Add -d option to control what type of Defaults entries are converted.

diff --git a/doc/cvtsudoers.cat b/doc/cvtsudoers.cat
index 172f1c3f28616ac3aa27ffab5b21d25cd27701d0..14ce460dc3523c8d1dd67976f5b1a4d81394339a 100644 (file)
--- a/doc/cvtsudoers.cat
+++ b/doc/cvtsudoers.cat
@@ -4,9 +4,10 @@ N\bNA\bAM\bME\bE
      c\bcv\bvt\bts\bsu\bud\bdo\boe\ber\brs\bs - convert between sudoers file formats
 
 S\bSY\bYN\bNO\bOP\bPS\bSI\bIS\bS
-     c\bcv\bvt\bts\bsu\bud\bdo\boe\ber\brs\bs [-\b-e\beh\bhM\bMV\bV] [-\b-b\bb _\bd_\bn] [-\b-c\bc _\bc_\bo_\bn_\bf_\b__\bf_\bi_\bl_\be] [-\b-f\bf _\bo_\bu_\bt_\bp_\bu_\bt_\b__\bf_\bo_\br_\bm_\ba_\bt]
-                [-\b-i\bi _\bi_\bn_\bp_\bu_\bt_\b__\bf_\bo_\br_\bm_\ba_\bt] [-\b-I\bI _\bi_\bn_\bc_\br_\be_\bm_\be_\bn_\bt] [-\b-m\bm _\bf_\bi_\bl_\bt_\be_\br] [-\b-o\bo _\bo_\bu_\bt_\bp_\bu_\bt_\b__\bf_\bi_\bl_\be]
-                [-\b-O\bO _\bs_\bt_\ba_\br_\bt_\b__\bp_\bo_\bi_\bn_\bt] [-\b-s\bs _\bs_\be_\bc_\bt_\bi_\bo_\bn_\bs] [_\bi_\bn_\bp_\bu_\bt_\b__\bf_\bi_\bl_\be]
+     c\bcv\bvt\bts\bsu\bud\bdo\boe\ber\brs\bs [-\b-e\beh\bhM\bMV\bV] [-\b-b\bb _\bd_\bn] [-\b-c\bc _\bc_\bo_\bn_\bf_\b__\bf_\bi_\bl_\be] [-\b-d\bd _\bd_\be_\bf_\bt_\by_\bp_\be_\bs]
+                [-\b-f\bf _\bo_\bu_\bt_\bp_\bu_\bt_\b__\bf_\bo_\br_\bm_\ba_\bt] [-\b-i\bi _\bi_\bn_\bp_\bu_\bt_\b__\bf_\bo_\br_\bm_\ba_\bt] [-\b-I\bI _\bi_\bn_\bc_\br_\be_\bm_\be_\bn_\bt]
+                [-\b-m\bm _\bf_\bi_\bl_\bt_\be_\br] [-\b-o\bo _\bo_\bu_\bt_\bp_\bu_\bt_\b__\bf_\bi_\bl_\be] [-\b-O\bO _\bs_\bt_\ba_\br_\bt_\b__\bp_\bo_\bi_\bn_\bt] [-\b-s\bs _\bs_\be_\bc_\bt_\bi_\bo_\bn_\bs]
+                [_\bi_\bn_\bp_\bu_\bt_\b__\bf_\bi_\bl_\be]
 
 D\bDE\bES\bSC\bCR\bRI\bIP\bPT\bTI\bIO\bON\bN
      c\bcv\bvt\bts\bsu\bud\bdo\boe\ber\brs\bs can be used to convert between _\bs_\bu_\bd_\bo_\be_\br_\bs security policy file
@@ -32,6 +33,26 @@ D\bDE\bES\bSC\bCR\bRI\bIP\bPT\bTI\bIO\bON\bN
                  Specify the path to a configuration file.  Defaults to
                  _\b/_\be_\bt_\bc_\b/_\bc_\bv_\bt_\bs_\bu_\bd_\bo_\be_\br_\bs_\b._\bc_\bo_\bn_\bf.
 
