specified types.
types may be specified, separated by a comma
The supported types are:
Global Defaults entries that are applied regardless of
user, runas, host or command.
Per-user Defaults entries.
Per-runas user Defaults entries.
Per-host Defaults entries.
Per-command Defaults entries.
sudoers(@mansectform@)
for more information.
option is not specified, all
entries will be converted.
\fB\-e\fR, \fB\--expand-aliases\fR
Aliases are preserved by default when the output
\fB\-f\fR \fIoutput_format\fR, \fB\--output-format\fR=\fIoutput_format\fR
Specify the output format (case-insensitive).
The following formats are supported:
JSON (JavaScript Object Notation) files are usually easier for
third-party applications to consume than the traditional
The various values have explicit types which removes much of the
LDIF (LDAP Data Interchange Format) files can be imported into an LDAP
sudoers.ldap(@mansectform@).
Conversion to LDIF has the following limitations:
Command, host, runas and user-specific Defaults lines cannot be
translated as they don't have an equivalent in the sudoers LDAP schema.
Command, host, runas and user aliases are not supported by the
sudoers LDAP schema so they are expanded during the conversion.
Traditional sudoers format.
A new sudoers file will be reconstructed from the parsed input file.
Comments are not preserved and data from any include files will be
\fB\-h\fR, \fB\--help\fR
Display a short help message to the standard output and exit.
\fB\-i\fR \fIinput_format\fR, \fB\--input-format\fR=\fIinput_format\fR
Specify the input format.
The following formats are supported:
LDIF (LDAP Data Interchange Format) files can be exported from an LDAP
server to convert security policies used by
sudoers.ldap(@mansectform@).
If a base DN (distinguished name) is specified, only sudoRole objects
that match the base DN will be processed.
Not all sudoOptions specified in a sudoRole can be translated from
LDIF to sudoers format.
Traditional sudoers format.
This is the default input format.
\fB\-I\fR \fIincrement\fR, \fB\--increment\fR=\fIincrement\fR
When generating LDIF output, increment each sudoOrder attribute by
the specified number.
Defaults to an increment of 1.
\fB\-m\fR \fIfilter\fR, \fB\--match\fR=\fIfilter\fR
Only output rules that match the specified
expression is made up of one or more
\fBkey =\fR \fIvalue\fR
pairs, separated by a comma
\fBuser\fR = \fIoperator\fR
\fBhost\fR = \fIwww\fR.
An upper-case User_Alias or Host_Alias may be specified as the
rule may also include users, groups and hosts that are not part of the
This can happen when a rule includes multiple users, groups or hosts.
To prune out any non-matching user, group or host from the rules, the
By default, the password and group databases are not consulted when matching
against the filter so the users and groups do not need to be present
on the local system (see the
Only aliases that are referenced by the filtered policy rules will
\fB\-M\fR, \fB\--match-local\fR
option is also specified, use password and group database information
when matching users and groups in the filter.
Only users and groups in the filter that exist on the local system will match,
and a user's groups will automatically be added to the filter.
specified, users and groups in the filter do not need to exist on the
local system, but all groups used for matching must be explicitly listed
\fB\-o\fR \fIoutput_file\fR, \fB\--output\fR=\fIoutput_file\fR
Write the converted output to
is specified, or if it is
policy will be written to the standard output.
\fB\-O\fR \fIstart_point\fR, \fB\--order-start\fR=\fIstart_point\fR
When generating LDIF output, use the number specified by
in the sudoOrder attribute of the first sudoRole object.
Subsequent sudoRole objects use a sudoOrder value generated by adding an
Defaults to a starting point of 1.
A starting point of 0 will disable the generation of sudoOrder
attributes in the resulting LDIF file.
\fB\-p\fR, \fB\--prune-matches\fR
option is also specified,
will prune out non-matching users, groups and hosts from
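A model of the \fB\-m\fR filter and the \fB\-p\fR pruning behaviour described above, written for this page as an added example and not taken from cvtsudoers itself. It assumes a rule is a plain dict of user, group and host name lists; ALL, negation, netgroups and alias expansion (\fB\-e\fR) are deliberately not modelled.

```python
# Added example (not cvtsudoers' own code): how a "key=value,key=value"
# match filter selects rules, and how -p prunes the non-matching entries
# out of a rule that matched only partly.

FILTER_KEYS = ("user", "group", "host")


def parse_filter(text: str) -> dict:
    """Parse 'user=ambrose,host=hastur' into {key: [values]}; keys may repeat."""
    result = {key: [] for key in FILTER_KEYS}
    for pair in text.split(","):
        key, sep, value = (part.strip() for part in pair.partition("="))
        if not sep or key not in FILTER_KEYS or not value:
            raise ValueError(f"bad filter element: {pair!r}")
        result[key].append(value)
    return result


def rule_matches(rule: dict, flt: dict) -> bool:
    """A rule matches when every constrained key shares at least one value
    with the filter.  Values are compared literally (no alias expansion)."""
    for key, wanted in flt.items():
        if wanted and not set(rule.get(key, ())) & set(wanted):
            return False
    return True


def prune_rule(rule: dict, flt: dict) -> dict:
    """-p: keep only the users, groups and hosts that are in the filter.
    Keys the filter does not constrain are left untouched."""
    pruned = dict(rule)  # constructed: a shallow copy is enough for name lists
    for key, wanted in flt.items():
        if wanted:
            pruned[key] = [name for name in rule.get(key, ()) if name in wanted]
    return pruned


if __name__ == "__main__":
    # Constructed sample rule: two users on two hosts, filtered as in the
    # page's "-m user=ambrose,host=hastur" example.
    sample_rule = {"user": ["ambrose", "millert"], "group": [],
                   "host": ["hastur", "www"]}
    sample_filter = parse_filter("user=ambrose,host=hastur")
    print(rule_matches(sample_rule, sample_filter))   # True: rule still lists millert and www
    print(prune_rule(sample_rule, sample_filter))     # with -p, only ambrose@hastur remains
```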
\fB\-P\fR \fIpadding\fR, \fB\--padding\fR=\fIpadding\fR
When generating LDIF output, construct the initial sudoOrder value by
with zeros until it consists of
is 1, the value of sudoOrder for the first entry will be 1027000,
followed by 1027001, 1027002, etc.
If the number of sudoRole entries is larger than the padding would allow,
will exit with an error.
By default, no padding is performed.
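The sudoOrder numbering produced by \fB\-O\fR, \fB\-I\fR and \fB\-P\fR, as an added example written for this page rather than code from cvtsudoers. It assumes that padding appends that many zero digits to the start point (so a start point of 1027 with a padding of 3 gives 1027000, matching the sequence above) and that the last value that still fits is the padded start point plus 10^padding \- 1.

```python
# Added example (not cvtsudoers' own code): generate the sudoOrder values
# for a run of sudoRole objects and refuse, as cvtsudoers does, to produce
# more entries than the padded range can hold.


def sudo_orders(order_start: int, increment: int = 1, padding: int = 0,
                count: int = 1) -> list:
    """Return the sudoOrder value for each of `count` sudoRole objects.

    Assumption: with padding p the first value is order_start * 10**p and
    the range ends at order_start * 10**p + 10**p - 1; padding 0 means no
    upper bound.  A start point of 0 disables sudoOrder generation.
    """
    if order_start == 0:
        return []  # -O 0: no sudoOrder attributes at all
    if order_start < 0 or increment < 1 or padding < 0 or count < 0:
        raise ValueError("start point and padding must be >= 0, increment >= 1")
    if padding == 0:
        first, order_max = order_start, None
    else:
        scale = 10 ** padding
        first = order_start * scale          # 1027, padding 3 -> 1027000
        order_max = first + scale - 1        # ... and 1027999 is the last that fits
    orders = []
    for index in range(count):
        value = first + index * increment
        if order_max is not None and value > order_max:
            # cvtsudoers exits with an error in this situation
            raise ValueError(f"sudoOrder {value} exceeds padded maximum {order_max}")
        orders.append(value)
    return orders


if __name__ == "__main__":
    # Reproduces the sequence given above: 1027000, 1027001, 1027002
    print(sudo_orders(order_start=1027, increment=1, padding=3, count=3))
```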
\fB\-s\fR \fIsections\fR, \fB\--suppress\fR=\fIsections\fR
Suppress the output of specific
of the security policy.
One or more section names may be specified, separated by a comma
The supported section names are:
(which may be shortened to
\fB\-V\fR, \fB\--version\fR
grammar versions and exit.
\(lqkeyword = value\(rq
may also be specified in a configuration file,
\fI@sysconfdir@/cvtsudoers.conf\fR
The following keywords are recognized:
\fBdefaults =\fR \fIdeftypes\fR
See the description of the
\fBexpand_aliases =\fR \fIyes\fR | \fIno\fR
See the description of the
\fBinput_format =\fR \fIldif\fR | \fIsudoers\fR
See the description of the
\fBmatch =\fR \fIfilter\fR
See the description of the
\fBorder_increment =\fR \fIincrement\fR
See the description of the
\fBorder_start =\fR \fIstart_point\fR
See the description of the
\fBoutput_format =\fR \fIjson\fR | \fIldif\fR | \fIsudoers\fR
See the description of the
\fBpadding =\fR \fIpadding\fR
See the description of the
\fBprune_matches =\fR \fIyes\fR | \fIno\fR
See the description of the
\fBsudoers_base =\fR \fIdn\fR
See the description of the
\fBsuppress =\fR \fIsections\fR
See the description of the
Options on the command line will override values from the
\fI@sysconfdir@/cvtsudoers.conf\fR
default configuration for cvtsudoers
to LDIF (LDAP Data Interchange Format) where the
of my-domain,dc=com, storing the result in
$ cvtsudoers -b ou=SUDOers,dc=my-domain,dc=com -o sudoers.ldif \e
to JSON format, storing the result in
$ cvtsudoers -f json -o sudoers.json /etc/sudoers
and display only rules that match user
$ cvtsudoers -f sudoers -m user=ambrose,host=hastur /etc/sudoers
Same as above, but expand aliases and prune out any non-matching
users and hosts from the expanded entries.
$ cvtsudoers -ep -f sudoers -m user=ambrose,host=hastur /etc/sudoers
from LDIF to traditional
$ cvtsudoers -i ldif -f sudoers -o sudoers.new sudoers.ldif
sudoers(@mansectform@),
sudoers.ldap(@mansectform@),
Many people have worked on
over the years; this version consists of code written primarily by:
See the CONTRIBUTORS file in the
distribution (https://www.sudo.ws/contributors.html) for an
exhaustive list of people who have contributed to
If you feel you have found a bug in
please submit a bug report at https://bugzilla.sudo.ws/
Limited free support is available via the sudo-users mailing list,
see https://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or
and any express or implied warranties, including, but not limited
to, the implied warranties of merchantability and fitness for a
particular purpose are disclaimed.
See the LICENSE file distributed with
or https://www.sudo.ws/license.html for complete details.