diff --git a/MANIFEST b/MANIFEST index 6a3afa400..8c15d0b0d 100644 --- a/MANIFEST +++ b/MANIFEST @@ -454,6 +454,11 @@ plugins/sudoers/regress/cvtsudoers/test3.out.ok plugins/sudoers/regress/cvtsudoers/test3.sh plugins/sudoers/regress/cvtsudoers/test30.out.ok plugins/sudoers/regress/cvtsudoers/test30.sh +plugins/sudoers/regress/cvtsudoers/test31.conf +plugins/sudoers/regress/cvtsudoers/test31.out.ok +plugins/sudoers/regress/cvtsudoers/test31.sh +plugins/sudoers/regress/cvtsudoers/test32.out.ok +plugins/sudoers/regress/cvtsudoers/test32.sh plugins/sudoers/regress/cvtsudoers/test4.out.ok plugins/sudoers/regress/cvtsudoers/test4.sh plugins/sudoers/regress/cvtsudoers/test5.out.ok diff --git a/doc/cvtsudoers.cat b/doc/cvtsudoers.cat index d01a7e654..61bf3a28d 100644 --- a/doc/cvtsudoers.cat +++ b/doc/cvtsudoers.cat @@ -160,6 +160,17 @@ DDEESSCCRRIIPPTTIIOONN out non-matching users, groups and hosts from matching entries. + --PP _p_a_d_d_i_n_g, ----ppaaddddiinngg=_p_a_d_d_i_n_g + When generating LDIF output, construct the initial sudoOrder + value by concatenating _o_r_d_e_r___s_t_a_r_t and _i_n_c_r_e_m_e_n_t, padding the + _i_n_c_r_e_m_e_n_t with zeros until it consists of _p_a_d_d_i_n_g digits. + For example, if _o_r_d_e_r___s_t_a_r_t is 1027, _p_a_d_d_i_n_g is 3, and + _i_n_c_r_e_m_e_n_t is 1, the value of sudoOrder for the first entry + will be 1027000, followed by 1027001, 1027002, etc. If the + number of sudoRole entries is larger than the padding would + allow, ccvvttssuuddooeerrss will exit with an error. By default, no + padding is performed. + --ss _s_e_c_t_i_o_n_s, ----ssuupppprreessss=_s_e_c_t_i_o_n_s Suppress the output of specific _s_e_c_t_i_o_n_s of the security policy. One or more section names may be specified, @@ -265,4 +276,4 @@ DDIISSCCLLAAIIMMEERR file distributed with ssuuddoo or https://www.sudo.ws/license.html for complete details. -Sudo 1.8.25 April 14, 2018 Sudo 1.8.25 +Sudo 1.8.26 October 24, 2018 Sudo 1.8.26 
diff --git a/doc/cvtsudoers.man.in b/doc/cvtsudoers.man.in index 74be920fd..e920ea93e 100644 --- a/doc/cvtsudoers.man.in +++ b/doc/cvtsudoers.man.in @@ -15,7 +15,7 @@ .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. .\" ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.TH "CVTSUDOERS" "1" "April 14, 2018" "Sudo @PACKAGE_VERSION@" "General Commands Manual" +.TH "CVTSUDOERS" "1" "October 24, 2018" "Sudo @PACKAGE_VERSION@" "General Commands Manual" .nh .if n .ad l .SH "NAME" @@ -299,6 +299,30 @@ option is also specified, will prune out non-matching users, groups and hosts from matching entries. .TP 12n +\fB\-P\fR \fIpadding\fR, \fB\--padding\fR=\fIpadding\fR +When generating LDIF output, construct the initial sudoOrder value by +concatenating +\fIorder_start\fR +and +\fIincrement\fR, +padding the +\fIincrement\fR +with zeros until it consists of +\fIpadding\fR +digits. +For example, if +\fIorder_start\fR +is 1027, +\fIpadding\fR +is 3, and +\fIincrement\fR +is 1, the value of sudoOrder for the first entry will be 1027000, +followed by 1027001, 1027002, etc. +If the number of sudoRole entries is larger than the padding would allow, +\fBcvtsudoers\fR +will exit with an error. +By default, no padding is performed. +.TP 12n \fB\-s\fR \fIsections\fR, \fB\--suppress\fR=\fIsections\fR Suppress the output of specific \fIsections\fR diff --git a/doc/cvtsudoers.mdoc.in b/doc/cvtsudoers.mdoc.in index 045c96089..de59e9d78 100644 --- a/doc/cvtsudoers.mdoc.in +++ b/doc/cvtsudoers.mdoc.in @@ -14,7 +14,7 @@ .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. .\" ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd April 14, 2018 +.Dd October 24, 2018 .Dt CVTSUDOERS 1 .Os Sudo @PACKAGE_VERSION@ .Sh NAME 
@@ -250,6 +250,29 @@ option is also specified, .Nm will prune out non-matching users, groups and hosts from matching entries. +.It Fl P Ar padding , Fl -padding Ns = Ns Ar padding +When generating LDIF output, construct the initial sudoOrder value by +concatenating +.Ar order_start +and +.Ar increment , +padding the +.Ar increment +with zeros until it consists of +.Ar padding +digits. +For example, if +.Ar order_start +is 1027, +.Ar padding +is 3, and +.Ar increment +is 1, the value of sudoOrder for the first entry will be 1027000, +followed by 1027001, 1027002, etc. +If the number of sudoRole entries is larger than the padding would allow, +.Nm +will exit with an error. +By default, no padding is performed. .It Fl s Ar sections , Fl -suppress Ns = Ns Ar sections Suppress the output of specific .Ar sections
diff --git a/plugins/sudoers/cvtsudoers.c b/plugins/sudoers/cvtsudoers.c
index 5037312b6..c856e9609 100644
--- a/plugins/sudoers/cvtsudoers.c
+++ b/plugins/sudoers/cvtsudoers.c
@@ -58,7 +58,7 @@ struct cvtsudoers_filter *filters;
 struct sudo_user sudo_user;
 struct passwd *list_pw;
 
-static const char short_opts[] = "b:c:d:ef:hi:I:m:Mo:O:ps:V";
+static const char short_opts[] = "b:c:d:ef:hi:I:m:Mo:O:pP:s:V";
 static struct option long_opts[] = {
 { "base", required_argument, NULL, 'b' },
 { "config", required_argument, NULL, 'c' },
@@ -71,6 +71,7 @@ static struct option long_opts[] = {
 { "match", required_argument, NULL, 'm' },
 { "match-local", no_argument, NULL, 'M' },
 { "prune-matches", no_argument, NULL, 'p' },
+ { "padding", required_argument, NULL, 'P' },
 { "order-start", required_argument, NULL, 'O' },
 { "output", required_argument, NULL, 'o' },
 { "suppress", required_argument, NULL, 's' },
@@ -215,6 +216,13 @@ main(int argc, char *argv[])
 case 'p':
 conf->prune_matches = true;
 break;
+ case 'P':
+ conf->order_padding = sudo_strtonum(optarg, 1, UINT_MAX, &errstr);
+ if (errstr != NULL ) {
+ sudo_warnx(U_("order padding: %s: %s"), optarg, U_(errstr));
+ usage(1);
+ }
+ break;
 case 's':
 conf->supstr = optarg;
 break;
@@ -273,6 +281,18 @@ main(int argc, char *argv[])
 usage(1);
 }
 
+ /* Apply padding to sudo_order if present. */
+ if (conf->sudo_order != 0 && conf->order_padding != 0) {
+ unsigned int multiplier = 1;
+
+ do {
+ multiplier *= 10;
+ } while (--conf->order_padding != 0);
+ conf->sudo_order *= multiplier;
+ conf->order_max = conf->sudo_order + (multiplier - 1);
+ conf->order_padding = multiplier;
+ }
+
 /* If no base DN specified, check SUDOERS_BASE. */
 if (conf->sudoers_base == NULL) {
 conf->sudoers_base = getenv("SUDOERS_BASE");
@@ -360,6 +380,7 @@ static struct cvtsudoers_config cvtsudoers_config = INITIAL_CONFIG;
 static struct cvtsudoers_conf_table cvtsudoers_conf_vars[] = {
 { "order_start", CONF_UINT, &cvtsudoers_config.sudo_order },
 { "order_increment", CONF_UINT, &cvtsudoers_config.order_increment },
+ { "order_padding", CONF_UINT, &cvtsudoers_config.order_padding },
 { "sudoers_base", CONF_STR, &cvtsudoers_config.sudoers_base },
 { "input_format", CONF_STR, &cvtsudoers_config.input_format },
 { "output_format", CONF_STR, &cvtsudoers_config.output_format },
@@ -1280,7 +1301,7 @@ usage(int fatal)
 (void) fprintf(fatal ? stderr : stdout, "usage: %s [-ehMpV] [-b dn] "
 "[-c conf_file ] [-d deftypes] [-f output_format] [-i input_format] "
 "[-I increment] [-m filter] [-o output_file] [-O start_point] "
- "[-s sections] [input_file]\n", getprogname());
+ "[-P padding] [-s sections] [input_file]\n", getprogname());
 if (fatal)
 exit(1);
 }
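Review bot: The arithmetic in the `/* Apply padding to sudo_order if present. */` block can wrap silently: the `-P` case earlier on this line accepts any value up to `UINT_MAX`, and `order_padding` read from a config file through `cvtsudoers_conf_vars` gets no range check at all, so `multiplier *= 10` overflows `unsigned int` after ten iterations (and the `do`/`while` spins for a very long time on large values), and `conf->sudo_order *= multiplier` and `conf->order_max = conf->sudo_order + (multiplier - 1)` can wrap as well. A wrapped value yields wrong sudoOrder numbers, which decide rule precedence in the LDAP policy, and can leave `order_max` below `sudo_order`, defeating the check added in cvtsudoers_ldif.c instead of failing loudly. Refuse the combination before multiplying, with checks that do not assume a 32-bit `unsigned int`; the rewritten block is below. The `-P` case would also read more cleanly with the stray space in `if (errstr != NULL )` removed, but the apply-time check is what covers the config-file path. main() continues outside both hunks.
```c
    /* Apply padding to sudo_order if present. */
    if (conf->sudo_order != 0 && conf->order_padding != 0) {
        unsigned int multiplier = 1;

        /* multiplier becomes 10^padding; refuse rather than wrap. */
        do {
            if (multiplier > UINT_MAX / 10)
                sudo_fatalx(U_("order padding too large"));
            multiplier *= 10;
        } while (--conf->order_padding != 0);
        /* start * 10^padding + (10^padding - 1) must also fit. */
        if (conf->sudo_order > (UINT_MAX - (multiplier - 1)) / multiplier)
            sudo_fatalx(U_("order start too large for padding: %u"),
                conf->sudo_order);
        conf->sudo_order *= multiplier;
        conf->order_max = conf->sudo_order + (multiplier - 1);
        conf->order_padding = multiplier;
    }
```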
@@ -1303,6 +1324,7 @@ help(void)
 " -o, --output=output_file write converted sudoers to output_file\n"
 " -O, --order-start=num starting point for first sudoOrder\n"
 " -p, --prune-matches prune non-matching users, groups and hosts\n"
+ " -P, --padding=num base padding for sudoOrder increment\n"
 " -s, --suppress=sections suppress output of certain sections\n"
 " -V, --version display version information and exit"));
 exit(0);
diff --git a/plugins/sudoers/cvtsudoers.h b/plugins/sudoers/cvtsudoers.h
index 562da5c96..b93474b91 100644
--- a/plugins/sudoers/cvtsudoers.h
+++ b/plugins/sudoers/cvtsudoers.h
@@ -43,6 +43,8 @@ enum sudoers_formats {
 struct cvtsudoers_config {
 unsigned int sudo_order;
 unsigned int order_increment;
+ unsigned int order_padding;
+ unsigned int order_max;
 short defaults;
 short suppress;
 bool expand_aliases;
@@ -57,7 +59,7 @@ struct cvtsudoers_config {
 };
 
 /* Initial config settings for above. */
-#define INITIAL_CONFIG { 1, 1, CVT_DEFAULTS_ALL, 0, false, true, false }
+#define INITIAL_CONFIG { 1, 1, 0, 0, CVT_DEFAULTS_ALL, 0, false, true, false }
 
 #define CONF_BOOL 0
 #define CONF_UINT 1
diff --git a/plugins/sudoers/cvtsudoers_ldif.c b/plugins/sudoers/cvtsudoers_ldif.c
index 53d1c29e6..4f573be16 100644
--- a/plugins/sudoers/cvtsudoers_ldif.c
+++ b/plugins/sudoers/cvtsudoers_ldif.c
@@ -587,6 +587,10 @@ print_userspec_ldif(FILE *fp, struct sudoers_parse_tree *parse_tree,
 if (conf->sudo_order != 0) {
 char numbuf[(((sizeof(conf->sudo_order) * 8) + 2) / 3) + 2];
 
+ if (conf->order_max != 0 && conf->sudo_order > conf->order_max) {
+ sudo_fatalx(U_("too many sudoers entries, maximum %u"),
+ conf->order_padding);
+ }
 (void)snprintf(numbuf, sizeof(numbuf), "%u", conf->sudo_order);
 print_attribute_ldif(fp, "sudoOrder", numbuf);
 putc('\n', fp);
diff --git a/plugins/sudoers/regress/cvtsudoers/test31.conf b/plugins/sudoers/regress/cvtsudoers/test31.conf
new file mode 100644
index 000000000..345dbfcf6
--- /dev/null
+++ b/plugins/sudoers/regress/cvtsudoers/test31.conf
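Review bot: `INITIAL_CONFIG` in the cvtsudoers.h hunk is a positional brace initializer that must now be edited in lock-step with the field order of `struct cvtsudoers_config`; the change inserts two `0`s at positions three and four and leaves it to the reader to line them up with `order_padding` and `order_max`. Designated initializers would make it self-describing and immune to field reordering, e.g. `#define INITIAL_CONFIG { .sudo_order = 1, .order_increment = 1, .defaults = CVT_DEFAULTS_ALL, .expand_aliases = false, /* remaining fields by name */ }`. The new `order_padding` field also changes meaning during the run (main() overwrites the digit count with the 10^padding multiplier), so a comment on the declaration such as `/* digits of padding as configured; 10^digits once applied in main() */` would spare the next reader a surprise when it is printed as a "maximum" in cvtsudoers_ldif.c.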
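Review bot: The new `sudo_fatalx` call in print_userspec_ldif reports `conf->order_padding` as the maximum number of entries, but by this point main() has replaced the digit count with the multiplier 10^padding, which equals the number of entries that fit only when `order_increment` is 1; with test31.conf's increment 5 and padding 2, 20 entries fit, yet the message would claim 100. Reporting the ceiling itself avoids the dependency on the increment: `sudo_fatalx(U_("too many sudoers entries, sudoOrder %u exceeds maximum %u"), conf->sudo_order, conf->order_max);`. The enclosing function begins before the hunk, so the `conf` parameter's origin is not visible here.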
@@ -0,0 +1,9 @@
+defaults = all
+expand_aliases = no
+input_format = sudoers
+order_increment = 5
+order_padding = 2
+order_start = 1000
+output_format = ldif
+sudoers_base = ou=SUDOers,dc=my-domain,dc=com
+suppress = defaults
diff --git a/plugins/sudoers/regress/cvtsudoers/test31.out.ok b/plugins/sudoers/regress/cvtsudoers/test31.out.ok
new file mode 100644
index 000000000..41ffd1bc3
--- /dev/null
+++ b/plugins/sudoers/regress/cvtsudoers/test31.out.ok
@@ -0,0 +1,24 @@
+dn: cn=ALL,ou=SUDOers,dc=my-domain,dc=com
+objectClass: top
+objectClass: sudoRole
+cn: ALL
+sudoUser: ALL
+sudoHost: ALL
+sudoRunAsUser:
+sudoOption: !authenticate
+sudoCommand: /usr/bin/id
+sudoOrder: 100000
+
+dn: cn=FULLTIMERS,ou=SUDOers,dc=my-domain,dc=com
+objectClass: top
+objectClass: sudoRole
+cn: FULLTIMERS
+sudoUser: user1
+sudoUser: user2
+sudoUser: user3
+sudoHost: ALL
+sudoRunAsUser: ALL
+sudoRunAsGroup: ALL
+sudoCommand: ALL
+sudoOrder: 100005
+
diff --git a/plugins/sudoers/regress/cvtsudoers/test31.sh b/plugins/sudoers/regress/cvtsudoers/test31.sh
new file mode 100644
index 000000000..ad6537c14
--- /dev/null
+++ b/plugins/sudoers/regress/cvtsudoers/test31.sh
@@ -0,0 +1,13 @@
+#!/bin/sh
+#
+# Test cvtsudoers.conf with padding
+#
+
+exec 2>&1
+./cvtsudoers -c $TESTDIR/test31.conf <&1 +./cvtsudoers -c "" -b "ou=SUDOers,dc=my-domain,dc=com" -O 1000 -P 1 <