Add padding option to cvtsudoers.

Bug #856
2025-08-22 01:49:11 +00:00 · 2018-10-25 08:40:25 -06:00 · 2018-10-25 08:40:25 -06:00 · 1b035b5426
commit 1b035b5426
parent 78d35de935
12 changed files with 284 additions and 6 deletions
--- a/5
+++ b/5
@ -454,6 +454,11 @@ plugins/sudoers/regress/cvtsudoers/test3.out.ok
 plugins/sudoers/regress/cvtsudoers/test3.sh
 plugins/sudoers/regress/cvtsudoers/test30.out.ok
 plugins/sudoers/regress/cvtsudoers/test30.sh
+plugins/sudoers/regress/cvtsudoers/test31.conf
+plugins/sudoers/regress/cvtsudoers/test31.out.ok
+plugins/sudoers/regress/cvtsudoers/test31.sh
+plugins/sudoers/regress/cvtsudoers/test32.out.ok
+plugins/sudoers/regress/cvtsudoers/test32.sh
 plugins/sudoers/regress/cvtsudoers/test4.out.ok
 plugins/sudoers/regress/cvtsudoers/test4.sh
 plugins/sudoers/regress/cvtsudoers/test5.out.ok
--- a/doc/cvtsudoers.cat
+++ b/doc/cvtsudoers.cat
@ -160,6 +160,17 @@ DDEESSCCRRIIPPTTIIOONN
                 out non-matching users, groups and hosts from matching
                 entries.

+     --PP _p_a_d_d_i_n_g, ----ppaaddddiinngg=_p_a_d_d_i_n_g
+                 When generating LDIF output, construct the initial sudoOrder
+                 value by concatenating _o_r_d_e_r___s_t_a_r_t and _i_n_c_r_e_m_e_n_t, padding the
+                 _i_n_c_r_e_m_e_n_t with zeros until it consists of _p_a_d_d_i_n_g digits.
+                 For example, if _o_r_d_e_r___s_t_a_r_t is 1027, _p_a_d_d_i_n_g is 3, and
+                 _i_n_c_r_e_m_e_n_t is 1, the value of sudoOrder for the first entry
+                 will be 1027000, followed by 1027001, 1027002, etc.  If the
+                 number of sudoRole entries is larger than the padding would
+                 allow, ccvvttssuuddooeerrss will exit with an error.  By default, no
+                 padding is performed.
+
     --ss _s_e_c_t_i_o_n_s, ----ssuupppprreessss=_s_e_c_t_i_o_n_s
                 Suppress the output of specific _s_e_c_t_i_o_n_s of the security
                 policy.  One or more section names may be specified,
@ -265,4 +276,4 @@ DDIISSCCLLAAIIMMEERR
     file distributed with ssuuddoo or https://www.sudo.ws/license.html for
     complete details.