+     -\b-d\bd _\bd_\be_\bf_\bt_\by_\bp_\be_\bs, -\b--\b-d\bde\bef\bfa\bau\bul\blt\bts\bs=_\bd_\be_\bf_\bt_\by_\bp_\be_\bs
+                 Only convert Defaults entries of the specified types.  One or
+                 more Defaults types may be specified, separated by a comma
+                 (`,').  The supported types are:
+
+                 global    Defaults entries that always match.
+
+                 user      Per-user Defaults entries.
+
+                 runas     Per-runas user Defaults entries.
+
+                 host      Per-host Defaults entries.
+
+                 commands  Per-command Defaults entries.
+
+                 See the D\bDe\bef\bfa\bau\bul\blt\bts\bs section in sudoers(4) for more information.
+
+                 If the -\b-d\bd option is not specified, all Defaults entries will
+                 be converted.
+
      -\b-e\be, -\b--\b-e\bex\bxp\bpa\ban\bnd\bd-\b-a\bal\bli\bia\bas\bse\bes\bs
                  Expand aliases in _\bi_\bn_\bp_\bu_\bt_\b__\bf_\bi_\bl_\be.  Aliases are preserved by
                  default when the output _\bf_\bo_\br_\bm_\ba_\bt is JSON or sudoers.
@@ -193,4 +214,4 @@ D\bDI\bIS\bSC\bCL\bLA\bAI\bIM\bME\bER\bR
      file distributed with s\bsu\bud\bdo\bo or https://www.sudo.ws/license.html for
      complete details.
 
-Sudo 1.8.23                     March 22, 2018                     Sudo 1.8.23
+Sudo 1.8.23                     March 28, 2018                     Sudo 1.8.23

diff --git a/doc/cvtsudoers.man.in b/doc/cvtsudoers.man.in
index 116e00a35edf8995df7d585279d53bcceb380d43..360d95ed5168674a27c10c12e4364200059bc9c7 100644 (file)
--- a/doc/cvtsudoers.man.in
+++ b/doc/cvtsudoers.man.in
@@ -16,7 +16,7 @@
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\" ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.TH "CVTSUDOERS" "1" "March 22, 2018" "Sudo @PACKAGE_VERSION@" "General Commands Manual"
+.TH "CVTSUDOERS" "1" "March 28, 2018" "Sudo @PACKAGE_VERSION@" "General Commands Manual"
 .nh
 .if n .ad l
 .SH "NAME"
@@ -28,6 +28,7 @@
 [\fB\-ehMV\fR]
 [\fB\-b\fR\ \fIdn\fR]
 [\fB\-c\fR\ \fIconf_file\fR]
+[\fB\-d\fR\ \fIdeftypes\fR]
 [\fB\-f\fR\ \fIoutput_format\fR]
 [\fB\-i\fR\ \fIinput_format\fR]
 [\fB\-I\fR\ \fIincrement\fR]
@@ -73,6 +74,48 @@ Specify the path to a configuration file.
 Defaults to
 \fI@sysconfdir@/cvtsudoers.conf\fR.
 .TP 12n
+\fB\-d\fR \fIdeftypes\fR, \fB\--defaults\fR=\fIdeftypes\fR
+Only convert
+\fRDefaults\fR
+entries of the specified types.
+One or more
+\fRDefaults\fR
+types may be specified, separated by a comma
+(\(oq\&,\(cq).
+The supported types are:
+.PP
+.RS 12n
+.PD 0
+.TP 10n
+global
+Defaults entries that always match.
+.PD
+.TP 10n
+user
+Per-user Defaults entries.
+.TP 10n
+runas
+Per-runas user Defaults entries.
+.TP 10n
+host
+Per-host Defaults entries.
+.TP 10n
+commands
+Per-command Defaults entries.
+.PP
+See the
+\fBDefaults\fR
+section in
+sudoers(@mansectform@)
+for more information.
+.sp
+If the
+\fB\-d\fR
+option is not specified, all
+\fRDefaults\fR
+entries will be converted.
+.RE
+.TP 12n
 \fB\-e\fR, \fB\--expand-aliases\fR
 Expand aliases in
 \fIinput_file\fR.

