testsudoers: add -L, -l and -v tests

MANIFEST

@@ -1100,8 +1100,14 @@ plugins/sudoers/regress/testsudoers/test27.out.ok
 plugins/sudoers/regress/testsudoers/test27.sh
 plugins/sudoers/regress/testsudoers/test28.out.ok
 plugins/sudoers/regress/testsudoers/test28.sh
+plugins/sudoers/regress/testsudoers/test29.out.ok
+plugins/sudoers/regress/testsudoers/test29.sh
 plugins/sudoers/regress/testsudoers/test3.out.ok
 plugins/sudoers/regress/testsudoers/test3.sh
+plugins/sudoers/regress/testsudoers/test30.out.ok
+plugins/sudoers/regress/testsudoers/test30.sh
+plugins/sudoers/regress/testsudoers/test31.out.ok
+plugins/sudoers/regress/testsudoers/test31.sh
 plugins/sudoers/regress/testsudoers/test4.out.ok
 plugins/sudoers/regress/testsudoers/test4.sh
 plugins/sudoers/regress/testsudoers/test5.out.ok

plugins/sudoers/regress/testsudoers/test29.out.ok

@@ -0,0 +1,133 @@
+listpw = all, 'sudo -l' should require a password
+Parses OK
+
+Entries for user admin:
+
+ALL = NOPASSWD: ALL
+	host  allowed
+	runas allowed
+	cmnd  allowed
+
+ALL = /usr/bin/id
+	host  allowed
+	runas allowed
+	cmnd  allowed
+
+Password required
+
+Command allowed
+
+listpw = all, 'sudo -l' should require a password
+Parses OK
+
+Entries for user admin:
+
+ALL = /usr/bin/id
+	host  allowed
+	runas allowed
+	cmnd  allowed
+
+ALL = NOPASSWD: ALL
+	host  allowed
+	runas allowed
+	cmnd  allowed
+
+Password required
+
+Command allowed
+
+listpw = all, 'sudo -l' should not require a password
+Parses OK
+
+Entries for user admin:
+
+ALL = NOPASSWD: ALL
+	host  allowed
+	runas allowed
+	cmnd  allowed
+
+ALL = NOPASSWD: /usr/bin/id
+	host  allowed
+	runas allowed
+	cmnd  allowed
+
+Command allowed
+
+listpw = always, 'sudo -l' should require a password
+Parses OK
+
+Entries for user admin:
+
+ALL = NOPASSWD: ALL
+	host  allowed
+	runas allowed
+	cmnd  allowed
+
+Password required
+
+Command allowed
+
+listpw = any, 'sudo -l' should require a password
+Parses OK
+
+Entries for user admin:
+
+ALL = ALL
+	host  allowed
+	runas allowed
+	cmnd  allowed
+
+ALL = /usr/bin/id
+	host  allowed
+	runas allowed
+	cmnd  allowed
+
+Password required
+
+Command allowed
+
+listpw = any, 'sudo -l' should not require a password
+Parses OK
+
+Entries for user admin:
+
+ALL = ALL
+	host  allowed
+	runas allowed
+	cmnd  allowed
+
+ALL = NOPASSWD: /usr/bin/id
+	host  allowed
+	runas allowed
+	cmnd  allowed
+
+Command allowed
+
+listpw = any, 'sudo -l' should not require a password
+Parses OK
+
+Entries for user admin:
+
+ALL = NOPASSWD: /usr/bin/id
+	host  allowed
+	runas allowed
+	cmnd  allowed
+
+ALL = ALL
+	host  allowed
+	runas allowed
+	cmnd  allowed
+
+Command allowed
+
+listpw = never, 'sudo -l' should not require a password
+Parses OK
+
+Entries for user admin:
+
+ALL = PASSWD: /usr/bin/id
+	host  allowed
+	runas allowed
+	cmnd  allowed
+
+Command allowed

