plugins/sudoers/regress/cvtsudoers/test3.sh
plugins/sudoers/regress/cvtsudoers/test30.out.ok
plugins/sudoers/regress/cvtsudoers/test30.sh
+plugins/sudoers/regress/cvtsudoers/test31.conf
+plugins/sudoers/regress/cvtsudoers/test31.out.ok
+plugins/sudoers/regress/cvtsudoers/test31.sh
+plugins/sudoers/regress/cvtsudoers/test32.out.ok
+plugins/sudoers/regress/cvtsudoers/test32.sh
plugins/sudoers/regress/cvtsudoers/test4.out.ok
plugins/sudoers/regress/cvtsudoers/test4.sh
plugins/sudoers/regress/cvtsudoers/test5.out.ok
out non-matching users, groups and hosts from matching
entries.
+ -\b-P\bP _\bp_\ba_\bd_\bd_\bi_\bn_\bg, -\b--\b-p\bpa\bad\bdd\bdi\bin\bng\bg=_\bp_\ba_\bd_\bd_\bi_\bn_\bg
+ When generating LDIF output, construct the initial sudoOrder
+ value by concatenating _\bo_\br_\bd_\be_\br_\b__\bs_\bt_\ba_\br_\bt and _\bi_\bn_\bc_\br_\be_\bm_\be_\bn_\bt, padding the
+ _\bi_\bn_\bc_\br_\be_\bm_\be_\bn_\bt with zeros until it consists of _\bp_\ba_\bd_\bd_\bi_\bn_\bg digits.
+ For example, if _\bo_\br_\bd_\be_\br_\b__\bs_\bt_\ba_\br_\bt is 1027, _\bp_\ba_\bd_\bd_\bi_\bn_\bg is 3, and
+ _\bi_\bn_\bc_\br_\be_\bm_\be_\bn_\bt is 1, the value of sudoOrder for the first entry
+ will be 1027000, followed by 1027001, 1027002, etc. If the
+ number of sudoRole entries is larger than the padding would
+ allow, c\bcv\bvt\bts\bsu\bud\bdo\boe\ber\brs\bs will exit with an error. By default, no
+ padding is performed.
+
-\b-s\bs _\bs_\be_\bc_\bt_\bi_\bo_\bn_\bs, -\b--\b-s\bsu\bup\bpp\bpr\bre\bes\bss\bs=_\bs_\be_\bc_\bt_\bi_\bo_\bn_\bs
Suppress the output of specific _\bs_\be_\bc_\bt_\bi_\bo_\bn_\bs of the security
policy. One or more section names may be specified,
file distributed with s\bsu\bud\bdo\bo or https://www.sudo.ws/license.html for
complete details.
-Sudo 1.8.25 April 14, 2018 Sudo 1.8.25
+Sudo 1.8.26 October 24, 2018 Sudo 1.8.26
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
.\" ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
-.TH "CVTSUDOERS" "1" "April 14, 2018" "Sudo @PACKAGE_VERSION@" "General Commands Manual"
+.TH "CVTSUDOERS" "1" "October 24, 2018" "Sudo @PACKAGE_VERSION@" "General Commands Manual"
.nh
.if n .ad l
.SH "NAME"
will prune out non-matching users, groups and hosts from
matching entries.
.TP 12n
+\fB\-P\fR \fIpadding\fR, \fB\--padding\fR=\fIpadding\fR
+When generating LDIF output, construct the initial sudoOrder value by
+concatenating
+\fIorder_start\fR
+and
+\fIincrement\fR,
+padding the
+\fIincrement\fR
+with zeros until it consists of
+\fIpadding\fR
+digits.
+For example, if
+\fIorder_start\fR
+is 1027,
+\fIpadding\fR
+is 3, and
+\fIincrement\fR
+is 1, the value of sudoOrder for the first entry will be 1027000,
+followed by 1027001, 1027002, etc.
+If the number of sudoRole entries is larger than the padding would allow,
+\fBcvtsudoers\fR
+will exit with an error.
+By default, no padding is performed.
+.TP 12n
\fB\-s\fR \fIsections\fR, \fB\--suppress\fR=\fIsections\fR
Suppress the output of specific
\fIsections\fR
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
.\" ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
-.Dd April 14, 2018
+.Dd October 24, 2018
.Dt CVTSUDOERS 1
.Os Sudo @PACKAGE_VERSION@
.Sh NAME
.Nm
will prune out non-matching users, groups and hosts from
matching entries.
+.It Fl P Ar padding , Fl -padding Ns = Ns Ar padding
+When generating LDIF output, construct the initial sudoOrder value by
+concatenating
+.Ar order_start
+and
+.Ar increment ,
+padding the
+.Ar increment
+with zeros until it consists of
+.Ar padding
+digits.
+For example, if
+.Ar order_start
+is 1027,
+.Ar padding
+is 3, and
+.Ar increment
+is 1, the value of sudoOrder for the first entry will be 1027000,
+followed by 1027001, 1027002, etc.
+If the number of sudoRole entries is larger than the padding would allow,
+.Nm
+will exit with an error.
+By default, no padding is performed.
.It Fl s Ar sections , Fl -suppress Ns = Ns Ar sections
Suppress the output of specific
.Ar sections
struct cvtsudoers_filter *filters;
struct sudo_user sudo_user;
struct passwd *list_pw;
-static const char short_opts[] = "b:c:d:ef:hi:I:m:Mo:O:ps:V";
+static const char short_opts[] = "b:c:d:ef:hi:I:m:Mo:O:pP:s:V";
static struct option long_opts[] = {
{ "base", required_argument, NULL, 'b' },
{ "config", required_argument, NULL, 'c' },
{ "match", required_argument, NULL, 'm' },
{ "match-local", no_argument, NULL, 'M' },
{ "prune-matches", no_argument, NULL, 'p' },
+ { "padding", required_argument, NULL, 'P' },
{ "order-start", required_argument, NULL, 'O' },
{ "output", required_argument, NULL, 'o' },
{ "suppress", required_argument, NULL, 's' },
case 'p':
conf->prune_matches = true;
break;
+ case 'P':
+ conf->order_padding = sudo_strtonum(optarg, 1, UINT_MAX, &errstr);
+ if (errstr != NULL ) {
+ sudo_warnx(U_("order padding: %s: %s"), optarg, U_(errstr));
+ usage(1);
+ }
+ break;
case 's':
conf->supstr = optarg;
break;
usage(1);
}
+ /* Apply padding to sudo_order if present. */
+ if (conf->sudo_order != 0 && conf->order_padding != 0) {
+ unsigned int multiplier = 1;
+
+ do {
+ multiplier *= 10;
+ } while (--conf->order_padding != 0);
+ conf->sudo_order *= multiplier;
+ conf->order_max = conf->sudo_order + (multiplier - 1);
+ conf->order_padding = multiplier;
+ }
+
/* If no base DN specified, check SUDOERS_BASE. */
if (conf->sudoers_base == NULL) {
conf->sudoers_base = getenv("SUDOERS_BASE");
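Review bot: The `multiplier *= 10` loop and the following `conf->sudo_order *= multiplier` / `conf->order_max = conf->sudo_order + (multiplier - 1)` lines can wrap silently, because `order_padding` is accepted up to UINT_MAX on the command line (the `case 'P'` hunk above) and presumably without a tighter bound from the `order_padding` CONF_UINT entry as well; unsigned wrap is not UB, but it yields a bogus `sudo_order`, an `order_max` that may be smaller than `sudo_order`, and a "maximum %u" message that reports the wrapped multiplier. Each step should be bounds-checked before it is performed and the run aborted with a clear error when padding or start point do not fit, which is what the rewrite below does; it also keeps the user-supplied digit count in a local so the error message can name it. The check `sudo_order <= (UINT_MAX + 1 - multiplier) / multiplier` is exactly the condition under which both `sudo_order * multiplier` and the later `+ (multiplier - 1)` stay within range. The enclosing function starts and ends outside this hunk.
```c
    /* Apply padding to sudo_order if present. */
    if (conf->sudo_order != 0 && conf->order_padding != 0) {
	unsigned int padding = conf->order_padding;	/* digits requested by user */
	unsigned int multiplier = 1;

	/* multiplier = 10^padding; refuse paddings that cannot fit. */
	do {
	    if (multiplier > UINT_MAX / 10)
		sudo_fatalx(U_("order padding too large: %u"), padding);
	    multiplier *= 10;
	} while (--conf->order_padding != 0);

	/* sudo_order * multiplier + (multiplier - 1) must not wrap. */
	if (conf->sudo_order > (UINT_MAX - (multiplier - 1)) / multiplier)
	    sudo_fatalx(U_("order start %u too large for padding %u"),
		conf->sudo_order, padding);
	conf->sudo_order *= multiplier;
	conf->order_max = conf->sudo_order + (multiplier - 1);
	conf->order_padding = multiplier;
    }
```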
static struct cvtsudoers_conf_table cvtsudoers_conf_vars[] = {
{ "order_start", CONF_UINT, &cvtsudoers_config.sudo_order },
{ "order_increment", CONF_UINT, &cvtsudoers_config.order_increment },
+ { "order_padding", CONF_UINT, &cvtsudoers_config.order_padding },
{ "sudoers_base", CONF_STR, &cvtsudoers_config.sudoers_base },
{ "input_format", CONF_STR, &cvtsudoers_config.input_format },
{ "output_format", CONF_STR, &cvtsudoers_config.output_format },
(void) fprintf(fatal ? stderr : stdout, "usage: %s [-ehMpV] [-b dn] "
"[-c conf_file ] [-d deftypes] [-f output_format] [-i input_format] "
"[-I increment] [-m filter] [-o output_file] [-O start_point] "
- "[-s sections] [input_file]\n", getprogname());
+ "[-P padding] [-s sections] [input_file]\n", getprogname());
if (fatal)
exit(1);
}
" -o, --output=output_file write converted sudoers to output_file\n"
" -O, --order-start=num starting point for first sudoOrder\n"
" -p, --prune-matches prune non-matching users, groups and hosts\n"
+ " -P, --padding=num base padding for sudoOrder increment\n"
" -s, --suppress=sections suppress output of certain sections\n"
" -V, --version display version information and exit"));
exit(0);
struct cvtsudoers_config {
unsigned int sudo_order;
unsigned int order_increment;
+ unsigned int order_padding;
+ unsigned int order_max;
short defaults;
short suppress;
bool expand_aliases;
};
/* Initial config settings for above. */
-#define INITIAL_CONFIG { 1, 1, CVT_DEFAULTS_ALL, 0, false, true, false }
+#define INITIAL_CONFIG { 1, 1, 0, 0, CVT_DEFAULTS_ALL, 0, false, true, false }
#define CONF_BOOL 0
#define CONF_UINT 1
if (conf->sudo_order != 0) {
char numbuf[(((sizeof(conf->sudo_order) * 8) + 2) / 3) + 2];
+ if (conf->order_max != 0 && conf->sudo_order > conf->order_max) {
+ sudo_fatalx(U_("too many sudoers entries, maximum %u"),
+ conf->order_padding);
+ }
(void)snprintf(numbuf, sizeof(numbuf), "%u", conf->sudo_order);
print_attribute_ldif(fp, "sudoOrder", numbuf);
putc('\n', fp);
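Review bot: The `sudo_fatalx` call prints `conf->order_padding` as the "maximum", but by this point that field no longer holds the digit count the user passed with `-P`; it appears to have been overwritten with the computed multiplier (10^padding) in main's padding block, which is why the expected output in test32 reads "maximum 10" for `-P 1`. That field reuse is easy to misread, so a comment above the check would help, e.g. `/* order_padding holds the multiplier (10^padding) once applied in main(), i.e. the number of entries the padding allows. */`. The enclosing function starts and ends outside this hunk.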
--- /dev/null
+defaults = all
+expand_aliases = no
+input_format = sudoers
+order_increment = 5
+order_padding = 2
+order_start = 1000
+output_format = ldif
+sudoers_base = ou=SUDOers,dc=my-domain,dc=com
+suppress = defaults
--- /dev/null
+dn: cn=ALL,ou=SUDOers,dc=my-domain,dc=com
+objectClass: top
+objectClass: sudoRole
+cn: ALL
+sudoUser: ALL
+sudoHost: ALL
+sudoRunAsUser:
+sudoOption: !authenticate
+sudoCommand: /usr/bin/id
+sudoOrder: 100000
+
+dn: cn=FULLTIMERS,ou=SUDOers,dc=my-domain,dc=com
+objectClass: top
+objectClass: sudoRole
+cn: FULLTIMERS
+sudoUser: user1
+sudoUser: user2
+sudoUser: user3
+sudoHost: ALL
+sudoRunAsUser: ALL
+sudoRunAsGroup: ALL
+sudoCommand: ALL
+sudoOrder: 100005
+
--- /dev/null
+#!/bin/sh
+#
+# Test cvtsudoers.conf with padding
+#
+
+exec 2>&1
+./cvtsudoers -c $TESTDIR/test31.conf <<EOF
+Defaults authenticate, timestamp_timeout=0
+User_Alias FULLTIMERS = user1, user2, user3
+
+ALL ALL = (:) NOPASSWD:/usr/bin/id
+FULLTIMERS ALL = (ALL:ALL) ALL
+EOF
--- /dev/null
+cvtsudoers: too many sudoers entries, maximum 10
+dn: cn=user0,ou=SUDOers,dc=my-domain,dc=com
+objectClass: top
+objectClass: sudoRole
+cn: user0
+sudoUser: user0
+sudoHost: ALL
+sudoRunAsUser: ALL
+sudoRunAsGroup: ALL
+sudoCommand: ALL
+sudoOrder: 10000
+
+dn: cn=user1,ou=SUDOers,dc=my-domain,dc=com
+objectClass: top
+objectClass: sudoRole
+cn: user1
+sudoUser: user1
+sudoHost: ALL
+sudoRunAsUser: ALL
+sudoRunAsGroup: ALL
+sudoCommand: ALL
+sudoOrder: 10001
+
+dn: cn=user2,ou=SUDOers,dc=my-domain,dc=com
+objectClass: top
+objectClass: sudoRole
+cn: user2
+sudoUser: user2
+sudoHost: ALL
+sudoRunAsUser: ALL
+sudoRunAsGroup: ALL
+sudoCommand: ALL
+sudoOrder: 10002
+
+dn: cn=user3,ou=SUDOers,dc=my-domain,dc=com
+objectClass: top
+objectClass: sudoRole
+cn: user3
+sudoUser: user3
+sudoHost: ALL
+sudoRunAsUser: ALL
+sudoRunAsGroup: ALL
+sudoCommand: ALL
+sudoOrder: 10003
+
+dn: cn=user4,ou=SUDOers,dc=my-domain,dc=com
+objectClass: top
+objectClass: sudoRole
+cn: user4
+sudoUser: user4
+sudoHost: ALL
+sudoRunAsUser: ALL
+sudoRunAsGroup: ALL
+sudoCommand: ALL
+sudoOrder: 10004
+
+dn: cn=user5,ou=SUDOers,dc=my-domain,dc=com
+objectClass: top
+objectClass: sudoRole
+cn: user5
+sudoUser: user5
+sudoHost: ALL
+sudoRunAsUser: ALL
+sudoRunAsGroup: ALL
+sudoCommand: ALL
+sudoOrder: 10005
+
+dn: cn=user6,ou=SUDOers,dc=my-domain,dc=com
+objectClass: top
+objectClass: sudoRole
+cn: user6
+sudoUser: user6
+sudoHost: ALL
+sudoRunAsUser: ALL
+sudoRunAsGroup: ALL
+sudoCommand: ALL
+sudoOrder: 10006
+
+dn: cn=user7,ou=SUDOers,dc=my-domain,dc=com
+objectClass: top
+objectClass: sudoRole
+cn: user7
+sudoUser: user7
+sudoHost: ALL
+sudoRunAsUser: ALL
+sudoRunAsGroup: ALL
+sudoCommand: ALL
+sudoOrder: 10007
+
+dn: cn=user8,ou=SUDOers,dc=my-domain,dc=com
+objectClass: top
+objectClass: sudoRole
+cn: user8
+sudoUser: user8
+sudoHost: ALL
+sudoRunAsUser: ALL
+sudoRunAsGroup: ALL
+sudoCommand: ALL
+sudoOrder: 10008
+
+dn: cn=user9,ou=SUDOers,dc=my-domain,dc=com
+objectClass: top
+objectClass: sudoRole
+cn: user9
+sudoUser: user9
+sudoHost: ALL
+sudoRunAsUser: ALL
+sudoRunAsGroup: ALL
+sudoCommand: ALL
+sudoOrder: 10009
+
+dn: cn=user10,ou=SUDOers,dc=my-domain,dc=com
+objectClass: top
+objectClass: sudoRole
+cn: user10
+sudoUser: user10
+sudoHost: ALL
+sudoRunAsUser: ALL
+sudoRunAsGroup: ALL
+sudoCommand: ALL
--- /dev/null
+#!/bin/sh
+#
+# Test cvtsudoers.conf with invalid padding
+#
+
+exec 2>&1
+./cvtsudoers -c "" -b "ou=SUDOers,dc=my-domain,dc=com" -O 1000 -P 1 <<EOF
+user0 ALL = (ALL:ALL) ALL
+user1 ALL = (ALL:ALL) ALL
+user2 ALL = (ALL:ALL) ALL
+user3 ALL = (ALL:ALL) ALL
+user4 ALL = (ALL:ALL) ALL
+user5 ALL = (ALL:ALL) ALL
+user6 ALL = (ALL:ALL) ALL
+user7 ALL = (ALL:ALL) ALL
+user8 ALL = (ALL:ALL) ALL
+user9 ALL = (ALL:ALL) ALL
+user10 ALL = (ALL:ALL) ALL
+EOF
+
+exit 0
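Review bot: The expected output for this test (test32.out.ok) places the "too many sudoers entries" line before all of the LDIF records, which only holds if cvtsudoers' stdout is fully buffered (a pipe or file) while stderr is unbuffered; under `exec 2>&1` that ordering is an artefact of stdio buffering rather than of the program's logic, so if the harness ever runs it through a pty or with line-buffered stdout the comparison will fail. If the intent is just to prove the fatal path fires after the tenth entry, redirecting stdout separately and comparing stderr alone, or keeping a comment in the script such as `# Note: the error line sorts first because stderr is unbuffered.`, would make that dependency explicit. The trailing `exit 0` also hides cvtsudoers' non-zero status, which seems intended here since a fatal error is the expected result, but is worth a comment for the same reason.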