-Sudo 1.8.25                     April 14, 2018                     Sudo 1.8.25
+Sudo 1.8.26                    October 24, 2018                    Sudo 1.8.26
--- a/doc/cvtsudoers.man.in
+++ b/doc/cvtsudoers.man.in
@ -15,7 +15,7 @@
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\" ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.TH "CVTSUDOERS" "1" "April 14, 2018" "Sudo @PACKAGE_VERSION@" "General Commands Manual"
+.TH "CVTSUDOERS" "1" "October 24, 2018" "Sudo @PACKAGE_VERSION@" "General Commands Manual"
 .nh
 .if n .ad l
 .SH "NAME"
@ -299,6 +299,30 @@ option is also specified,
 will prune out non-matching users, groups and hosts from
 matching entries.
 .TP 12n
+\fB\-P\fR \fIpadding\fR, \fB\--padding\fR=\fIpadding\fR
+When generating LDIF output, construct the initial sudoOrder value by
+concatenating
+\fIorder_start\fR
+and
+\fIincrement\fR,
+padding the
+\fIincrement\fR
+with zeros until it consists of
+\fIpadding\fR
+digits.
+For example, if
+\fIorder_start\fR
+is 1027,
+\fIpadding\fR
+is 3, and
+\fIincrement\fR
+is 1, the value of sudoOrder for the first entry will be 1027000,
+followed by 1027001, 1027002, etc.
+If the number of sudoRole entries is larger than the padding would allow,
+\fBcvtsudoers\fR
+will exit with an error.
+By default, no padding is performed.
+.TP 12n
 \fB\-s\fR \fIsections\fR, \fB\--suppress\fR=\fIsections\fR
 Suppress the output of specific
 \fIsections\fR
--- a/doc/cvtsudoers.mdoc.in
+++ b/doc/cvtsudoers.mdoc.in
@ -14,7 +14,7 @@
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\" ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd April 14, 2018
+.Dd October 24, 2018
 .Dt CVTSUDOERS 1
 .Os Sudo @PACKAGE_VERSION@
 .Sh NAME
@ -250,6 +250,29 @@ option is also specified,
 .Nm
 will prune out non-matching users, groups and hosts from
 matching entries.
+.It Fl P Ar padding , Fl -padding Ns = Ns Ar padding
+When generating LDIF output, construct the initial sudoOrder value by
+concatenating
+.Ar order_start
+and
+.Ar increment ,
+padding the
+.Ar increment
+with zeros until it consists of
+.Ar padding
+digits.
+For example, if
+.Ar order_start
+is 1027,
+.Ar padding
+is 3, and
+.Ar increment
+is 1, the value of sudoOrder for the first entry will be 1027000,
+followed by 1027001, 1027002, etc.
+If the number of sudoRole entries is larger than the padding would allow,
+.Nm
+will exit with an error.
+By default, no padding is performed.
 .It Fl s Ar sections , Fl -suppress Ns = Ns Ar sections
 Suppress the output of specific
 .Ar sections
--- a/plugins/sudoers/cvtsudoers.c
+++ b/plugins/sudoers/cvtsudoers.c
@ -58,7 +58,7 @@
 struct cvtsudoers_filter *filters;
 struct sudo_user sudo_user;
 struct passwd *list_pw;
-static const char short_opts[] =  "b:c:d:ef:hi:I:m:Mo:O:ps:V";
+static const char short_opts[] =  "b:c:d:ef:hi:I:m:Mo:O:pP:s:V";
 static struct option long_opts[] = {
    { "base",		required_argument,	NULL,	'b' },
    { "config",		required_argument,	NULL,	'c' },
@ -71,6 +71,7 @@ static struct option long_opts[] = {
    { "match",		required_argument,	NULL,	'm' },
    { "match-local",	no_argument,		NULL,	'M' },
    { "prune-matches",	no_argument,		NULL,	'p' },
+    { "padding",	required_argument,	NULL,	'P' },
    { "order-start",	required_argument,	NULL,	'O' },
    { "output",		required_argument,	NULL,	'o' },
    { "suppress",	required_argument,	NULL,	's' },
@ -215,6 +216,13 @@ main(int argc, char *argv[])
 	case 'p':
 	    conf->prune_matches = true;
 	    break;
+	case 'P':
+	    conf->order_padding = sudo_strtonum(optarg, 1, UINT_MAX, &errstr);
+	    if (errstr != NULL ) {
+		sudo_warnx(U_("order padding: %s: %s"), optarg, U_(errstr));
+		usage(1);
+	    }
+	    break;
 	case 's':
 	    conf->supstr = optarg;
 	    break;
@ -273,6 +281,18 @@ main(int argc, char *argv[])
 	    usage(1);
    }

+    /* Apply padding to sudo_order if present. */
+    if (conf->sudo_order != 0 && conf->order_padding != 0) {
+	unsigned int multiplier = 1;
+
+	do {
+	    multiplier *= 10;
+	} while (--conf->order_padding != 0);
+	conf->sudo_order *= multiplier;
+	conf->order_max = conf->sudo_order + (multiplier - 1);
+	conf->order_padding = multiplier;
+    }
+
    /* If no base DN specified, check SUDOERS_BASE. */
    if (conf->sudoers_base == NULL) {
 	conf->sudoers_base = getenv("SUDOERS_BASE");
@ -360,6 +380,7 @@ static struct cvtsudoers_config cvtsudoers_config = INITIAL_CONFIG;
 static struct cvtsudoers_conf_table cvtsudoers_conf_vars[] = {
    { "order_start", CONF_UINT, &cvtsudoers_config.sudo_order },
    { "order_increment", CONF_UINT, &cvtsudoers_config.order_increment },
+    { "order_padding", CONF_UINT, &cvtsudoers_config.order_padding },
    { "sudoers_base", CONF_STR, &cvtsudoers_config.sudoers_base },
    { "input_format", CONF_STR, &cvtsudoers_config.input_format },
    { "output_format", CONF_STR, &cvtsudoers_config.output_format },
@ -1280,7 +1301,7 @@ usage(int fatal)
    (void) fprintf(fatal ? stderr : stdout, "usage: %s [-ehMpV] [-b dn] "
 	"[-c conf_file ] [-d deftypes] [-f output_format] [-i input_format] "
 	"[-I increment] [-m filter] [-o output_file] [-O start_point] "
-	"[-s sections] [input_file]\n", getprogname());
+	"[-P padding] [-s sections] [input_file]\n", getprogname());
    if (fatal)
 	exit(1);
 }
@ -1303,6 +1324,7 @@ help(void)
 	"  -o, --output=output_file   write converted sudoers to output_file\n"
 	"  -O, --order-start=num      starting point for first sudoOrder\n"
 	"  -p, --prune-matches        prune non-matching users, groups and hosts\n"
+	"  -P, --padding=num          base padding for sudoOrder increment\n"
 	"  -s, --suppress=sections    suppress output of certain sections\n"
 	"  -V, --version              display version information and exit"));
    exit(0);
--- a/plugins/sudoers/cvtsudoers.h
+++ b/plugins/sudoers/cvtsudoers.h
@ -43,6 +43,8 @@ enum sudoers_formats {
 struct cvtsudoers_config {
    unsigned int sudo_order;
    unsigned int order_increment;
+    unsigned int order_padding;
+    unsigned int order_max;
    short defaults;
    short suppress;
    bool expand_aliases;
@ -57,7 +59,7 @@ struct cvtsudoers_config {
 };