plugins/sudoers/regress/testsudoers/test29.sh

@@ -0,0 +1,71 @@
+#!/bin/sh
+#
+# Exercise listpw Defaults settings.
+#
+
+: ${TESTSUDOERS=testsudoers}
+
+exec 2>&1
+
+status=0
+
+echo "listpw = all, 'sudo -l' should require a password"
+$TESTSUDOERS -p ${TESTDIR}/passwd -P ${TESTDIR}/group -l admin <<'EOF'
+Defaults listpw = all
+admin ALL = NOPASSWD: ALL
+admin ALL = /usr/bin/id
+EOF
+
+echo ""
+echo "listpw = all, 'sudo -l' should require a password"
+$TESTSUDOERS -p ${TESTDIR}/passwd -P ${TESTDIR}/group -l admin <<'EOF'
+Defaults listpw = all
+admin ALL = /usr/bin/id
+admin ALL = NOPASSWD: ALL
+EOF
+
+echo ""
+echo "listpw = all, 'sudo -l' should not require a password"
+$TESTSUDOERS -p ${TESTDIR}/passwd -P ${TESTDIR}/group -l admin <<'EOF'
+Defaults listpw = all
+admin ALL = NOPASSWD: ALL
+admin ALL = NOPASSWD: /usr/bin/id
+EOF
+
+echo ""
+echo "listpw = always, 'sudo -l' should require a password"
+$TESTSUDOERS -p ${TESTDIR}/passwd -P ${TESTDIR}/group -l admin <<'EOF'
+Defaults listpw = always
+admin ALL = NOPASSWD: ALL
+EOF
+
+echo ""
+echo "listpw = any, 'sudo -l' should require a password"
+$TESTSUDOERS -p ${TESTDIR}/passwd -P ${TESTDIR}/group -l admin <<'EOF'
+Defaults listpw = any
+admin ALL = ALL
+admin ALL = /usr/bin/id
+EOF
+
+echo ""
+echo "listpw = any, 'sudo -l' should not require a password"
+$TESTSUDOERS -p ${TESTDIR}/passwd -P ${TESTDIR}/group -l admin <<'EOF'
+Defaults listpw = any
+admin ALL = ALL
+admin ALL = NOPASSWD: /usr/bin/id
+EOF
+
+echo ""
+echo "listpw = any, 'sudo -l' should not require a password"
+$TESTSUDOERS -p ${TESTDIR}/passwd -P ${TESTDIR}/group -l admin <<'EOF'
+Defaults listpw = any
+admin ALL = NOPASSWD: /usr/bin/id
+admin ALL = ALL
+EOF
+
+echo ""
+echo "listpw = never, 'sudo -l' should not require a password"
+$TESTSUDOERS -p ${TESTDIR}/passwd -P ${TESTDIR}/group -l admin <<'EOF'
+Defaults listpw = never
+admin ALL = PASSWD: /usr/bin/id
+EOF

plugins/sudoers/regress/testsudoers/test30.out.ok

@@ -0,0 +1,133 @@
+verifypw = all, 'sudo -v' should require a password
+Parses OK
+
+Entries for user admin:
+
+ALL = NOPASSWD: ALL
+	host  allowed
+	runas allowed
+	cmnd  allowed
+
+ALL = /usr/bin/id
+	host  allowed
+	runas allowed
+	cmnd  allowed
+
+Password required
+
+Command allowed
+
+verifypw = all, 'sudo -v' should require a password
+Parses OK
+
+Entries for user admin:
+
+ALL = /usr/bin/id
+	host  allowed
+	runas allowed
+	cmnd  allowed
+
+ALL = NOPASSWD: ALL
+	host  allowed
+	runas allowed
+	cmnd  allowed
+
+Password required
+
+Command allowed
+
+verifypw = all, 'sudo -v' should not require a password
+Parses OK
+
+Entries for user admin:
+
+ALL = NOPASSWD: ALL
+	host  allowed
+	runas allowed
+	cmnd  allowed
+
+ALL = NOPASSWD: /usr/bin/id
+	host  allowed
+	runas allowed
+	cmnd  allowed
+
+Command allowed
+
+verifypw = always, 'sudo -v' should require a password
+Parses OK
+
+Entries for user admin:
+
+ALL = NOPASSWD: ALL
+	host  allowed
+	runas allowed
+	cmnd  allowed
+
+Password required
+
+Command allowed
+
+verifypw = any, 'sudo -v' should require a password
+Parses OK
+
+Entries for user admin:
+
+ALL = ALL
+	host  allowed
+	runas allowed
+	cmnd  allowed
+
+ALL = /usr/bin/id
+	host  allowed
+	runas allowed
+	cmnd  allowed
+
+Password required
+
+Command allowed
+
+verifypw = any, 'sudo -v' should not require a password
+Parses OK
+
+Entries for user admin:
+
+ALL = ALL
+	host  allowed
+	runas allowed
+	cmnd  allowed
+
+ALL = NOPASSWD: /usr/bin/id
+	host  allowed
+	runas allowed
+	cmnd  allowed
+
+Command allowed
+
+verifypw = any, 'sudo -v' should not require a password
+Parses OK
+
+Entries for user admin:
+
+ALL = NOPASSWD: /usr/bin/id
+	host  allowed
+	runas allowed
+	cmnd  allowed
+
+ALL = ALL
+	host  allowed
+	runas allowed
+	cmnd  allowed
+
+Command allowed
+
+verifypw = never, 'sudo -v' should not require a password
+Parses OK
+
+Entries for user admin:
+
+ALL = PASSWD: /usr/bin/id
+	host  allowed
+	runas allowed
+	cmnd  allowed
+
+Command allowed

