
Add cvtsudoers command line option to suppress certain parts of the

security policy.  Can be used to suppress displaying of Defaults
entries, aliases or privileges.
This commit is contained in:
Todd C. Miller
2018-03-22 11:38:39 -06:00
parent af6e1cd7c6
commit 8a237eb07d
7 changed files with 110 additions and 23 deletions


@@ -6,7 +6,7 @@ NNAAMMEE
SSYYNNOOPPSSIISS SSYYNNOOPPSSIISS
ccvvttssuuddooeerrss [--eehhVV] [--bb _d_n] [--cc _c_o_n_f___f_i_l_e] [--ff _o_u_t_p_u_t___f_o_r_m_a_t] ccvvttssuuddooeerrss [--eehhVV] [--bb _d_n] [--cc _c_o_n_f___f_i_l_e] [--ff _o_u_t_p_u_t___f_o_r_m_a_t]
[--ii _i_n_p_u_t___f_o_r_m_a_t] [--II _i_n_c_r_e_m_e_n_t] [--mm _f_i_l_t_e_r] [--oo _o_u_t_p_u_t___f_i_l_e] [--ii _i_n_p_u_t___f_o_r_m_a_t] [--II _i_n_c_r_e_m_e_n_t] [--mm _f_i_l_t_e_r] [--oo _o_u_t_p_u_t___f_i_l_e]
[--OO _s_t_a_r_t___p_o_i_n_t] [_i_n_p_u_t___f_i_l_e] [--OO _s_t_a_r_t___p_o_i_n_t] [--ss _s_e_c_t_i_o_n_s] [_i_n_p_u_t___f_i_l_e]
DDEESSCCRRIIPPTTIIOONN DDEESSCCRRIIPPTTIIOONN
ccvvttssuuddooeerrss can be used to convert between _s_u_d_o_e_r_s security policy file ccvvttssuuddooeerrss can be used to convert between _s_u_d_o_e_r_s security policy file
@@ -113,6 +113,13 @@ DDEESSCCRRIIPPTTIIOONN
point of 0 will disable the generation of sudoOrder point of 0 will disable the generation of sudoOrder
attributes in the resulting LDIF file. attributes in the resulting LDIF file.
--ss _s_e_c_t_i_o_n_s, ----ssuupppprreessss=_s_e_c_t_i_o_n_s
Suppress the output of specific _s_e_c_t_i_o_n_s of the security
policy. One or more section names may be specified,
separated by a comma (`,'). The supported section name are:
ddeeffaauullttss, aalliiaasseess and pprriivviilleeggeess (which may be shortened to
pprriivvss).
--VV, ----vveerrssiioonn --VV, ----vveerrssiioonn
Print the ccvvttssuuddooeerrss and _s_u_d_o_e_r_s grammar versions and exit. Print the ccvvttssuuddooeerrss and _s_u_d_o_e_r_s grammar versions and exit.
@@ -176,4 +183,4 @@ DDIISSCCLLAAIIMMEERR
file distributed with ssuuddoo or https://www.sudo.ws/license.html for file distributed with ssuuddoo or https://www.sudo.ws/license.html for
complete details. complete details.
Sudo 1.8.23 March 21, 2018 Sudo 1.8.23 Sudo 1.8.23 March 22, 2018 Sudo 1.8.23


@@ -16,7 +16,7 @@
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
.\" ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\" .\"
.TH "CVTSUDOERS" "8" "March 21, 2018" "Sudo @PACKAGE_VERSION@" "System Manager's Manual" .TH "CVTSUDOERS" "8" "March 22, 2018" "Sudo @PACKAGE_VERSION@" "System Manager's Manual"
.nh .nh
.if n .ad l .if n .ad l
.SH "NAME" .SH "NAME"
@@ -34,6 +34,7 @@
[\fB\-m\fR\ \fIfilter\fR] [\fB\-m\fR\ \fIfilter\fR]
[\fB\-o\fR\ \fIoutput_file\fR] [\fB\-o\fR\ \fIoutput_file\fR]
[\fB\-O\fR\ \fIstart_point\fR] [\fB\-O\fR\ \fIstart_point\fR]
[\fB\-s\fR\ \fIsections\fR]
[\fIinput_file\fR] [\fIinput_file\fR]
.SH "DESCRIPTION" .SH "DESCRIPTION"
\fBcvtsudoers\fR \fBcvtsudoers\fR
@@ -214,6 +215,20 @@ Defaults to a starting point of 1.
A starting point of 0 will disable the generation of sudoOrder A starting point of 0 will disable the generation of sudoOrder
attributes in the resulting LDIF file. attributes in the resulting LDIF file.
.TP 12n .TP 12n
\fB\-s\fR \fIsections\fR, \fB\--suppress\fR=\fIsections\fR
Suppress the output of specific
\fIsections\fR
of the security policy.
One or more section names may be specified, separated by a comma
(\(oq\&,\(cq).
The supported section name are:
\fBdefaults\fR,
\fBaliases\fR
and
\fBprivileges\fR
(which may be shortened to
\fBprivs\fR).
.TP 12n
\fB\-V\fR, \fB\--version\fR \fB\-V\fR, \fB\--version\fR
Print the Print the
\fBcvtsudoers\fR \fBcvtsudoers\fR


@@ -14,7 +14,7 @@
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
.\" ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\" .\"
.Dd March 21, 2018 .Dd March 22, 2018
.Dt CVTSUDOERS @mansectsu@ .Dt CVTSUDOERS @mansectsu@
.Os Sudo @PACKAGE_VERSION@ .Os Sudo @PACKAGE_VERSION@
.Sh NAME .Sh NAME
@@ -31,6 +31,7 @@
.Op Fl m Ar filter .Op Fl m Ar filter
.Op Fl o Ar output_file .Op Fl o Ar output_file
.Op Fl O Ar start_point .Op Fl O Ar start_point
.Op Fl s Ar sections
.Op Ar input_file .Op Ar input_file
.Sh DESCRIPTION .Sh DESCRIPTION
.Nm .Nm
@@ -176,6 +177,19 @@ option for details.
Defaults to a starting point of 1. Defaults to a starting point of 1.
A starting point of 0 will disable the generation of sudoOrder A starting point of 0 will disable the generation of sudoOrder
attributes in the resulting LDIF file. attributes in the resulting LDIF file.
.It Fl s Ar sections , Fl -suppress Ns = Ns Ar sections
Suppress the output of specific
.Ar sections
of the security policy.
One or more section names may be specified, separated by a comma
.Pq Ql \&, .
The supported section name are:
.Sy defaults ,
.Sy aliases
and
.Sy privileges
(which may be shortened to
.Sy privs ) .
.It Fl V , -version .It Fl V , -version
Print the Print the
.Nm .Nm


@@ -56,7 +56,7 @@
struct cvtsudoers_filter *filters; struct cvtsudoers_filter *filters;
struct sudo_user sudo_user; struct sudo_user sudo_user;
struct passwd *list_pw; struct passwd *list_pw;
static const char short_opts[] = "b:c:ef:hi:I:m:o:O:V"; static const char short_opts[] = "b:c:ef:hi:I:m:o:O:s:V";
static struct option long_opts[] = { static struct option long_opts[] = {
{ "base", required_argument, NULL, 'b' }, { "base", required_argument, NULL, 'b' },
{ "config", required_argument, NULL, 'c' }, { "config", required_argument, NULL, 'c' },
@@ -68,6 +68,7 @@ static struct option long_opts[] = {
{ "match", required_argument, NULL, 'm' }, { "match", required_argument, NULL, 'm' },
{ "order-start", required_argument, NULL, 'O' }, { "order-start", required_argument, NULL, 'O' },
{ "output", required_argument, NULL, 'o' }, { "output", required_argument, NULL, 'o' },
{ "suppress", required_argument, NULL, 's' },
{ "version", no_argument, NULL, 'V' }, { "version", no_argument, NULL, 'V' },
{ NULL, no_argument, NULL, '\0' }, { NULL, no_argument, NULL, '\0' },
}; };
@@ -81,6 +82,7 @@ static bool cvtsudoers_parse_filter(char *expression);
static bool alias_remove_unused(void); static bool alias_remove_unused(void);
static struct cvtsudoers_config *cvtsudoers_conf_read(const char *conf_file); static struct cvtsudoers_config *cvtsudoers_conf_read(const char *conf_file);
static void cvtsudoers_conf_free(struct cvtsudoers_config *conf); static void cvtsudoers_conf_free(struct cvtsudoers_config *conf);
static int cvtsudoers_parse_suppression(char *expression);
static void filter_userspecs(void); static void filter_userspecs(void);
static void filter_defaults(void); static void filter_defaults(void);
@@ -195,6 +197,11 @@ main(int argc, char *argv[])
usage(1); usage(1);
} }
break; break;
case 's':
conf->suppress = cvtsudoers_parse_suppression(optarg);
if (conf->suppress == -1)
usage(1);
break;
case 'V': case 'V':
(void) printf(_("%s version %s\n"), getprogname(), (void) printf(_("%s version %s\n"), getprogname(),
PACKAGE_VERSION); PACKAGE_VERSION);
@@ -436,6 +443,29 @@ cvtsudoers_conf_free(struct cvtsudoers_config *conf)
debug_return; debug_return;
} }
static int
cvtsudoers_parse_suppression(char *expression)
{
char *last = NULL, *cp = expression;
int flags = 0;
debug_decl(cvtsudoers_parse_suppression, SUDOERS_DEBUG_UTIL)
for ((cp = strtok_r(cp, ",", &last)); cp != NULL; (cp = strtok_r(NULL, ",", &last))) {
if (strcasecmp(cp, "defaults") == 0) {
SET(flags, SUPPRESS_DEFAULTS);
} else if (strcasecmp(cp, "aliases") == 0) {
SET(flags, SUPPRESS_ALIASES);
} else if (strcasecmp(cp, "privileges") == 0 || strcasecmp(cp, "privs") == 0) {
SET(flags, SUPPRESS_PRIVS);
} else {
sudo_warnx(U_("invalid suppression type: %s"), cp);
debug_return_int(-1);
}
}
debug_return_int(flags);
}
static bool static bool
cvtsudoers_parse_filter(char *expression) cvtsudoers_parse_filter(char *expression)
{ {
@@ -929,15 +959,17 @@ convert_sudoers_sudoers(const char *output_file, struct cvtsudoers_config *conf)
sudo_lbuf_init(&lbuf, convert_sudoers_output, 4, "\\", 80); sudo_lbuf_init(&lbuf, convert_sudoers_output, 4, "\\", 80);
/* Print Defaults */ /* Print Defaults */
if (!ISSET(conf->suppress, SUPPRESS_DEFAULTS)) {
if (!print_defaults_sudoers(&lbuf, conf->expand_aliases)) if (!print_defaults_sudoers(&lbuf, conf->expand_aliases))
goto done; goto done;
if (lbuf.len > 0) { if (lbuf.len > 0) {
sudo_lbuf_print(&lbuf); sudo_lbuf_print(&lbuf);
sudo_lbuf_append(&lbuf, "\n"); sudo_lbuf_append(&lbuf, "\n");
} }
}
/* Print Aliases */ /* Print Aliases */
if (!conf->expand_aliases) { if (!conf->expand_aliases && !ISSET(conf->suppress, SUPPRESS_ALIASES)) {
if (!print_aliases_sudoers(&lbuf)) if (!print_aliases_sudoers(&lbuf))
goto done; goto done;
if (lbuf.len > 1) { if (lbuf.len > 1) {
@@ -947,11 +979,15 @@ convert_sudoers_sudoers(const char *output_file, struct cvtsudoers_config *conf)
} }
/* Print User_Specs, separated by blank lines. */ /* Print User_Specs, separated by blank lines. */
if (!sudoers_format_userspecs(&lbuf, &userspecs, "\n", conf->expand_aliases, true)) if (!ISSET(conf->suppress, SUPPRESS_PRIVS)) {
if (!sudoers_format_userspecs(&lbuf, &userspecs, "\n",
conf->expand_aliases, true)) {
goto done; goto done;
}
if (lbuf.len > 1) { if (lbuf.len > 1) {
sudo_lbuf_print(&lbuf); sudo_lbuf_print(&lbuf);
} }
}
done: done:
if (sudo_lbuf_error(&lbuf)) { if (sudo_lbuf_error(&lbuf)) {
@@ -977,8 +1013,8 @@ usage(int fatal)
{ {
(void) fprintf(fatal ? stderr : stdout, "usage: %s [-ehV] [-b dn] " (void) fprintf(fatal ? stderr : stdout, "usage: %s [-ehV] [-b dn] "
"[-c conf_file ] [-f output_format] [-i input_format] [-I increment] " "[-c conf_file ] [-f output_format] [-i input_format] [-I increment] "
"[-m filter] [-o output_file] [-O start_point] [input_file]\n", "[-m filter] [-o output_file] [-O start_point] [-s sections] "
getprogname()); "[input_file]\n", getprogname());
if (fatal) if (fatal)
exit(1); exit(1);
} }
@@ -998,6 +1034,7 @@ help(void)
" -m, --match=filter only convert entries that match the filter expression\n" " -m, --match=filter only convert entries that match the filter expression\n"
" -o, --output=output_file write converted sudoers to output_file\n" " -o, --output=output_file write converted sudoers to output_file\n"
" -O, --order-start=num starting point for first sudoOrder\n" " -O, --order-start=num starting point for first sudoOrder\n"
" -s, --suppress=sections suppress output of certain sections\n"
" -V, --version display version information and exit")); " -V, --version display version information and exit"));
exit(0); exit(0);
} }
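Review bot: cvtsudoers_parse_suppression treats an empty or all-comma argument as a valid result of zero flags, so `-s ""` is accepted silently instead of reaching the `invalid suppression type` warning; the loop could count accepted tokens and return -1 when none was seen, so the usage error fires for a malformed -s as it does for an unknown name. Separately, in the `case 's'` hunk the assignment `conf->suppress = cvtsudoers_parse_suppression(optarg);` replaces whatever an earlier `-s` set, so `-s defaults -s aliases` ends up suppressing only aliases; if repeated options are meant to accumulate, use `int flags = cvtsudoers_parse_suppression(optarg); if (flags == -1) usage(1); conf->suppress |= flags;` and keep the -1 sentinel out of the stored value. That case label sits inside main's option loop, which begins and ends outside the hunk.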


@@ -37,6 +37,11 @@ struct cvtsudoers_str_list {
unsigned int refcnt; unsigned int refcnt;
}; };
/* Flags for cvtsudoers_config.suppress */
#define SUPPRESS_DEFAULTS 0x01
#define SUPPRESS_ALIASES 0x02
#define SUPPRESS_PRIVS 0x04
/* cvtsudoers.conf settings */ /* cvtsudoers.conf settings */
struct cvtsudoers_config { struct cvtsudoers_config {
char *sudoers_base; char *sudoers_base;
@@ -45,12 +50,13 @@ struct cvtsudoers_config {
char *filter; char *filter;
unsigned int sudo_order; unsigned int sudo_order;
unsigned int order_increment; unsigned int order_increment;
int suppress;
bool expand_aliases; bool expand_aliases;
bool store_options; bool store_options;
}; };
/* Initial config settings for above. */ /* Initial config settings for above. */
#define INITIAL_CONFIG { NULL, NULL, NULL, NULL, 1, 1, false, true } #define INITIAL_CONFIG { NULL, NULL, NULL, NULL, 1, 1, 0, false, true }
#define CONF_BOOL 0 #define CONF_BOOL 0
#define CONF_UINT 1 #define CONF_UINT 1


@@ -1118,14 +1118,20 @@ convert_sudoers_json(const char *output_file, struct cvtsudoers_config *conf)
putc('{', output_fp); putc('{', output_fp);
/* Dump Defaults in JSON format. */ /* Dump Defaults in JSON format. */
need_comma = print_defaults_json(output_fp, indent, conf->expand_aliases, need_comma); if (!ISSET(conf->suppress, SUPPRESS_DEFAULTS)) {
need_comma = print_defaults_json(output_fp, indent,
conf->expand_aliases, need_comma);
}
/* Dump Aliases in JSON format. */ /* Dump Aliases in JSON format. */
if (!conf->expand_aliases) if (!conf->expand_aliases && !ISSET(conf->suppress, SUPPRESS_ALIASES))
need_comma = print_aliases_json(output_fp, indent, need_comma); need_comma = print_aliases_json(output_fp, indent, need_comma);
/* Dump User_Specs in JSON format. */ /* Dump User_Specs in JSON format. */
print_userspecs_json(output_fp, indent, conf->expand_aliases, need_comma); if (!ISSET(conf->suppress, SUPPRESS_PRIVS)) {
print_userspecs_json(output_fp, indent, conf->expand_aliases,
need_comma);
}
/* Close JSON output. */ /* Close JSON output. */
fputs("\n}\n", output_fp); fputs("\n}\n", output_fp);


@@ -496,9 +496,11 @@ convert_sudoers_ldif(const char *output_file, struct cvtsudoers_config *conf)
seen_users = rbcreate(seen_user_compare); seen_users = rbcreate(seen_user_compare);
/* Dump global Defaults in LDIF format. */ /* Dump global Defaults in LDIF format. */
if (!ISSET(conf->suppress, SUPPRESS_DEFAULTS))
print_global_defaults_ldif(output_fp, conf->sudoers_base); print_global_defaults_ldif(output_fp, conf->sudoers_base);
/* Dump User_Specs in LDIF format, expanding Aliases. */ /* Dump User_Specs in LDIF format, expanding Aliases. */
if (!ISSET(conf->suppress, SUPPRESS_PRIVS))
print_userspecs_ldif(output_fp, conf); print_userspecs_ldif(output_fp, conf);
/* Clean up. */ /* Clean up. */
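Review bot: The new guards here check SUPPRESS_DEFAULTS and SUPPRESS_PRIVS but never SUPPRESS_ALIASES, which per the comment on the print_userspecs_ldif call is because aliases are always expanded in LDIF output; the -s description added to the manual lists `aliases` without saying that it is a no-op for this format. A one-line caveat in that description (whose `The supported section name are:` should also read `section names are`), e.g. `Suppressing aliases has no effect on LDIF output, where aliases are always expanded.`, would avoid the silent no-op surprising users. It would also be worth stating there that output produced with -s is a partial policy and is not suitable for installation as a sudoers file, since dropping Defaults or privileges changes what the resulting policy grants or restricts. convert_sudoers_ldif starts and ends outside this hunk.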