 /* Initial config settings for above. */
-#define INITIAL_CONFIG { 1, 1, CVT_DEFAULTS_ALL, 0, false, true, false }
+#define INITIAL_CONFIG { 1, 1, 0, 0, CVT_DEFAULTS_ALL, 0, false, true, false }

 #define CONF_BOOL	0
 #define CONF_UINT	1
--- a/plugins/sudoers/cvtsudoers_ldif.c
+++ b/plugins/sudoers/cvtsudoers_ldif.c
@ -587,6 +587,10 @@ print_userspec_ldif(FILE *fp, struct sudoers_parse_tree *parse_tree,

 	    if (conf->sudo_order != 0) {
 		char numbuf[(((sizeof(conf->sudo_order) * 8) + 2) / 3) + 2];
+		if (conf->order_max != 0 && conf->sudo_order > conf->order_max) {
+		    sudo_fatalx(U_("too many sudoers entries, maximum %u"),
+			conf->order_padding);
+		}
 		(void)snprintf(numbuf, sizeof(numbuf), "%u", conf->sudo_order);
 		print_attribute_ldif(fp, "sudoOrder", numbuf);
 		putc('\n', fp);
--- a/plugins/sudoers/regress/cvtsudoers/test31.conf
+++ b/plugins/sudoers/regress/cvtsudoers/test31.conf
@ -0,0 +1,9 @@
+defaults = all
+expand_aliases = no
+input_format = sudoers
+order_increment = 5
+order_padding = 2
+order_start = 1000
+output_format = ldif                                     
+sudoers_base = ou=SUDOers,dc=my-domain,dc=com
+suppress = defaults
--- a/plugins/sudoers/regress/cvtsudoers/test31.out.ok
+++ b/plugins/sudoers/regress/cvtsudoers/test31.out.ok
@ -0,0 +1,24 @@
+dn: cn=ALL,ou=SUDOers,dc=my-domain,dc=com
+objectClass: top
+objectClass: sudoRole
+cn: ALL
+sudoUser: ALL
+sudoHost: ALL
+sudoRunAsUser:
+sudoOption: !authenticate
+sudoCommand: /usr/bin/id
+sudoOrder: 100000
+
+dn: cn=FULLTIMERS,ou=SUDOers,dc=my-domain,dc=com
+objectClass: top
+objectClass: sudoRole
+cn: FULLTIMERS
+sudoUser: user1
+sudoUser: user2
+sudoUser: user3
+sudoHost: ALL
+sudoRunAsUser: ALL
+sudoRunAsGroup: ALL
+sudoCommand: ALL
+sudoOrder: 100005
+
--- a/plugins/sudoers/regress/cvtsudoers/test31.sh
+++ b/plugins/sudoers/regress/cvtsudoers/test31.sh
@ -0,0 +1,13 @@
+#!/bin/sh
+#
+# Test cvtsudoers.conf with padding
+#
+
+exec 2>&1
+./cvtsudoers -c $TESTDIR/test31.conf <<EOF
+Defaults authenticate, timestamp_timeout=0
+User_Alias FULLTIMERS = user1, user2, user3
+
+ALL ALL = (:) NOPASSWD:/usr/bin/id
+FULLTIMERS ALL = (ALL:ALL) ALL
+EOF
--- a/plugins/sudoers/regress/cvtsudoers/test32.out.ok
+++ b/plugins/sudoers/regress/cvtsudoers/test32.out.ok
@ -0,0 +1,120 @@
+cvtsudoers: too many sudoers entries, maximum 10
+dn: cn=user0,ou=SUDOers,dc=my-domain,dc=com
+objectClass: top
+objectClass: sudoRole
+cn: user0
+sudoUser: user0
+sudoHost: ALL
+sudoRunAsUser: ALL
+sudoRunAsGroup: ALL
+sudoCommand: ALL
+sudoOrder: 10000
+
+dn: cn=user1,ou=SUDOers,dc=my-domain,dc=com