plugins/sudoers/regress/testsudoers/test30.sh

@@ -0,0 +1,71 @@
+#!/bin/sh
+#
+# Exercise verifypw Defaults settings.
+#
+
+: ${TESTSUDOERS=testsudoers}
+
+exec 2>&1
+
+status=0
+
+echo "verifypw = all, 'sudo -v' should require a password"
+$TESTSUDOERS -p ${TESTDIR}/passwd -P ${TESTDIR}/group -v admin <<'EOF'
+Defaults verifypw = all
+admin ALL = NOPASSWD: ALL
+admin ALL = /usr/bin/id
+EOF
+
+echo ""
+echo "verifypw = all, 'sudo -v' should require a password"
+$TESTSUDOERS -p ${TESTDIR}/passwd -P ${TESTDIR}/group -v admin <<'EOF'
+Defaults verifypw = all
+admin ALL = /usr/bin/id
+admin ALL = NOPASSWD: ALL
+EOF
+
+echo ""
+echo "verifypw = all, 'sudo -v' should not require a password"
+$TESTSUDOERS -p ${TESTDIR}/passwd -P ${TESTDIR}/group -v admin <<'EOF'
+Defaults verifypw = all
+admin ALL = NOPASSWD: ALL
+admin ALL = NOPASSWD: /usr/bin/id
+EOF
+
+echo ""
+echo "verifypw = always, 'sudo -v' should require a password"
+$TESTSUDOERS -p ${TESTDIR}/passwd -P ${TESTDIR}/group -v admin <<'EOF'
+Defaults verifypw = always
+admin ALL = NOPASSWD: ALL
+EOF
+
+echo ""
+echo "verifypw = any, 'sudo -v' should require a password"
+$TESTSUDOERS -p ${TESTDIR}/passwd -P ${TESTDIR}/group -v admin <<'EOF'
+Defaults verifypw = any
+admin ALL = ALL
+admin ALL = /usr/bin/id
+EOF
+
+echo ""
+echo "verifypw = any, 'sudo -v' should not require a password"
+$TESTSUDOERS -p ${TESTDIR}/passwd -P ${TESTDIR}/group -v admin <<'EOF'
+Defaults verifypw = any
+admin ALL = ALL
+admin ALL = NOPASSWD: /usr/bin/id
+EOF
+
+echo ""
+echo "verifypw = any, 'sudo -v' should not require a password"
+$TESTSUDOERS -p ${TESTDIR}/passwd -P ${TESTDIR}/group -v admin <<'EOF'
+Defaults verifypw = any
+admin ALL = NOPASSWD: /usr/bin/id
+admin ALL = ALL
+EOF
+
+echo ""
+echo "verifypw = never, 'sudo -v' should not require a password"
+$TESTSUDOERS -p ${TESTDIR}/passwd -P ${TESTDIR}/group -v admin <<'EOF'
+Defaults verifypw = never
+admin ALL = PASSWD: /usr/bin/id
+EOF

