From: Todd C. Miller
Date: Wed, 28 Mar 2018 14:33:07 +0000 (-0600)
Subject: Add -d option to control what type of Defaults entries are converted.
X-Git-Tag: SUDO_1_8_23^2~54
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=aa402cdc3cd92aa64b18884b05fee2567e104af1;p=sudo
Add -d option to control what type of Defaults entries are converted.
---
diff --git a/doc/cvtsudoers.cat b/doc/cvtsudoers.cat
index 172f1c3f2..14ce460dc 100644
--- a/doc/cvtsudoers.cat
+++ b/doc/cvtsudoers.cat
@@ -4,9 +4,10 @@ NNAAMMEE
 ccvvttssuuddooeerrss - convert between sudoers file formats
 
 SSYYNNOOPPSSIISS
- ccvvttssuuddooeerrss [--eehhMMVV] [--bb _d_n] [--cc _c_o_n_f___f_i_l_e] [--ff _o_u_t_p_u_t___f_o_r_m_a_t]
- [--ii _i_n_p_u_t___f_o_r_m_a_t] [--II _i_n_c_r_e_m_e_n_t] [--mm _f_i_l_t_e_r] [--oo _o_u_t_p_u_t___f_i_l_e]
- [--OO _s_t_a_r_t___p_o_i_n_t] [--ss _s_e_c_t_i_o_n_s] [_i_n_p_u_t___f_i_l_e]
+ ccvvttssuuddooeerrss [--eehhMMVV] [--bb _d_n] [--cc _c_o_n_f___f_i_l_e] [--dd _d_e_f_t_y_p_e_s]
+ [--ff _o_u_t_p_u_t___f_o_r_m_a_t] [--ii _i_n_p_u_t___f_o_r_m_a_t] [--II _i_n_c_r_e_m_e_n_t]
+ [--mm _f_i_l_t_e_r] [--oo _o_u_t_p_u_t___f_i_l_e] [--OO _s_t_a_r_t___p_o_i_n_t] [--ss _s_e_c_t_i_o_n_s]
+ [_i_n_p_u_t___f_i_l_e]
 
 DDEESSCCRRIIPPTTIIOONN
 ccvvttssuuddooeerrss can be used to convert between _s_u_d_o_e_r_s security policy file
@@ -32,6 +33,26 @@ DDEESSCCRRIIPPTTIIOONN
 Specify the path to a configuration file. Defaults to
 _/_e_t_c_/_c_v_t_s_u_d_o_e_r_s_._c_o_n_f.
 
+ --dd _d_e_f_t_y_p_e_s, ----ddeeffaauullttss=_d_e_f_t_y_p_e_s
+ Only convert Defaults entries of the specified types. One or
+ more Defaults types may be specified, separated by a comma
+ (`,'). The supported types are:
+
+ global Defaults entries that always match.
+
+ user Per-user Defaults entries.
+
+ runas Per-runas user Defaults entries.
+
+ host Per-host Defaults entries.
+
+ commands Per-command Defaults entries.
+
+ See the DDeeffaauullttss section in sudoers(4) for more information.
+
+ If the --dd option is not specified, all Defaults entries will
+ be converted.
+
 --ee, ----eexxppaanndd--aalliiaasseess
 Expand aliases in _i_n_p_u_t___f_i_l_e. Aliases are preserved by default
 when the output _f_o_r_m_a_t is JSON or sudoers.
@@ -193,4 +214,4 @@ DDIISSCCLLAAIIMMEERR
 file distributed with ssuuddoo or https://www.sudo.ws/license.html for
 complete details.
 
-Sudo 1.8.23 March 22, 2018 Sudo 1.8.23
+Sudo 1.8.23 March 28, 2018 Sudo 1.8.23
diff --git a/doc/cvtsudoers.man.in b/doc/cvtsudoers.man.in
index 116e00a35..360d95ed5 100644
--- a/doc/cvtsudoers.man.in
+++ b/doc/cvtsudoers.man.in
@@ -16,7 +16,7 @@
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\" ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.TH "CVTSUDOERS" "1" "March 22, 2018" "Sudo @PACKAGE_VERSION@" "General Commands Manual"
+.TH "CVTSUDOERS" "1" "March 28, 2018" "Sudo @PACKAGE_VERSION@" "General Commands Manual"
 .nh
 .if n .ad l
 .SH "NAME"
@@ -28,6 +28,7 @@
 [\fB\-ehMV\fR]
 [\fB\-b\fR\ \fIdn\fR]
 [\fB\-c\fR\ \fIconf_file\fR]
+[\fB\-d\fR\ \fIdeftypes\fR]
 [\fB\-f\fR\ \fIoutput_format\fR]
 [\fB\-i\fR\ \fIinput_format\fR]
 [\fB\-I\fR\ \fIincrement\fR]
@@ -73,6 +74,48 @@ Specify the path to a configuration file.
 Defaults to
 \fI@sysconfdir@/cvtsudoers.conf\fR.
 .TP 12n
+\fB\-d\fR \fIdeftypes\fR, \fB\--defaults\fR=\fIdeftypes\fR
+Only convert
+\fRDefaults\fR
+entries of the specified types.
+One or more
+\fRDefaults\fR
+types may be specified, separated by a comma
+(\(oq\&,\(cq).
+The supported types are:
+.PP
+.RS 12n
+.PD 0
+.TP 10n
+global
+Defaults entries that always match.
+.PD
+.TP 10n
+user
+Per-user Defaults entries.
+.TP 10n
+runas
+Per-runas user Defaults entries.
+.TP 10n
+host
+Per-host Defaults entries.
+.TP 10n
+commands
+Per-command Defaults entries.
+.PP
+See the
+\fBDefaults\fR
+section in
+sudoers(@mansectform@)
+for more information.
+.sp
+If the
+\fB\-d\fR
+option is not specified, all
+\fRDefaults\fR
+entries will be converted.
+.RE
+.TP 12n
 \fB\-e\fR, \fB\--expand-aliases\fR
 Expand aliases in
 \fIinput_file\fR.
diff --git a/doc/cvtsudoers.mdoc.in b/doc/cvtsudoers.mdoc.in
index a9415d600..c3571234e 100644
--- a/doc/cvtsudoers.mdoc.in
+++ b/doc/cvtsudoers.mdoc.in
@@ -14,7 +14,7 @@
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\" ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd March 22, 2018
+.Dd March 28, 2018
 .Dt CVTSUDOERS 1
 .Os Sudo @PACKAGE_VERSION@
 .Sh NAME
@@ -25,6 +25,7 @@
 .Op Fl ehMV
 .Op Fl b Ar dn
 .Op Fl c Ar conf_file
+.Op Fl d Ar deftypes
 .Op Fl f Ar output_format
 .Op Fl i Ar input_format
 .Op Fl I Ar increment
@@ -68,6 +69,39 @@ Only necessary when converting to LDIF format.
 Specify the path to a configuration file.
 Defaults to
 .Pa @sysconfdir@/cvtsudoers.conf .
+.It Fl d Ar deftypes , Fl -defaults Ns = Ns Ar deftypes
+Only convert
+.Li Defaults
+entries of the specified types.
+One or more
+.Li Defaults
+types may be specified, separated by a comma
+.Pq Ql \&, .
+The supported types are:
+.Bl -tag -width 8n
+.It global
+Defaults entries that always match.
+.It user
+Per-user Defaults entries.
+.It runas
+Per-runas user Defaults entries.
+.It host
+Per-host Defaults entries.
+.It commands
+Per-command Defaults entries.
+.El
+.Pp
+See the
+.Sy Defaults
+section in
+.Xr sudoers @mansectform@
+for more information.
+.Pp
+If the
+.Fl d
+option is not specified, all
+.Li Defaults
+entries will be converted.
 .It Fl e , Fl -expand-aliases
 Expand aliases in
 .Ar input_file .
diff --git a/plugins/sudoers/cvtsudoers.c b/plugins/sudoers/cvtsudoers.c
index 7ad26bbe3..208c1ce51 100644
--- a/plugins/sudoers/cvtsudoers.c
+++ b/plugins/sudoers/cvtsudoers.c
@@ -56,10 +56,11 @@ struct cvtsudoers_filter *filters;
 struct sudo_user sudo_user;
 struct passwd *list_pw;
 
-static const char short_opts[] = "b:c:ef:hi:I:m:Mo:O:s:V";
+static const char short_opts[] = "b:c:d:ef:hi:I:m:Mo:O:s:V";
 static struct option long_opts[] = {
 { "base", required_argument, NULL, 'b' },
 { "config", required_argument, NULL, 'c' },
+ { "defaults", required_argument, NULL, 'd' },
 { "expand-aliases", no_argument, NULL, 'e' },
 { "output-format", required_argument, NULL, 'f' },
 { "help", no_argument, NULL, 'h' },
@@ -83,9 +84,10 @@ static bool cvtsudoers_parse_filter(char *expression);
 static bool alias_remove_unused(void);
 static struct cvtsudoers_config *cvtsudoers_conf_read(const char *conf_file);
 static void cvtsudoers_conf_free(struct cvtsudoers_config *conf);
+static int cvtsudoers_parse_defaults(char *expression);
 static int cvtsudoers_parse_suppression(char *expression);
 static void filter_userspecs(void);
-static void filter_defaults(void);
+static void filter_defaults(struct cvtsudoers_config *conf);
 
 int
 main(int argc, char *argv[])
@@ -157,6 +159,11 @@ main(int argc, char *argv[])
 case 'c':
 /* handled above */
 break;
+ case 'd':
+ conf->defaults = cvtsudoers_parse_defaults(optarg);
+ if (conf->defaults == -1)
+ usage(1);
+ break;
 case 'e':
 conf->expand_aliases = true;
 break;
@@ -304,13 +311,10 @@ main(int argc, char *argv[])
 }
 
 /* Apply filters. */
- if (conf->filter != NULL) {
- filter_userspecs();
-
- filter_defaults();
-
- alias_remove_unused();
- }
+ filter_userspecs();
+ filter_defaults(conf);
+ if (filters != NULL || conf->defaults != CVT_DEFAULTS_ALL)
+ alias_remove_unused();
 
 switch (output_format) {
 case format_json:
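Review bot: In the new `case 'd':` branch an empty argument (`-d ""`) is accepted silently: cvtsudoers_parse_defaults() returns 0 for a list with no entries, conf->defaults becomes 0, and filter_defaults() then removes every Defaults entry because no type bit is set, which is almost certainly not what the operator intended. Treat "no type selected" as a usage error here, e.g. `if (conf->defaults <= 0) usage(1);`, or have the parser reject an empty expression. The surrounding switch belongs to main(), which begins and ends outside this hunk.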
@@ -454,6 +458,33 @@ cvtsudoers_conf_free(struct cvtsudoers_config *conf)
 debug_return;
 }
 
+static int
+cvtsudoers_parse_defaults(char *expression)
+{
+ char *last = NULL, *cp = expression;
+ int flags = 0;
+ debug_decl(cvtsudoers_parse_defaults, SUDOERS_DEBUG_UTIL)
+
+ for ((cp = strtok_r(cp, ",", &last)); cp != NULL; (cp = strtok_r(NULL, ",", &last))) {
+ if (strcasecmp(cp, "global") == 0) {
+ SET(flags, CVT_DEFAULTS_GLOBAL);
+ } else if (strcasecmp(cp, "user") == 0) {
+ SET(flags, CVT_DEFAULTS_USER);
+ } else if (strcasecmp(cp, "runas") == 0) {
+ SET(flags, CVT_DEFAULTS_RUNAS);
+ } else if (strcasecmp(cp, "host") == 0) {
+ SET(flags, CVT_DEFAULTS_HOST);
+ } else if (strcasecmp(cp, "command") == 0) {
+ SET(flags, CVT_DEFAULTS_CMND);
+ } else {
+ sudo_warnx(U_("invalid defaults type: %s"), cp);
+ debug_return_int(-1);
+ }
+ }
+
+ debug_return_int(flags);
+}
+
 static int
 cvtsudoers_parse_suppression(char *expression)
 {
@@ -770,6 +801,9 @@ filter_userspecs(void)
 struct privilege *priv, *next_priv;
 debug_decl(filter_userspecs, SUDOERS_DEBUG_UTIL)
 
+ if (filters == NULL)
+ debug_return;
+
 /*
 * Does not currently prune out non-matching entries in the user or
 * host lists. It acts more like a grep than a true filter.
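Review bot: cvtsudoers_parse_defaults() accepts the per-command type only as `command`, while all three manual-page sources in this commit document it as `commands`, so following the documentation (`-d commands`) fails with "invalid defaults type: commands". Either change the comparison to `strcasecmp(cp, "commands") == 0` or correct the manuals; accepting both spellings would also be reasonable. A short comment above the loop noting that type names are matched case-insensitively and that `strtok_r` silently skips empty fields (`global,,user`) would document the accepted syntax, since neither is stated in the manual text.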
@@ -800,33 +834,52 @@ filter_userspecs(void)
 * Apply filters to host/user-based Defaults, removing non-matching entries.
 */
 static void
-filter_defaults(void)
+filter_defaults(struct cvtsudoers_config *conf)
 {
 struct defaults *def, *next;
 struct member_list *prev_binding = NULL;
 debug_decl(filter_defaults, SUDOERS_DEBUG_DEFAULTS)
 
+ if (filters == NULL && conf->defaults == CVT_DEFAULTS_ALL)
+ debug_return;
+
 TAILQ_FOREACH_SAFE(def, &defaults, entries, next) {
+ bool keep = true;
+
 switch (def->type) {
+ case DEFAULTS:
+ if (!ISSET(conf->defaults, CVT_DEFAULTS_GLOBAL))
+ keep = false;
+ break;
 case DEFAULTS_USER:
- if (!userlist_matches_filter(def->binding)) {
- TAILQ_REMOVE(&defaults, def, entries);
- free_default(def, &prev_binding);
- } else {
- prev_binding = def->binding;
- }
+ if (!ISSET(conf->defaults, CVT_DEFAULTS_USER) ||
+ !userlist_matches_filter(def->binding))
+ keep = false;
+ break;
+ case DEFAULTS_RUNAS:
+ if (!ISSET(conf->defaults, CVT_DEFAULTS_RUNAS))
+ keep = false;
 break;
 case DEFAULTS_HOST:
- if (!hostlist_matches_filter(def->binding)) {
- TAILQ_REMOVE(&defaults, def, entries);
- free_default(def, &prev_binding);
- } else {
- prev_binding = def->binding;
- }
+ if (!ISSET(conf->defaults, CVT_DEFAULTS_HOST) ||
+ !hostlist_matches_filter(def->binding))
+ keep = false;
+ break;
+ case DEFAULTS_CMND:
+ if (!ISSET(conf->defaults, CVT_DEFAULTS_RUNAS))
+ keep = false;
 break;
 default:
+ sudo_fatalx_nodebug("unexpected defaults type %d", def->type);
 break;
 }
+
+ if (!keep) {
+ TAILQ_REMOVE(&defaults, def, entries);
+ free_default(def, &prev_binding);
+ } else {
+ prev_binding = def->binding;
+ }
 }
 debug_return;
 }
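Review bot: The new `case DEFAULTS_CMND:` branch tests `CVT_DEFAULTS_RUNAS` instead of `CVT_DEFAULTS_CMND`, so per-command Defaults are kept or dropped according to whether `runas` was selected: `-d command` alone removes every per-command entry and `-d runas` keeps them, the opposite of what the option promises. The line should read `if (!ISSET(conf->defaults, CVT_DEFAULTS_CMND))`. Separately, this function now runs with `filters == NULL` whenever -d is given without -m, so `userlist_matches_filter()` and `hostlist_matches_filter()` (defined outside this hunk) must treat an absent filter as a match; previously they were only reached under `conf->filter != NULL`, so that behaviour is worth confirming. The header comment still says "Apply filters to host/user-based Defaults" and could mention that it also drops the types not selected with -d.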
@@ -1023,9 +1076,9 @@ static void
 usage(int fatal)
 {
 (void) fprintf(fatal ? stderr : stdout, "usage: %s [-ehMV] [-b dn] "
- "[-c conf_file ] [-f output_format] [-i input_format] [-I increment] "
- "[-m filter] [-o output_file] [-O start_point] [-s sections] "
- "[input_file]\n", getprogname());
+ "[-c conf_file ] [-d deftypes] [-f output_format] [-i input_format] "
+ "[-I increment] [-m filter] [-o output_file] [-O start_point] "
+ "[-s sections] [input_file]\n", getprogname());
 if (fatal)
 exit(1);
 }
@@ -1037,6 +1090,7 @@ help(void)
 usage(0);
 (void) puts(_("\nOptions:\n"
 " -b, --base=dn the base DN for sudo LDAP queries\n"
+ " -d, --defaults=deftypes only convert Defaults of the specified types\n"
 " -e, --expand-aliases expand aliases when converting\n"
 " -f, --output-format=format set output format: JSON, LDIF or sudoers\n"
 " -i, --input-format=format set input format: LDIF or sudoers\n"
diff --git a/plugins/sudoers/cvtsudoers.h b/plugins/sudoers/cvtsudoers.h
index 4ec4f3bf1..ed804565e 100644
--- a/plugins/sudoers/cvtsudoers.h
+++ b/plugins/sudoers/cvtsudoers.h
@@ -37,6 +37,14 @@ struct cvtsudoers_str_list {
 unsigned int refcnt;
 };
 
+/* Flags for cvtsudoers_config.defaults */
+#define CVT_DEFAULTS_GLOBAL 0x01
+#define CVT_DEFAULTS_USER 0x02
+#define CVT_DEFAULTS_RUNAS 0x04
+#define CVT_DEFAULTS_HOST 0x08
+#define CVT_DEFAULTS_CMND 0x10
+#define CVT_DEFAULTS_ALL 0xff
+
 /* Flags for cvtsudoers_config.suppress */
 #define SUPPRESS_DEFAULTS 0x01
 #define SUPPRESS_ALIASES 0x02
@@ -50,13 +58,14 @@ struct cvtsudoers_config {
 char *filter;
 unsigned int sudo_order;
 unsigned int order_increment;
- int suppress;
+ short defaults;
+ short suppress;
 bool expand_aliases;
 bool store_options;
 };
 
 /* Initial config settings for above. */
-#define INITIAL_CONFIG { NULL, NULL, NULL, NULL, 1, 1, 0, false, true }
+#define INITIAL_CONFIG { NULL, NULL, NULL, NULL, 1, 1, CVT_DEFAULTS_ALL, 0, false, true }
 
 #define CONF_BOOL 0
 #define CONF_UINT 1
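Review bot: `CVT_DEFAULTS_ALL` is defined as 0xff although the five type flags only occupy 0x1f, so a user who names every type explicitly (`-d global,user,runas,host,command`) ends up with 0x1f, which main() treats as a restriction (`conf->defaults != CVT_DEFAULTS_ALL`) and so prunes unused aliases, whereas omitting -d does not. Defining the mask from the real flags, `#define CVT_DEFAULTS_ALL (CVT_DEFAULTS_GLOBAL|CVT_DEFAULTS_USER|CVT_DEFAULTS_RUNAS|CVT_DEFAULTS_HOST|CVT_DEFAULTS_CMND)`, makes the two spellings equivalent and keeps the equality test meaningful if further types are added. The field was also made `short` and is compared against -1 after assignment from an int in main(); that is fine for these values, but a one-line comment on the field noting it holds CVT_DEFAULTS_* bits or -1 on parse failure would help.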