From 8a237eb07d5b761ba0d9ddd15837c7a48ea56875 Mon Sep 17 00:00:00 2001 From: "Todd C. Miller" Date: Thu, 22 Mar 2018 11:38:39 -0600 Subject: [PATCH] Add cvtsudoers command line option to suppress certain parts of the security policy. Can be used to suppress displaying of Defaults entries, aliases or privileges. --- doc/cvtsudoers.cat | 11 +++++- doc/cvtsudoers.man.in | 17 ++++++++- doc/cvtsudoers.mdoc.in | 16 +++++++- plugins/sudoers/cvtsudoers.c | 63 ++++++++++++++++++++++++------- plugins/sudoers/cvtsudoers.h | 8 +++- plugins/sudoers/cvtsudoers_json.c | 12 ++++-- plugins/sudoers/cvtsudoers_ldif.c | 6 ++- 7 files changed, 110 insertions(+), 23 deletions(-) diff --git a/doc/cvtsudoers.cat b/doc/cvtsudoers.cat index e6361f58c..eec3a9174 100644 --- a/doc/cvtsudoers.cat +++ b/doc/cvtsudoers.cat @@ -6,7 +6,7 @@ NNAAMMEE SSYYNNOOPPSSIISS ccvvttssuuddooeerrss [--eehhVV] [--bb _d_n] [--cc _c_o_n_f___f_i_l_e] [--ff _o_u_t_p_u_t___f_o_r_m_a_t] [--ii _i_n_p_u_t___f_o_r_m_a_t] [--II _i_n_c_r_e_m_e_n_t] [--mm _f_i_l_t_e_r] [--oo _o_u_t_p_u_t___f_i_l_e] - [--OO _s_t_a_r_t___p_o_i_n_t] [_i_n_p_u_t___f_i_l_e] + [--OO _s_t_a_r_t___p_o_i_n_t] [--ss _s_e_c_t_i_o_n_s] [_i_n_p_u_t___f_i_l_e] DDEESSCCRRIIPPTTIIOONN ccvvttssuuddooeerrss can be used to convert between _s_u_d_o_e_r_s security policy file @@ -113,6 +113,13 @@ DDEESSCCRRIIPPTTIIOONN point of 0 will disable the generation of sudoOrder attributes in the resulting LDIF file. + --ss _s_e_c_t_i_o_n_s, ----ssuupppprreessss=_s_e_c_t_i_o_n_s + Suppress the output of specific _s_e_c_t_i_o_n_s of the security + policy. One or more section names may be specified, + separated by a comma (`,'). The supported section name are: + ddeeffaauullttss, aalliiaasseess and pprriivviilleeggeess (which may be shortened to + pprriivvss). + --VV, ----vveerrssiioonn Print the ccvvttssuuddooeerrss and _s_u_d_o_e_r_s grammar versions and exit. 
@@ -176,4 +183,4 @@ DDIISSCCLLAAIIMMEERR file distributed with ssuuddoo or https://www.sudo.ws/license.html for complete details. -Sudo 1.8.23 March 21, 2018 Sudo 1.8.23 +Sudo 1.8.23 March 22, 2018 Sudo 1.8.23 diff --git a/doc/cvtsudoers.man.in b/doc/cvtsudoers.man.in index 599f64e9d..f08e7e328 100644 --- a/doc/cvtsudoers.man.in +++ b/doc/cvtsudoers.man.in @@ -16,7 +16,7 @@ .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. .\" ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.TH "CVTSUDOERS" "8" "March 21, 2018" "Sudo @PACKAGE_VERSION@" "System Manager's Manual" +.TH "CVTSUDOERS" "8" "March 22, 2018" "Sudo @PACKAGE_VERSION@" "System Manager's Manual" .nh .if n .ad l .SH "NAME" @@ -34,6 +34,7 @@ [\fB\-m\fR\ \fIfilter\fR] [\fB\-o\fR\ \fIoutput_file\fR] [\fB\-O\fR\ \fIstart_point\fR] +[\fB\-s\fR\ \fIsections\fR] [\fIinput_file\fR] .SH "DESCRIPTION" \fBcvtsudoers\fR @@ -214,6 +215,20 @@ Defaults to a starting point of 1. A starting point of 0 will disable the generation of sudoOrder attributes in the resulting LDIF file. .TP 12n +\fB\-s\fR \fIsections\fR, \fB\--suppress\fR=\fIsections\fR +Suppress the output of specific +\fIsections\fR +of the security policy. +One or more section names may be specified, separated by a comma +(\(oq\&,\(cq). +The supported section name are: +\fBdefaults\fR, +\fBaliases\fR +and +\fBprivileges\fR +(which may be shortened to +\fBprivs\fR). +.TP 12n \fB\-V\fR, \fB\--version\fR Print the \fBcvtsudoers\fR diff --git a/doc/cvtsudoers.mdoc.in b/doc/cvtsudoers.mdoc.in index 81e492c1d..ce1e5630e 100644 --- a/doc/cvtsudoers.mdoc.in +++ b/doc/cvtsudoers.mdoc.in @@ -14,7 +14,7 @@ .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. .\" ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd March 21, 2018 +.Dd March 22, 2018 .Dt CVTSUDOERS @mansectsu@ .Os Sudo @PACKAGE_VERSION@ .Sh NAME 
@@ -31,6 +31,7 @@ .Op Fl m Ar filter .Op Fl o Ar output_file .Op Fl O Ar start_point +.Op Fl s Ar sections .Op Ar input_file .Sh DESCRIPTION .Nm @@ -176,6 +177,19 @@ option for details. Defaults to a starting point of 1. A starting point of 0 will disable the generation of sudoOrder attributes in the resulting LDIF file. +.It Fl s Ar sections , Fl -suppress Ns = Ns Ar sections +Suppress the output of specific +.Ar sections +of the security policy. +One or more section names may be specified, separated by a comma +.Pq Ql \&, . +The supported section name are: +.Sy defaults , +.Sy aliases +and +.Sy privileges +(which may be shortened to +.Sy privs ) . .It Fl V , -version Print the .Nm diff --git a/plugins/sudoers/cvtsudoers.c b/plugins/sudoers/cvtsudoers.c index c61d09073..4cd556252 100644 --- a/plugins/sudoers/cvtsudoers.c +++ b/plugins/sudoers/cvtsudoers.c @@ -56,7 +56,7 @@ struct cvtsudoers_filter *filters; struct sudo_user sudo_user; struct passwd *list_pw; -static const char short_opts[] = "b:c:ef:hi:I:m:o:O:V"; +static const char short_opts[] = "b:c:ef:hi:I:m:o:O:s:V"; static struct option long_opts[] = { { "base", required_argument, NULL, 'b' }, { "config", required_argument, NULL, 'c' }, @@ -68,6 +68,7 @@ static struct option long_opts[] = { { "match", required_argument, NULL, 'm' }, { "order-start", required_argument, NULL, 'O' }, { "output", required_argument, NULL, 'o' }, + { "suppress", required_argument, NULL, 's' }, { "version", no_argument, NULL, 'V' }, { NULL, no_argument, NULL, '\0' }, }; @@ -81,6 +82,7 @@ static bool cvtsudoers_parse_filter(char *expression); static bool alias_remove_unused(void); static struct cvtsudoers_config *cvtsudoers_conf_read(const char *conf_file); static void cvtsudoers_conf_free(struct cvtsudoers_config *conf); +static int cvtsudoers_parse_suppression(char *expression); static void filter_userspecs(void); static void filter_defaults(void); 
@@ -195,6 +197,11 @@ main(int argc, char *argv[]) usage(1); } break; + case 's': + conf->suppress = cvtsudoers_parse_suppression(optarg); + if (conf->suppress == -1) + usage(1); + break; case 'V': (void) printf(_("%s version %s\n"), getprogname(), PACKAGE_VERSION); @@ -436,6 +443,29 @@ cvtsudoers_conf_free(struct cvtsudoers_config *conf) debug_return; } +static int +cvtsudoers_parse_suppression(char *expression) +{ + char *last = NULL, *cp = expression; + int flags = 0; + debug_decl(cvtsudoers_parse_suppression, SUDOERS_DEBUG_UTIL) + + for ((cp = strtok_r(cp, ",", &last)); cp != NULL; (cp = strtok_r(NULL, ",", &last))) { + if (strcasecmp(cp, "defaults") == 0) { + SET(flags, SUPPRESS_DEFAULTS); + } else if (strcasecmp(cp, "aliases") == 0) { + SET(flags, SUPPRESS_ALIASES); + } else if (strcasecmp(cp, "privileges") == 0 || strcasecmp(cp, "privs") == 0) { + SET(flags, SUPPRESS_PRIVS); + } else { + sudo_warnx(U_("invalid suppression type: %s"), cp); + debug_return_int(-1); + } + } + + debug_return_int(flags); +} + static bool cvtsudoers_parse_filter(char *expression) { @@ -929,15 +959,17 @@ convert_sudoers_sudoers(const char *output_file, struct cvtsudoers_config *conf) sudo_lbuf_init(&lbuf, convert_sudoers_output, 4, "\\", 80); /* Print Defaults */ - if (!print_defaults_sudoers(&lbuf, conf->expand_aliases)) - goto done; - if (lbuf.len > 0) { - sudo_lbuf_print(&lbuf); - sudo_lbuf_append(&lbuf, "\n"); + if (!ISSET(conf->suppress, SUPPRESS_DEFAULTS)) { + if (!print_defaults_sudoers(&lbuf, conf->expand_aliases)) + goto done; + if (lbuf.len > 0) { + sudo_lbuf_print(&lbuf); + sudo_lbuf_append(&lbuf, "\n"); + } } /* Print Aliases */ - if (!conf->expand_aliases) { + if (!conf->expand_aliases && !ISSET(conf->suppress, SUPPRESS_ALIASES)) { if (!print_aliases_sudoers(&lbuf)) goto done; if (lbuf.len > 1) { 
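Review bot: In the new `case 's'`, each occurrence of the option overwrites the previous result (`conf->suppress = cvtsudoers_parse_suppression(optarg);`), so `-s defaults -s aliases` ends up suppressing only aliases, with no diagnostic. The documented form is a single comma-separated list, so this is not wrong as such, but silently dropping an earlier option is surprising for a tool whose output is reviewed as policy; accumulating is a small change: `int sup = cvtsudoers_parse_suppression(optarg); if (sup == -1) usage(1); conf->suppress |= sup;`. Alternatively, state in the -s description that the last occurrence wins. main() starts and ends outside this hunk.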
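Review bot: `cvtsudoers_parse_suppression` returns 0 for an empty argument (`-s ""`) or one made only of commas: strtok_r() yields no token, the loop body never executes and `flags` stays 0, so the option is accepted and silently does nothing, while `-s bogus` is correctly rejected. Because the -1 error sentinel and the flag set share one signed int, the caller cannot tell this apart from a genuine result, so I would reject it here, after the loop: `if (flags == 0) { sudo_warnx(U_("invalid suppression type: %s"), expression); debug_return_int(-1); }` (strtok_r() leaves the buffer untouched when it finds no token, so the message shows the original argument). Note also that strtok_r() skips runs of delimiters, so `defaults,,privs` is accepted; that leniency seems acceptable but is worth knowing when writing tests. The SUPPRESS_* values are defined in cvtsudoers.h, outside this hunk.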
@@ -947,10 +979,14 @@ convert_sudoers_sudoers(const char *output_file, struct cvtsudoers_config *conf) } /* Print User_Specs, separated by blank lines. */ - if (!sudoers_format_userspecs(&lbuf, &userspecs, "\n", conf->expand_aliases, true)) - goto done; - if (lbuf.len > 1) { - sudo_lbuf_print(&lbuf); + if (!ISSET(conf->suppress, SUPPRESS_PRIVS)) { + if (!sudoers_format_userspecs(&lbuf, &userspecs, "\n", + conf->expand_aliases, true)) { + goto done; + } + if (lbuf.len > 1) { + sudo_lbuf_print(&lbuf); + } } done: @@ -977,8 +1013,8 @@ usage(int fatal) { (void) fprintf(fatal ? stderr : stdout, "usage: %s [-ehV] [-b dn] " "[-c conf_file ] [-f output_format] [-i input_format] [-I increment] " - "[-m filter] [-o output_file] [-O start_point] [input_file]\n", - getprogname()); + "[-m filter] [-o output_file] [-O start_point] [-s sections] " + "[input_file]\n", getprogname()); if (fatal) exit(1); } @@ -998,6 +1034,7 @@ help(void) " -m, --match=filter only convert entries that match the filter expression\n" " -o, --output=output_file write converted sudoers to output_file\n" " -O, --order-start=num starting point for first sudoOrder\n" + " -s, --suppress=sections suppress output of certain sections\n" " -V, --version display version information and exit")); exit(0); } diff --git a/plugins/sudoers/cvtsudoers.h b/plugins/sudoers/cvtsudoers.h index acc356576..c3ff522ee 100644 --- a/plugins/sudoers/cvtsudoers.h +++ b/plugins/sudoers/cvtsudoers.h @@ -37,6 +37,11 @@ struct cvtsudoers_str_list { unsigned int refcnt; }; +/* Flags for cvtsudoers_config.suppress */ +#define SUPPRESS_DEFAULTS 0x01 +#define SUPPRESS_ALIASES 0x02 +#define SUPPRESS_PRIVS 0x04 + /* cvtsudoers.conf settings */ struct cvtsudoers_config { char *sudoers_base; 
@@ -45,12 +50,13 @@ struct cvtsudoers_config { char *filter; unsigned int sudo_order; unsigned int order_increment; + int suppress; bool expand_aliases; bool store_options; }; /* Initial config settings for above. */ -#define INITIAL_CONFIG { NULL, NULL, NULL, NULL, 1, 1, false, true } +#define INITIAL_CONFIG { NULL, NULL, NULL, NULL, 1, 1, 0, false, true } #define CONF_BOOL 0 #define CONF_UINT 1 diff --git a/plugins/sudoers/cvtsudoers_json.c b/plugins/sudoers/cvtsudoers_json.c index dbee32657..c648f903f 100644 --- a/plugins/sudoers/cvtsudoers_json.c +++ b/plugins/sudoers/cvtsudoers_json.c @@ -1118,14 +1118,20 @@ convert_sudoers_json(const char *output_file, struct cvtsudoers_config *conf) putc('{', output_fp); /* Dump Defaults in JSON format. */ - need_comma = print_defaults_json(output_fp, indent, conf->expand_aliases, need_comma); + if (!ISSET(conf->suppress, SUPPRESS_DEFAULTS)) { + need_comma = print_defaults_json(output_fp, indent, + conf->expand_aliases, need_comma); + } /* Dump Aliases in JSON format. */ - if (!conf->expand_aliases) + if (!conf->expand_aliases && !ISSET(conf->suppress, SUPPRESS_ALIASES)) need_comma = print_aliases_json(output_fp, indent, need_comma); /* Dump User_Specs in JSON format. */ - print_userspecs_json(output_fp, indent, conf->expand_aliases, need_comma); + if (!ISSET(conf->suppress, SUPPRESS_PRIVS)) { + print_userspecs_json(output_fp, indent, conf->expand_aliases, + need_comma); + } /* Close JSON output. */ fputs("\n}\n", output_fp); diff --git a/plugins/sudoers/cvtsudoers_ldif.c b/plugins/sudoers/cvtsudoers_ldif.c index 6bc8685c3..341c674ae 100644 --- a/plugins/sudoers/cvtsudoers_ldif.c +++ b/plugins/sudoers/cvtsudoers_ldif.c 
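Review bot: `INITIAL_CONFIG` is a positional initializer, so inserting `int suppress` ahead of `expand_aliases` forced a matching edit in the middle of the list, and any future member added in the wrong position will silently shift the values onto the wrong fields. A designated initializer — `#define INITIAL_CONFIG { .sudo_order = 1, .order_increment = 1, .store_options = true }` — pins each value to its member and leaves the pointers, `suppress` and `expand_aliases` at NULL/0/false, assuming the project's compiler baseline permits C99 initializers. The neighbouring `filter`, `sudo_order` and `order_increment` members look like cvtsudoers.conf settings (the `CONF_BOOL`/`CONF_UINT` keyword kinds follow), whereas this diff only ever sets `suppress` from the command line; if that is intentional, a comment on the member such as `/* -s sections; command-line only, not read from cvtsudoers.conf */` would save the next reader from hunting for a missing table entry. struct cvtsudoers_config begins outside this hunk.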
@@ -496,10 +496,12 @@ convert_sudoers_ldif(const char *output_file, struct cvtsudoers_config *conf) seen_users = rbcreate(seen_user_compare); /* Dump global Defaults in LDIF format. */ - print_global_defaults_ldif(output_fp, conf->sudoers_base); + if (!ISSET(conf->suppress, SUPPRESS_DEFAULTS)) + print_global_defaults_ldif(output_fp, conf->sudoers_base); /* Dump User_Specs in LDIF format, expanding Aliases. */ - print_userspecs_ldif(output_fp, conf); + if (!ISSET(conf->suppress, SUPPRESS_PRIVS)) + print_userspecs_ldif(output_fp, conf); /* Clean up. */ rbdestroy(seen_users, seen_user_free); -- 2.40.0
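Review bot: `convert_sudoers_ldif` now honours `SUPPRESS_DEFAULTS` and `SUPPRESS_PRIVS` but never consults `SUPPRESS_ALIASES`; aliases are folded into the sudoRole entries (per `/* Dump User_Specs in LDIF format, expanding Aliases. */`), so `-s aliases` with LDIF output is accepted by the option parser and silently changes nothing. A warning here, e.g. `if (ISSET(conf->suppress, SUPPRESS_ALIASES)) sudo_warnx(U_("aliases are always expanded in LDIF output"));`, or a sentence in the -s documentation limiting `aliases` to sudoers and JSON output, would close that gap. Separately, since LDIF output is what gets imported into a directory as the live policy, it is worth documenting that `-s defaults` drops the global Defaults while keeping every privilege, which can yield a policy more permissive than the source sudoers wherever restrictive settings were expressed as Defaults options. The function begins and ends outside this hunk.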