diff --git a/doc/cvtsudoers.mdoc.in b/doc/cvtsudoers.mdoc.in
index a9415d600a507898b1b22855b950d34d3f18471b..c3571234ebf50c4d32577abedd26075d192a91c9 100644 (file)
--- a/doc/cvtsudoers.mdoc.in
+++ b/doc/cvtsudoers.mdoc.in
@@ -14,7 +14,7 @@
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\" ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd March 22, 2018
+.Dd March 28, 2018
 .Dt CVTSUDOERS 1
 .Os Sudo @PACKAGE_VERSION@
 .Sh NAME
@@ -25,6 +25,7 @@
 .Op Fl ehMV
 .Op Fl b Ar dn
 .Op Fl c Ar conf_file
+.Op Fl d Ar deftypes
 .Op Fl f Ar output_format
 .Op Fl i Ar input_format
 .Op Fl I Ar increment
@@ -68,6 +69,39 @@ Only necessary when converting to LDIF format.
 Specify the path to a configuration file.
 Defaults to
 .Pa @sysconfdir@/cvtsudoers.conf .
+.It Fl d Ar deftypes , Fl -defaults Ns = Ns Ar deftypes
+Only convert
+.Li Defaults
+entries of the specified types.
+One or more
+.Li Defaults
+types may be specified, separated by a comma
+.Pq Ql \&, .
+The supported types are:
+.Bl -tag -width 8n
+.It global
+Defaults entries that always match.
+.It user
+Per-user Defaults entries.
+.It runas
+Per-runas user Defaults entries.
+.It host
+Per-host Defaults entries.
+.It commands
+Per-command Defaults entries.
+.El
+.Pp
+See the
+.Sy Defaults
+section in
+.Xr sudoers @mansectform@
+for more information.
+.Pp
+If the
+.Fl d
+option is not specified, all
+.Li Defaults
+entries will be converted.
 .It Fl e , Fl -expand-aliases
 Expand aliases in
 .Ar input_file .

diff --git a/plugins/sudoers/cvtsudoers.c b/plugins/sudoers/cvtsudoers.c
index 7ad26bbe3d492413a6fc6f758096e582cac45ac0..208c1ce51503de92df89749ea7854ec68aa58f1d 100644 (file)
--- a/plugins/sudoers/cvtsudoers.c
+++ b/plugins/sudoers/cvtsudoers.c
@@ -56,10 +56,11 @@
 struct cvtsudoers_filter *filters;
 struct sudo_user sudo_user;
 struct passwd *list_pw;
-static const char short_opts[] =  "b:c:ef:hi:I:m:Mo:O:s:V";
+static const char short_opts[] =  "b:c:d:ef:hi:I:m:Mo:O:s:V";
 static struct option long_opts[] = {
     { "base",          required_argument,      NULL,   'b' },
     { "config",                required_argument,      NULL,   'c' },
+    { "defaults",      required_argument,      NULL,   'd' },
     { "expand-aliases",        no_argument,            NULL,   'e' },
     { "output-format", required_argument,      NULL,   'f' },
     { "help",          no_argument,            NULL,   'h' },
@@ -83,9 +84,10 @@ static bool cvtsudoers_parse_filter(char *expression);
 static bool alias_remove_unused(void);
 static struct cvtsudoers_config *cvtsudoers_conf_read(const char *conf_file);
 static void cvtsudoers_conf_free(struct cvtsudoers_config *conf);
+static int cvtsudoers_parse_defaults(char *expression);
 static int cvtsudoers_parse_suppression(char *expression);
 static void filter_userspecs(void);
-static void filter_defaults(void);
+static void filter_defaults(struct cvtsudoers_config *conf);
 
 int
 main(int argc, char *argv[])
@@ -157,6 +159,11 @@ main(int argc, char *argv[])
        case 'c':
            /* handled above */
            break;
+       case 'd':
+           conf->defaults = cvtsudoers_parse_defaults(optarg);
+           if (conf->defaults == -1)
+               usage(1);
+           break;
        case 'e':
            conf->expand_aliases = true;
            break;
@@ -304,13 +311,10 @@ main(int argc, char *argv[])
     }
 
