mirror of https://github.com/sudo-project/sudo.git synced 2025-08-22 09:57:41 +00:00

Add padding option to cvtsudoers.

Bug #856
This commit is contained in:
Todd C. Miller 2018-10-25 08:40:25 -06:00
parent 78d35de935
commit 1b035b5426
12 changed files with 284 additions and 6 deletions


@ -454,6 +454,11 @@ plugins/sudoers/regress/cvtsudoers/test3.out.ok
plugins/sudoers/regress/cvtsudoers/test3.sh plugins/sudoers/regress/cvtsudoers/test3.sh
plugins/sudoers/regress/cvtsudoers/test30.out.ok plugins/sudoers/regress/cvtsudoers/test30.out.ok
plugins/sudoers/regress/cvtsudoers/test30.sh plugins/sudoers/regress/cvtsudoers/test30.sh
plugins/sudoers/regress/cvtsudoers/test31.conf
plugins/sudoers/regress/cvtsudoers/test31.out.ok
plugins/sudoers/regress/cvtsudoers/test31.sh
plugins/sudoers/regress/cvtsudoers/test32.out.ok
plugins/sudoers/regress/cvtsudoers/test32.sh
plugins/sudoers/regress/cvtsudoers/test4.out.ok plugins/sudoers/regress/cvtsudoers/test4.out.ok
plugins/sudoers/regress/cvtsudoers/test4.sh plugins/sudoers/regress/cvtsudoers/test4.sh
plugins/sudoers/regress/cvtsudoers/test5.out.ok plugins/sudoers/regress/cvtsudoers/test5.out.ok


@ -160,6 +160,17 @@ DDEESSCCRRIIPPTTIIOONN
out non-matching users, groups and hosts from matching out non-matching users, groups and hosts from matching
entries. entries.
--PP _p_a_d_d_i_n_g, ----ppaaddddiinngg=_p_a_d_d_i_n_g
When generating LDIF output, construct the initial sudoOrder
value by concatenating _o_r_d_e_r___s_t_a_r_t and _i_n_c_r_e_m_e_n_t, padding the
_i_n_c_r_e_m_e_n_t with zeros until it consists of _p_a_d_d_i_n_g digits.
For example, if _o_r_d_e_r___s_t_a_r_t is 1027, _p_a_d_d_i_n_g is 3, and
_i_n_c_r_e_m_e_n_t is 1, the value of sudoOrder for the first entry
will be 1027000, followed by 1027001, 1027002, etc. If the
number of sudoRole entries is larger than the padding would
allow, ccvvttssuuddooeerrss will exit with an error. By default, no
padding is performed.
--ss _s_e_c_t_i_o_n_s, ----ssuupppprreessss=_s_e_c_t_i_o_n_s --ss _s_e_c_t_i_o_n_s, ----ssuupppprreessss=_s_e_c_t_i_o_n_s
Suppress the output of specific _s_e_c_t_i_o_n_s of the security Suppress the output of specific _s_e_c_t_i_o_n_s of the security
policy. One or more section names may be specified, policy. One or more section names may be specified,
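Review bot: the wording "concatenating order_start and increment, padding the increment with zeros" in the new -P paragraph describes the suffix inaccurately; what is appended is the running offset from order_start (0, increment, 2×increment, ...), as test31.out.ok in this same commit shows with order_increment = 5 and order_padding = 2 yielding 100000 then 100005. Suggest "padding the offset from order_start (a multiple of increment) with zeros until it consists of padding digits", and applying the same change to the identical text in the cvtsudoers.man.in and cvtsudoers.mdoc.in hunks.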
@ -265,4 +276,4 @@ DDIISSCCLLAAIIMMEERR
file distributed with ssuuddoo or https://www.sudo.ws/license.html for file distributed with ssuuddoo or https://www.sudo.ws/license.html for
complete details. complete details.
Sudo 1.8.25 April 14, 2018 Sudo 1.8.25 Sudo 1.8.26 October 24, 2018 Sudo 1.8.26


@ -15,7 +15,7 @@
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
.\" ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\" .\"
.TH "CVTSUDOERS" "1" "April 14, 2018" "Sudo @PACKAGE_VERSION@" "General Commands Manual" .TH "CVTSUDOERS" "1" "October 24, 2018" "Sudo @PACKAGE_VERSION@" "General Commands Manual"
.nh .nh
.if n .ad l .if n .ad l
.SH "NAME" .SH "NAME"
@ -299,6 +299,30 @@ option is also specified,
will prune out non-matching users, groups and hosts from will prune out non-matching users, groups and hosts from
matching entries. matching entries.
.TP 12n .TP 12n
\fB\-P\fR \fIpadding\fR, \fB\--padding\fR=\fIpadding\fR
When generating LDIF output, construct the initial sudoOrder value by
concatenating
\fIorder_start\fR
and
\fIincrement\fR,
padding the
\fIincrement\fR
with zeros until it consists of
\fIpadding\fR
digits.
For example, if
\fIorder_start\fR
is 1027,
\fIpadding\fR
is 3, and
\fIincrement\fR
is 1, the value of sudoOrder for the first entry will be 1027000,
followed by 1027001, 1027002, etc.
If the number of sudoRole entries is larger than the padding would allow,
\fBcvtsudoers\fR
will exit with an error.
By default, no padding is performed.
.TP 12n
\fB\-s\fR \fIsections\fR, \fB\--suppress\fR=\fIsections\fR \fB\-s\fR \fIsections\fR, \fB\--suppress\fR=\fIsections\fR
Suppress the output of specific Suppress the output of specific
\fIsections\fR \fIsections\fR


@ -14,7 +14,7 @@
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
.\" ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\" .\"
.Dd April 14, 2018 .Dd October 24, 2018
.Dt CVTSUDOERS 1 .Dt CVTSUDOERS 1
.Os Sudo @PACKAGE_VERSION@ .Os Sudo @PACKAGE_VERSION@
.Sh NAME .Sh NAME
@ -250,6 +250,29 @@ option is also specified,
.Nm .Nm
will prune out non-matching users, groups and hosts from will prune out non-matching users, groups and hosts from
matching entries. matching entries.
.It Fl P Ar padding , Fl -padding Ns = Ns Ar padding
When generating LDIF output, construct the initial sudoOrder value by
concatenating
.Ar order_start
and
.Ar increment ,
padding the
.Ar increment
with zeros until it consists of
.Ar padding
digits.
For example, if
.Ar order_start
is 1027,
.Ar padding
is 3, and
.Ar increment
is 1, the value of sudoOrder for the first entry will be 1027000,
followed by 1027001, 1027002, etc.
If the number of sudoRole entries is larger than the padding would allow,
.Nm
will exit with an error.
By default, no padding is performed.
.It Fl s Ar sections , Fl -suppress Ns = Ns Ar sections .It Fl s Ar sections , Fl -suppress Ns = Ns Ar sections
Suppress the output of specific Suppress the output of specific
.Ar sections .Ar sections


@ -58,7 +58,7 @@
struct cvtsudoers_filter *filters; struct cvtsudoers_filter *filters;
struct sudo_user sudo_user; struct sudo_user sudo_user;
struct passwd *list_pw; struct passwd *list_pw;
static const char short_opts[] = "b:c:d:ef:hi:I:m:Mo:O:ps:V"; static const char short_opts[] = "b:c:d:ef:hi:I:m:Mo:O:pP:s:V";
static struct option long_opts[] = { static struct option long_opts[] = {
{ "base", required_argument, NULL, 'b' }, { "base", required_argument, NULL, 'b' },
{ "config", required_argument, NULL, 'c' }, { "config", required_argument, NULL, 'c' },
@ -71,6 +71,7 @@ static struct option long_opts[] = {
{ "match", required_argument, NULL, 'm' }, { "match", required_argument, NULL, 'm' },
{ "match-local", no_argument, NULL, 'M' }, { "match-local", no_argument, NULL, 'M' },
{ "prune-matches", no_argument, NULL, 'p' }, { "prune-matches", no_argument, NULL, 'p' },
{ "padding", required_argument, NULL, 'P' },
{ "order-start", required_argument, NULL, 'O' }, { "order-start", required_argument, NULL, 'O' },
{ "output", required_argument, NULL, 'o' }, { "output", required_argument, NULL, 'o' },
{ "suppress", required_argument, NULL, 's' }, { "suppress", required_argument, NULL, 's' },
@ -215,6 +216,13 @@ main(int argc, char *argv[])
case 'p': case 'p':
conf->prune_matches = true; conf->prune_matches = true;
break; break;
case 'P':
conf->order_padding = sudo_strtonum(optarg, 1, UINT_MAX, &errstr);
if (errstr != NULL ) {
sudo_warnx(U_("order padding: %s: %s"), optarg, U_(errstr));
usage(1);
}
break;
case 's': case 's':
conf->supstr = optarg; conf->supstr = optarg;
break; break;
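Review bot: the range passed to sudo_strtonum() in the new case 'P' is too permissive: a padding of up to UINT_MAX is accepted, but the multiplier loop that consumes it later in this file (`multiplier *= 10` repeated order_padding times in an unsigned int) wraps silently once 10^padding exceeds UINT_MAX, which happens at padding 10 for a 32-bit unsigned int. Suggest bounding the argument here, e.g. `sudo_strtonum(optarg, 1, 9, &errstr)` or a limit derived from sizeof(unsigned int), so the user gets "order padding: ... : value too large" instead of a wrapped sudoOrder. Style: stray space in `if (errstr != NULL ) {`.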
@ -273,6 +281,18 @@ main(int argc, char *argv[])
usage(1); usage(1);
} }
/* Apply padding to sudo_order if present. */
if (conf->sudo_order != 0 && conf->order_padding != 0) {
unsigned int multiplier = 1;
do {
multiplier *= 10;
} while (--conf->order_padding != 0);
conf->sudo_order *= multiplier;
conf->order_max = conf->sudo_order + (multiplier - 1);
conf->order_padding = multiplier;
}
/* If no base DN specified, check SUDOERS_BASE. */ /* If no base DN specified, check SUDOERS_BASE. */
if (conf->sudoers_base == NULL) { if (conf->sudoers_base == NULL) {
conf->sudoers_base = getenv("SUDOERS_BASE"); conf->sudoers_base = getenv("SUDOERS_BASE");
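Review bot: the padding block has no overflow checks on either multiplication: `conf->sudo_order *= multiplier` overflows for modest combinations (order_start 1027 with padding 7 is 10,270,000,000, beyond a 32-bit unsigned int), and `conf->sudo_order + (multiplier - 1)` can wrap too, leaving order_max smaller than sudo_order so the later "too many sudoers entries" check fires on the very first entry. Suggest checking `conf->sudo_order > UINT_MAX / multiplier` (and the addition) and failing with a clear message. Also, reusing `conf->order_padding` to hold the multiplier after the loop makes a field named "padding" carry a value that is neither the digit count nor an entry count; a separate `order_multiplier` member, or a local that is stored once, would read better and would not mislead the error message that prints it.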
@ -360,6 +380,7 @@ static struct cvtsudoers_config cvtsudoers_config = INITIAL_CONFIG;
static struct cvtsudoers_conf_table cvtsudoers_conf_vars[] = { static struct cvtsudoers_conf_table cvtsudoers_conf_vars[] = {
{ "order_start", CONF_UINT, &cvtsudoers_config.sudo_order }, { "order_start", CONF_UINT, &cvtsudoers_config.sudo_order },
{ "order_increment", CONF_UINT, &cvtsudoers_config.order_increment }, { "order_increment", CONF_UINT, &cvtsudoers_config.order_increment },
{ "order_padding", CONF_UINT, &cvtsudoers_config.order_padding },
{ "sudoers_base", CONF_STR, &cvtsudoers_config.sudoers_base }, { "sudoers_base", CONF_STR, &cvtsudoers_config.sudoers_base },
{ "input_format", CONF_STR, &cvtsudoers_config.input_format }, { "input_format", CONF_STR, &cvtsudoers_config.input_format },
{ "output_format", CONF_STR, &cvtsudoers_config.output_format }, { "output_format", CONF_STR, &cvtsudoers_config.output_format },
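Review bot: the new `order_padding` keyword in cvtsudoers_conf_vars is undocumented: none of the 12 files in this commit touches the cvtsudoers.conf manual, only the cvtsudoers(1) pages describing the -P option. Since test31.conf relies on the keyword, the config-file documentation should gain an `order_padding` entry mirroring the -P text.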
@ -1280,7 +1301,7 @@ usage(int fatal)
(void) fprintf(fatal ? stderr : stdout, "usage: %s [-ehMpV] [-b dn] " (void) fprintf(fatal ? stderr : stdout, "usage: %s [-ehMpV] [-b dn] "
"[-c conf_file ] [-d deftypes] [-f output_format] [-i input_format] " "[-c conf_file ] [-d deftypes] [-f output_format] [-i input_format] "
"[-I increment] [-m filter] [-o output_file] [-O start_point] " "[-I increment] [-m filter] [-o output_file] [-O start_point] "
"[-s sections] [input_file]\n", getprogname()); "[-P padding] [-s sections] [input_file]\n", getprogname());
if (fatal) if (fatal)
exit(1); exit(1);
} }
@ -1303,6 +1324,7 @@ help(void)
" -o, --output=output_file write converted sudoers to output_file\n" " -o, --output=output_file write converted sudoers to output_file\n"
" -O, --order-start=num starting point for first sudoOrder\n" " -O, --order-start=num starting point for first sudoOrder\n"
" -p, --prune-matches prune non-matching users, groups and hosts\n" " -p, --prune-matches prune non-matching users, groups and hosts\n"
" -P, --padding=num base padding for sudoOrder increment\n"
" -s, --suppress=sections suppress output of certain sections\n" " -s, --suppress=sections suppress output of certain sections\n"
" -V, --version display version information and exit")); " -V, --version display version information and exit"));
exit(0); exit(0);
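Review bot: the help line "base padding for sudoOrder increment" is hard to parse next to the other entries; the option takes a digit count, so something like "number of digits reserved for the sudoOrder increment" would match the man page wording and the `num` placeholder.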


@ -43,6 +43,8 @@ enum sudoers_formats {
struct cvtsudoers_config { struct cvtsudoers_config {
unsigned int sudo_order; unsigned int sudo_order;
unsigned int order_increment; unsigned int order_increment;
unsigned int order_padding;
unsigned int order_max;
short defaults; short defaults;
short suppress; short suppress;
bool expand_aliases; bool expand_aliases;
@ -57,7 +59,7 @@ struct cvtsudoers_config {
}; };
/* Initial config settings for above. */ /* Initial config settings for above. */
#define INITIAL_CONFIG { 1, 1, CVT_DEFAULTS_ALL, 0, false, true, false } #define INITIAL_CONFIG { 1, 1, 0, 0, CVT_DEFAULTS_ALL, 0, false, true, false }
#define CONF_BOOL 0 #define CONF_BOOL 0
#define CONF_UINT 1 #define CONF_UINT 1


@ -587,6 +587,10 @@ print_userspec_ldif(FILE *fp, struct sudoers_parse_tree *parse_tree,
if (conf->sudo_order != 0) { if (conf->sudo_order != 0) {
char numbuf[(((sizeof(conf->sudo_order) * 8) + 2) / 3) + 2]; char numbuf[(((sizeof(conf->sudo_order) * 8) + 2) / 3) + 2];
if (conf->order_max != 0 && conf->sudo_order > conf->order_max) {
sudo_fatalx(U_("too many sudoers entries, maximum %u"),
conf->order_padding);
}
(void)snprintf(numbuf, sizeof(numbuf), "%u", conf->sudo_order); (void)snprintf(numbuf, sizeof(numbuf), "%u", conf->sudo_order);
print_attribute_ldif(fp, "sudoOrder", numbuf); print_attribute_ldif(fp, "sudoOrder", numbuf);
putc('\n', fp); putc('\n', fp);
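Review bot: the "too many sudoers entries, maximum %u" message prints `conf->order_padding`, which after main() holds the multiplier (10^padding), and that equals the number of entries that fit only when order_increment is 1. With test31.conf's order_increment = 5 and order_padding = 2 the check (correctly) fails after 20 entries but the message would claim a maximum of 100. Suggest reporting `(conf->order_max - start + 1) / conf->order_increment`, or simply the sudoOrder range that was exceeded, so the operator can size the padding correctly.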


@ -0,0 +1,9 @@
defaults = all
expand_aliases = no
input_format = sudoers
order_increment = 5
order_padding = 2
order_start = 1000
output_format = ldif
sudoers_base = ou=SUDOers,dc=my-domain,dc=com
suppress = defaults


@ -0,0 +1,24 @@
dn: cn=ALL,ou=SUDOers,dc=my-domain,dc=com
objectClass: top
objectClass: sudoRole
cn: ALL
sudoUser: ALL
sudoHost: ALL
sudoRunAsUser:
sudoOption: !authenticate
sudoCommand: /usr/bin/id
sudoOrder: 100000
dn: cn=FULLTIMERS,ou=SUDOers,dc=my-domain,dc=com
objectClass: top
objectClass: sudoRole
cn: FULLTIMERS
sudoUser: user1
sudoUser: user2
sudoUser: user3
sudoHost: ALL
sudoRunAsUser: ALL
sudoRunAsGroup: ALL
sudoCommand: ALL
sudoOrder: 100005


@ -0,0 +1,13 @@
#!/bin/sh
#
# Test cvtsudoers.conf with padding
#
exec 2>&1
./cvtsudoers -c $TESTDIR/test31.conf <<EOF
Defaults authenticate, timestamp_timeout=0
User_Alias FULLTIMERS = user1, user2, user3
ALL ALL = (:) NOPASSWD:/usr/bin/id
FULLTIMERS ALL = (ALL:ALL) ALL
EOF


@ -0,0 +1,120 @@
cvtsudoers: too many sudoers entries, maximum 10
dn: cn=user0,ou=SUDOers,dc=my-domain,dc=com
objectClass: top
objectClass: sudoRole
cn: user0
sudoUser: user0
sudoHost: ALL
sudoRunAsUser: ALL
sudoRunAsGroup: ALL
sudoCommand: ALL
sudoOrder: 10000
dn: cn=user1,ou=SUDOers,dc=my-domain,dc=com
objectClass: top
objectClass: sudoRole
cn: user1
sudoUser: user1
sudoHost: ALL
sudoRunAsUser: ALL
sudoRunAsGroup: ALL
sudoCommand: ALL
sudoOrder: 10001
dn: cn=user2,ou=SUDOers,dc=my-domain,dc=com
objectClass: top
objectClass: sudoRole
cn: user2
sudoUser: user2
sudoHost: ALL
sudoRunAsUser: ALL
sudoRunAsGroup: ALL
sudoCommand: ALL
sudoOrder: 10002
dn: cn=user3,ou=SUDOers,dc=my-domain,dc=com
objectClass: top
objectClass: sudoRole
cn: user3
sudoUser: user3
sudoHost: ALL
sudoRunAsUser: ALL
sudoRunAsGroup: ALL
sudoCommand: ALL
sudoOrder: 10003
dn: cn=user4,ou=SUDOers,dc=my-domain,dc=com
objectClass: top
objectClass: sudoRole
cn: user4
sudoUser: user4
sudoHost: ALL
sudoRunAsUser: ALL
sudoRunAsGroup: ALL
sudoCommand: ALL
sudoOrder: 10004
dn: cn=user5,ou=SUDOers,dc=my-domain,dc=com
objectClass: top
objectClass: sudoRole
cn: user5
sudoUser: user5
sudoHost: ALL
sudoRunAsUser: ALL
sudoRunAsGroup: ALL
sudoCommand: ALL
sudoOrder: 10005
dn: cn=user6,ou=SUDOers,dc=my-domain,dc=com
objectClass: top
objectClass: sudoRole
cn: user6
sudoUser: user6
sudoHost: ALL
sudoRunAsUser: ALL
sudoRunAsGroup: ALL
sudoCommand: ALL
sudoOrder: 10006
dn: cn=user7,ou=SUDOers,dc=my-domain,dc=com
objectClass: top
objectClass: sudoRole
cn: user7
sudoUser: user7
sudoHost: ALL
sudoRunAsUser: ALL
sudoRunAsGroup: ALL
sudoCommand: ALL
sudoOrder: 10007
dn: cn=user8,ou=SUDOers,dc=my-domain,dc=com
objectClass: top
objectClass: sudoRole
cn: user8
sudoUser: user8
sudoHost: ALL
sudoRunAsUser: ALL
sudoRunAsGroup: ALL
sudoCommand: ALL
sudoOrder: 10008
dn: cn=user9,ou=SUDOers,dc=my-domain,dc=com
objectClass: top
objectClass: sudoRole
cn: user9
sudoUser: user9
sudoHost: ALL
sudoRunAsUser: ALL
sudoRunAsGroup: ALL
sudoCommand: ALL
sudoOrder: 10009
dn: cn=user10,ou=SUDOers,dc=my-domain,dc=com
objectClass: top
objectClass: sudoRole
cn: user10
sudoUser: user10
sudoHost: ALL
sudoRunAsUser: ALL
sudoRunAsGroup: ALL
sudoCommand: ALL
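Review bot: this expected output shows two things worth fixing in the code rather than baking into the test: the final user10 record is emitted without its sudoOrder attribute, because sudo_fatalx() fires only when the sudoOrder line is about to be written and everything before it has already gone to the output, so a real run leaves a truncated, invalid LDIF behind; and the error line appears before all of the LDIF presumably because stderr is unbuffered while stdout is flushed at exit under `exec 2>&1`, which makes the .out.ok depend on stdio buffering. Suggest counting the sudoRole entries against order_max before any output is written (the parse tree is already available at that point), so the failure happens with nothing emitted, and the test then only needs to assert the error line.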


@ -0,0 +1,21 @@
#!/bin/sh
#
# Test cvtsudoers.conf with invalid padding
#
exec 2>&1
./cvtsudoers -c "" -b "ou=SUDOers,dc=my-domain,dc=com" -O 1000 -P 1 <<EOF
user0 ALL = (ALL:ALL) ALL
user1 ALL = (ALL:ALL) ALL
user2 ALL = (ALL:ALL) ALL
user3 ALL = (ALL:ALL) ALL
user4 ALL = (ALL:ALL) ALL
user5 ALL = (ALL:ALL) ALL
user6 ALL = (ALL:ALL) ALL
user7 ALL = (ALL:ALL) ALL
user8 ALL = (ALL:ALL) ALL
user9 ALL = (ALL:ALL) ALL
user10 ALL = (ALL:ALL) ALL
EOF
exit 0