plugins/sudoers/regress/testsudoers/test31.out.ok

@@ -0,0 +1,131 @@
+'sudo -U root -l' with no matching rules
+Parses OK
+
+Entries for user admin:
+
+Password required
+
+Command denied
+
+'sudo -U root -l' with a matching ALL=ALL rule
+Parses OK
+
+Entries for user admin:
+
+ALL = ALL
+	host  allowed
+	runas allowed
+	cmnd  allowed
+
+Password required
+
+Command allowed
+
+'sudo -U root -l' with a matching list rule
+Parses OK
+
+Entries for user admin:
+
+ALL = NOPASSWD: list
+	host  allowed
+	runas allowed
+	cmnd  allowed
+
+Command allowed
+
+'sudo -U root -l' without a matching list rule
+Parses OK
+
+Entries for user admin:
+
+ALL = (operator) list
+	host  allowed
+	runas unmatched
+
+Password required
+
+Command denied
+
+'sudo -U root -l' with a negated list rule
+Parses OK
+
+Entries for user admin:
+
+ALL = !list
+	host  allowed
+	runas allowed
+	cmnd  denied
+
+Password required
+
+Command denied
+
+'sudo -U root -l' with a list rule that is later negated
+Parses OK
+
+Entries for user admin:
+
+ALL = NOPASSWD: list, !list
+	host  allowed
+	runas allowed
+	cmnd  allowed
+	runas allowed
+	cmnd  denied
+
+Command denied
+
+'sudo -l command' with a matching command
+Parses OK
+
+Entries for user admin:
+
+ALL = /bin/ls
+	host  allowed
+	runas allowed
+	cmnd  allowed
+
+Password required
+
+Command allowed
+
+'sudo -l command' without a matching command
+Parses OK
+
+Entries for user admin:
+
+ALL = /bin/ls
+	host  allowed
+	runas allowed
+	cmnd  allowed
+
+Password required
+
+Command allowed
+
+'sudo -U root -l command' without list privileges
+Parses OK
+
+Entries for user admin:
+
+ALL = /usr/bin/id
+	host  allowed
+	runas allowed
+	cmnd  unmatched
+
+Password required
+
+Command denied
+
+'sudo -U root -l command' with list privileges
+Parses OK
+
+Entries for user admin:
+
+ALL = list
+	host  allowed
+	runas allowed
+	cmnd  allowed
+
+Password required
+
+Command allowed

plugins/sudoers/regress/testsudoers/test31.sh

@@ -0,0 +1,71 @@
+#!/bin/sh
+#
+# Exercise "sudo -U user -l [command]"
+#
+
+: ${TESTSUDOERS=testsudoers}
+
+exec 2>&1
+
+status=0
+
+echo "'sudo -U root -l' with no matching rules"
+$TESTSUDOERS -p ${TESTDIR}/passwd -P ${TESTDIR}/group -L root admin <<'EOF'
+root ALL = ALL
+EOF
+
+echo ""
+echo "'sudo -U root -l' with a matching ALL=ALL rule"
+$TESTSUDOERS -p ${TESTDIR}/passwd -P ${TESTDIR}/group -L root admin <<'EOF'
+admin ALL = ALL
+EOF
+
+echo ""
+echo "'sudo -U root -l' with a matching list rule"
+$TESTSUDOERS -p ${TESTDIR}/passwd -P ${TESTDIR}/group -L root admin <<'EOF'
+admin ALL = NOPASSWD: list
+EOF
+
+echo ""
+echo "'sudo -U root -l' without a matching list rule"
+$TESTSUDOERS -p ${TESTDIR}/passwd -P ${TESTDIR}/group -L root admin <<'EOF'
+admin ALL = (operator) list
+EOF
+
+echo ""
+echo "'sudo -U root -l' with a negated list rule"
+$TESTSUDOERS -p ${TESTDIR}/passwd -P ${TESTDIR}/group -L root admin <<'EOF'
+admin ALL = !list
+EOF
+
+echo ""
+echo "'sudo -U root -l' with a list rule that is later negated"
+$TESTSUDOERS -p ${TESTDIR}/passwd -P ${TESTDIR}/group -L root admin <<'EOF'
+admin ALL = NOPASSWD: list, !list
+EOF
+
+echo ""
+echo "'sudo -l command' with a matching command"
+$TESTSUDOERS -p ${TESTDIR}/passwd -P ${TESTDIR}/group -l admin /bin/ls <<'EOF'
+admin ALL = /bin/ls
+EOF
+
+echo ""
+echo "'sudo -l command' without a matching command"
+$TESTSUDOERS -p ${TESTDIR}/passwd -P ${TESTDIR}/group -l admin /usr/bin/id <<'EOF'
+admin ALL = /bin/ls
+EOF
+
+echo ""
+echo "'sudo -U root -l command' without list privileges"
+$TESTSUDOERS -p ${TESTDIR}/passwd -P ${TESTDIR}/group -L root admin /bin/ls <<'EOF'
+root ALL = ALL
+admin ALL = /usr/bin/id
+EOF
+
+echo ""
+echo "'sudo -U root -l command' with list privileges"
+$TESTSUDOERS -p ${TESTDIR}/passwd -P ${TESTDIR}/group -L root admin /bin/ls <<'EOF'
+root ALL = ALL
+admin ALL = list
+EOF