     /* Apply filters. */
-    if (conf->filter != NULL) {
-           filter_userspecs();
-
-           filter_defaults();
-
-           alias_remove_unused();
-    }
+    filter_userspecs();
+    filter_defaults(conf);
+    if (filters != NULL || conf->defaults != CVT_DEFAULTS_ALL)
+       alias_remove_unused();
 
     switch (output_format) {
     case format_json:
@@ -454,6 +458,33 @@ cvtsudoers_conf_free(struct cvtsudoers_config *conf)
     debug_return;
 }
 
+static int
+cvtsudoers_parse_defaults(char *expression)
+{
+    char *last = NULL, *cp = expression;
+    int flags = 0;
+    debug_decl(cvtsudoers_parse_defaults, SUDOERS_DEBUG_UTIL)
+
+    for ((cp = strtok_r(cp, ",", &last)); cp != NULL; (cp = strtok_r(NULL, ",", &last))) {
+       if (strcasecmp(cp, "global") == 0) {
+           SET(flags, CVT_DEFAULTS_GLOBAL);
+       } else if (strcasecmp(cp, "user") == 0) {
+           SET(flags, CVT_DEFAULTS_USER);
+       } else if (strcasecmp(cp, "runas") == 0) {
+           SET(flags, CVT_DEFAULTS_RUNAS);
+       } else if (strcasecmp(cp, "host") == 0) {
+           SET(flags, CVT_DEFAULTS_HOST);
+       } else if (strcasecmp(cp, "command") == 0) {
+           SET(flags, CVT_DEFAULTS_CMND);
+       } else {
+           sudo_warnx(U_("invalid defaults type: %s"), cp);
+           debug_return_int(-1);
+       }
+    }
+
+    debug_return_int(flags);
+}
+
 static int
 cvtsudoers_parse_suppression(char *expression)
 {
@@ -770,6 +801,9 @@ filter_userspecs(void)
     struct privilege *priv, *next_priv;
     debug_decl(filter_userspecs, SUDOERS_DEBUG_UTIL)
 
+    if (filters == NULL)
+       debug_return;
+
     /*
      * Does not currently prune out non-matching entries in the user or
      * host lists.  It acts more like a grep than a true filter.
@@ -800,33 +834,52 @@ filter_userspecs(void)
  * Apply filters to host/user-based Defaults, removing non-matching entries.
  */
 static void
-filter_defaults(void)
+filter_defaults(struct cvtsudoers_config *conf)
 {
     struct defaults *def, *next;
     struct member_list *prev_binding = NULL;
     debug_decl(filter_defaults, SUDOERS_DEBUG_DEFAULTS)
 
