From 99978e4a7037732a2094d367afb3dbef1668284c Mon Sep 17 00:00:00 2001
From: "Todd C. Miller"
Date: Mon, 22 Feb 2016 11:07:33 -0700
Subject: [PATCH] Fix documented bug with duplicate role names and turn on perl warnings. Based on a diff from Aaron Peschel
---
 doc/CONTRIBUTORS | 1 +
 plugins/sudoers/sudoers2ldif | 37 ++++++++++++++++++++----------------
 2 files changed, 22 insertions(+), 16 deletions(-)
diff --git a/doc/CONTRIBUTORS b/doc/CONTRIBUTORS
index b5f08004a..f132e9572 100644
--- a/doc/CONTRIBUTORS
+++ b/doc/CONTRIBUTORS
@@ -112,6 +112,7 @@ you believe you should be listed, please send a note to sudo@sudo.ws.
 Percival, Ted
 Perera, Andres
 Peron, Christian S.J.
+ Peschel, Aaron
 Peslyak, Alexander
 Peterson, Toby
 Pettenò, Diego Elio
diff --git a/plugins/sudoers/sudoers2ldif b/plugins/sudoers/sudoers2ldif
index 3c165bc7c..7bceef1a9 100755
--- a/plugins/sudoers/sudoers2ldif
+++ b/plugins/sudoers/sudoers2ldif
@@ -15,6 +15,7 @@
 # OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 #
+use warnings;
 use strict;
 #
@@ -27,11 +28,10 @@ use strict;
 # Does not yet remove quotation marks from options
 # Does not yet escape + at the beginning of a dn
 # Does not yet handle line wraps correctly
-# Does not yet handle multiple roles with same name (needs tiebreaker)
 #
 # CAVEATS:
 # Sudoers entries can have multiple RunAs entries that override former ones,
-# with LDAP sudoRunAs{Group,User} applies to all commands in a sudoRole
+# with LDAP sudoRunAs{Group,User} applies to all commands in a sudoRole
 my %RA;
 my %UA;
@@ -42,6 +42,7 @@ my @options=();
 my $did_defaults=0;
 my $order = 0;
+my %seen_users;
 # parse sudoers one line at a time
 while (<>){
@@ -91,26 +92,33 @@ while (<>){
 }
 # Definition
 my @users=split /\s*,\s*/,$p1;
+ my $username = $users[0];
+ if ($seen_users{$username}) {
+ $seen_users{$username} += 1;
+ $username = sprintf("%s_%s", $username, $seen_users{$username});
+ } else {
+ $seen_users{$username} = 1;
+ }
 my @hosts=split /\s*,\s*/,$p2;
 my @cmds= split /\s*,\s*/,$p3;
 @options=();
- print "dn: cn=$users[0],$base\n";
+ print "dn: cn=$username,$base\n";
 print "objectClass: top\n";
 print "objectClass: sudoRole\n";
- print "cn: $users[0]\n";
+ print "cn: $username\n";
 # will clobber options
 print "sudoUser: $_\n" foreach expand(\%UA,@users);
 print "sudoHost: $_\n" foreach expand(\%HA,@hosts);
 foreach (@cmds) {
- if (s/^\(([^\)]+)\)\s*//) {
- my @runas = split(/:\s*/, $1);
- if (defined($runas[0])) {
- print "sudoRunAsUser: $_\n" foreach expand(\%RA, split(/,\s*/, $runas[0]));
- }
- if (defined($runas[1])) {
- print "sudoRunAsGroup: $_\n" foreach expand(\%RA, split(/,\s*/, $runas[1]));
- }
- }
+ if (s/^\(([^\)]+)\)\s*//) {
+ my @runas = split(/:\s*/, $1);
+ if (defined($runas[0])) {
+ print "sudoRunAsUser: $_\n" foreach expand(\%RA, split(/,\s*/, $runas[0]));
+ }
+ if (defined($runas[1])) {
+ print "sudoRunAsGroup: $_\n" foreach expand(\%RA, split(/,\s*/, $runas[1]));
+ }
+ }
 }
 print "sudoCommand: $_\n" foreach expand(\%CA,@cmds);
 print "sudoOption: $_\n" foreach @options;
@@ -120,7 +128,6 @@ while (<>){ } else { print "parse error: $_\n"; } - } #
@@ -150,5 +157,3 @@ sub expand{
 push @a,$ref->{$_} ? expand($ref,split /\s*,\s*/,$ref->{$_}):$_ foreach @_;
 @a;
 }
-
-
--
2.40.0
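Review bot: The tiebreaker added in the `@@ -91,26 +92,33 @@` hunk can still print two entries with the same dn, because `%seen_users` records only the first user of each rule and never the suffixed name it generates: with rules for `alice`, `alice` and then a literal `alice_2`, the second and third both come out as `cn=alice_2`. A duplicate dn would normally be rejected when the LDIF is loaded, so one sudoRole could be missing from the directory and the effective policy would no longer match the sudoers file. Tracking the final cn closes the gap, for example by replacing the if/else with `my $n = 1;` `$username = sprintf("%s_%d", $users[0], ++$n) while $seen_users{$username};` `$seen_users{$username} = 1;`. The hash lookup is also case-sensitive whereas LDAP usually compares cn values case-insensitively, so keying on `lc $username` is worth considering; the enclosing `while (<>)` loop starts and ends outside this hunk.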