+objectClass: top
+objectClass: sudoRole
+cn: user1
+sudoUser: user1
+sudoHost: ALL
+sudoRunAsUser: ALL
+sudoRunAsGroup: ALL
+sudoCommand: ALL
+sudoOrder: 10001
+
+dn: cn=user2,ou=SUDOers,dc=my-domain,dc=com
+objectClass: top
+objectClass: sudoRole
+cn: user2
+sudoUser: user2
+sudoHost: ALL
+sudoRunAsUser: ALL
+sudoRunAsGroup: ALL
+sudoCommand: ALL
+sudoOrder: 10002
+
+dn: cn=user3,ou=SUDOers,dc=my-domain,dc=com
+objectClass: top
+objectClass: sudoRole
+cn: user3
+sudoUser: user3
+sudoHost: ALL
+sudoRunAsUser: ALL
+sudoRunAsGroup: ALL
+sudoCommand: ALL
+sudoOrder: 10003
+
+dn: cn=user4,ou=SUDOers,dc=my-domain,dc=com
+objectClass: top
+objectClass: sudoRole
+cn: user4
+sudoUser: user4
+sudoHost: ALL
+sudoRunAsUser: ALL
+sudoRunAsGroup: ALL
+sudoCommand: ALL
+sudoOrder: 10004
+
+dn: cn=user5,ou=SUDOers,dc=my-domain,dc=com
+objectClass: top
+objectClass: sudoRole
+cn: user5
+sudoUser: user5
+sudoHost: ALL
+sudoRunAsUser: ALL
+sudoRunAsGroup: ALL
+sudoCommand: ALL
+sudoOrder: 10005
+
+dn: cn=user6,ou=SUDOers,dc=my-domain,dc=com
+objectClass: top
+objectClass: sudoRole
+cn: user6
+sudoUser: user6
+sudoHost: ALL
+sudoRunAsUser: ALL
+sudoRunAsGroup: ALL
+sudoCommand: ALL
+sudoOrder: 10006
+
+dn: cn=user7,ou=SUDOers,dc=my-domain,dc=com
+objectClass: top
+objectClass: sudoRole
+cn: user7
+sudoUser: user7
+sudoHost: ALL
+sudoRunAsUser: ALL
+sudoRunAsGroup: ALL
+sudoCommand: ALL
+sudoOrder: 10007
+
+dn: cn=user8,ou=SUDOers,dc=my-domain,dc=com
+objectClass: top
+objectClass: sudoRole
+cn: user8
+sudoUser: user8
+sudoHost: ALL
+sudoRunAsUser: ALL
+sudoRunAsGroup: ALL
+sudoCommand: ALL
+sudoOrder: 10008
+
+dn: cn=user9,ou=SUDOers,dc=my-domain,dc=com
+objectClass: top
+objectClass: sudoRole
+cn: user9
+sudoUser: user9
+sudoHost: ALL
+sudoRunAsUser: ALL
+sudoRunAsGroup: ALL
+sudoCommand: ALL
+sudoOrder: 10009
+
+dn: cn=user10,ou=SUDOers,dc=my-domain,dc=com
+objectClass: top
+objectClass: sudoRole
+cn: user10
+sudoUser: user10
+sudoHost: ALL
+sudoRunAsUser: ALL
+sudoRunAsGroup: ALL
+sudoCommand: ALL
--- a/plugins/sudoers/regress/cvtsudoers/test32.sh
+++ b/plugins/sudoers/regress/cvtsudoers/test32.sh
@ -0,0 +1,21 @@
+#!/bin/sh
+#
+# Test cvtsudoers.conf with invalid padding
+#
+
+exec 2>&1
+./cvtsudoers -c "" -b "ou=SUDOers,dc=my-domain,dc=com" -O 1000 -P 1 <<EOF
+user0  ALL = (ALL:ALL) ALL
+user1  ALL = (ALL:ALL) ALL
+user2  ALL = (ALL:ALL) ALL
+user3  ALL = (ALL:ALL) ALL
+user4  ALL = (ALL:ALL) ALL
+user5  ALL = (ALL:ALL) ALL
+user6  ALL = (ALL:ALL) ALL
+user7  ALL = (ALL:ALL) ALL
+user8  ALL = (ALL:ALL) ALL
+user9  ALL = (ALL:ALL) ALL
+user10 ALL = (ALL:ALL) ALL
+EOF
+
+exit 0