+    if (filters == NULL && conf->defaults == CVT_DEFAULTS_ALL)
+       debug_return;
+
     TAILQ_FOREACH_SAFE(def, &defaults, entries, next) {
+       bool keep = true;
+
        switch (def->type) {
+       case DEFAULTS:
+           if (!ISSET(conf->defaults, CVT_DEFAULTS_GLOBAL))
+               keep = false;
+           break;
        case DEFAULTS_USER:
-           if (!userlist_matches_filter(def->binding)) {
-               TAILQ_REMOVE(&defaults, def, entries);
-               free_default(def, &prev_binding);
-           } else {
-               prev_binding = def->binding;
-           }
+           if (!ISSET(conf->defaults, CVT_DEFAULTS_USER) ||
+               !userlist_matches_filter(def->binding))
+               keep = false;
+           break;
+       case DEFAULTS_RUNAS:
+           if (!ISSET(conf->defaults, CVT_DEFAULTS_RUNAS))
+               keep = false;
            break;
        case DEFAULTS_HOST:
-           if (!hostlist_matches_filter(def->binding)) {
-               TAILQ_REMOVE(&defaults, def, entries);
-               free_default(def, &prev_binding);
-           } else {
-               prev_binding = def->binding;
-           }
+           if (!ISSET(conf->defaults, CVT_DEFAULTS_HOST) ||
+               !hostlist_matches_filter(def->binding))
+               keep = false;
+           break;
+       case DEFAULTS_CMND:
+           if (!ISSET(conf->defaults, CVT_DEFAULTS_RUNAS))
+               keep = false;
            break;
        default:
+           sudo_fatalx_nodebug("unexpected defaults type %d", def->type);
            break;
        }
+
+       if (!keep) {
+           TAILQ_REMOVE(&defaults, def, entries);
+           free_default(def, &prev_binding);
+       } else {
+           prev_binding = def->binding;
+       }
     }
     debug_return;
 }
@@ -1023,9 +1076,9 @@ static void
 usage(int fatal)
 {
     (void) fprintf(fatal ? stderr : stdout, "usage: %s [-ehMV] [-b dn] "
-       "[-c conf_file ] [-f output_format] [-i input_format] [-I increment] "
-       "[-m filter] [-o output_file] [-O start_point] [-s sections] "
-       "[input_file]\n", getprogname());
+       "[-c conf_file ] [-d deftypes] [-f output_format] [-i input_format] "
+       "[-I increment] [-m filter] [-o output_file] [-O start_point] "
+       "[-s sections] [input_file]\n", getprogname());
     if (fatal)
        exit(1);
 }
@@ -1037,6 +1090,7 @@ help(void)
     usage(0);
     (void) puts(_("\nOptions:\n"
        "  -b, --base=dn              the base DN for sudo LDAP queries\n"
+       "  -d, --defaults=deftypes    only convert Defaults of the specified types\n"
        "  -e, --expand-aliases       expand aliases when converting\n"
        "  -f, --output-format=format set output format: JSON, LDIF or sudoers\n"
        "  -i, --input-format=format  set input format: LDIF or sudoers\n"

diff --git a/plugins/sudoers/cvtsudoers.h b/plugins/sudoers/cvtsudoers.h
index 4ec4f3bf178253c1e80aa205adf58790ddf72e79..ed804565e66e5a3af60e0519616486dafdd8a5f1 100644 (file)
--- a/plugins/sudoers/cvtsudoers.h
+++ b/plugins/sudoers/cvtsudoers.h
@@ -37,6 +37,14 @@ struct cvtsudoers_str_list {
     unsigned int refcnt;
 };
 
+/* Flags for cvtsudoers_config.defaults */
+#define CVT_DEFAULTS_GLOBAL    0x01
+#define CVT_DEFAULTS_USER      0x02
+#define CVT_DEFAULTS_RUNAS     0x04
+#define CVT_DEFAULTS_HOST      0x08
+#define CVT_DEFAULTS_CMND      0x10
+#define CVT_DEFAULTS_ALL       0xff
+
 /* Flags for cvtsudoers_config.suppress */
 #define SUPPRESS_DEFAULTS      0x01
 #define SUPPRESS_ALIASES       0x02
@@ -50,13 +58,14 @@ struct cvtsudoers_config {
     char *filter;
     unsigned int sudo_order;
     unsigned int order_increment;
-    int suppress;
+    short defaults;
+    short suppress;
     bool expand_aliases;
     bool store_options;
 };
 
 /* Initial config settings for above. */
-#define INITIAL_CONFIG { NULL, NULL, NULL, NULL, 1, 1, 0, false, true }
+#define INITIAL_CONFIG { NULL, NULL, NULL, NULL, 1, 1, CVT_DEFAULTS_ALL, 0, false, true }
 
 #define CONF_BOOL      0
 #define CONF_UINT      1