mir/sudo
2
0
Fork 0
mirror of https://github.com/sudo-project/sudo.git synced 2025-08-30 05:48:18 +00:00
Code Issues Releases Wiki Activity

Document how to merge sudoers files with cvtsudoers.

Browse Source
This commit is contained in:
Todd C. Miller 2021-11-19 12:29:21 -07:00
parent f5c6e2df7b
commit cc79038730
2 changed files with 161 additions and 16 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

91
docs/cvtsudoers.man.in
View File

@ -16,7 +16,7 @@
.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
.\" .\"
.TH "CVTSUDOERS" "1" "October 10, 2021" "Sudo @PACKAGE_VERSION@" "General Commands Manual" .TH "CVTSUDOERS" "1" "November 18, 2021" "Sudo @PACKAGE_VERSION@" "General Commands Manual"
.nh .nh
.if n .ad l .if n .ad l
.SH "NAME" .SH "NAME"
@ -37,23 +37,27 @@
[\fB\-O\fR\ \fIstart_point\fR] [\fB\-O\fR\ \fIstart_point\fR]
[\fB\-P\fR\ \fIpadding\fR] [\fB\-P\fR\ \fIpadding\fR]
[\fB\-s\fR\ \fIsections\fR] [\fB\-s\fR\ \fIsections\fR]
[\fIinput_file\fR] [\fIinput_file\ ...\fR]
.SH "DESCRIPTION" .SH "DESCRIPTION"
The
\fBcvtsudoers\fR \fBcvtsudoers\fR
can be used to convert between utility accepts one or more security policies in either
\fIsudoers\fR \fIsudoers\fR
security policy file formats. or LDIF format as input, and generates a single
The default input format is sudoers. policy of the specified format as output.
The default input format is
\fIsudoers.\fR
The default output format is LDIF. The default output format is LDIF.
It is only possible to convert a It is only possible to convert a policy file that is syntactically correct.
\fIsudoers\fR
file that is syntactically correct.
.PP .PP
If no If no
\fIinput_file\fR \fIinput_file\fR
is specified, or if it is is specified, or if it is
\(oq-\(cq, \(oq-\(cq,
the policy is read from the standard input. the policy is read from the standard input.
Input files may be optionally prefixed with a host name followed by a colon
(\(oq:\&\(cq)
to make the policy rules specific to a host when merging multiple files.
By default, the result is written to the standard output. By default, the result is written to the standard output.
.PP .PP
The options are as follows: The options are as follows:
@ -372,7 +376,64 @@ Print the
and and
\fIsudoers\fR \fIsudoers\fR
grammar versions and exit. grammar versions and exit.
.SS "Merging multiple files"
When multiple input files are specified,
\fBcvtsudoers\fR
will attempt to merge them into a single policy file.
It is assumed that user and group names are consistent among
the policy files to be merged.
For example, user
\(lqbob\(rq
on one host is the same as user
\(lqbob\(rq
on another host.
.PP .PP
When merging policy files, it is possible to prefix the input file name
with a host name, separated by a colon
(\(oq:\&\(cq).
When the files are merged, the host name will be used to restrict
the policy rules to that specific host where possible.
.PP
The merging process is performed as follows:
.TP 3n
\fB\(bu\fR
Each input file is parsed into internal sudoers data structures.
.TP 3n
\fB\(bu\fR
Aliases are merged and renamed as necessary to avoid conflicts.
In the event of a conflict, the first alias found is left as-is and
subsequent aliases of the same name are renamed with a numeric suffix
separated with a underscore
(\(oq_\(cq).
For example, if there are two different aliases named
\fRSERVERS\fR,
the first will be left as-is and the second will be renamed
\fRSERVERS_1\fR.
References to the renamed alias are also updated in the policy file.
Duplicate aliases (those with identical contents) are pruned.
.TP 3n
\fB\(bu\fR
Defaults settings are merged and duplicates are removed.
If there are conflicts in the Defaults settings, a warning is emitted for
each conflict.
If a host name is specified with the input file,
\fBcvtsudoers\fR
will change the global Defaults settings in that file to be host-specific.
A warning is emitted for command, user or runas-specific Defaults settings
which cannot be made host-specific.
.TP 3n
\fB\(bu\fR
Per-user rules are merged and duplicates are removed.
If a host name is specified with the input file,
\fBcvtsudoers\fR
will change rules that specify a host name of
\fRALL\fR
to the host name associated with the policy file being merged.
The merging of rules is currently fairly simplistic but will be
improved in a later release.
.PP
It is possible to merge policy files with differing formats.
.SS "The cvtsudoers.conf file"
Options in the form Options in the form
\(lqkeyword = value\(rq \(lqkeyword = value\(rq
may also be specified in a configuration file, may also be specified in a configuration file,
@ -502,6 +563,20 @@ format:
$ cvtsudoers -i ldif -f sudoers -o sudoers.new sudoers.ldif $ cvtsudoers -i ldif -f sudoers -o sudoers.new sudoers.ldif
.RE .RE
.fi .fi
.PP
Merge a global
\fIsudoers\fR
file with two host-specific policy files from the hosts
\(lqxyzzy\(rq
and
\(lqplugh\(rq:
.nf
.sp
.RS 6n
$ cvtsudoers -f sudoers -o sudoers.merged sudoers \e
xyzzy:sudoers.xyzzy plugh:sudoers.plugh
.RE
.fi
.SH "SEE ALSO" .SH "SEE ALSO"
sudoers(@mansectform@), sudoers(@mansectform@),
sudoers.ldap(@mansectform@), sudoers.ldap(@mansectform@),

86
docs/cvtsudoers.mdoc.in
View File

@ -15,7 +15,7 @@
.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
.\" .\"
.Dd October 10, 2021 .Dd November 18, 2021
.Dt CVTSUDOERS 1 .Dt CVTSUDOERS 1
.Os Sudo @PACKAGE_VERSION@ .Os Sudo @PACKAGE_VERSION@
.Sh NAME .Sh NAME
@ -35,23 +35,27 @@
.Op Fl O Ar start_point .Op Fl O Ar start_point
.Op Fl P Ar padding .Op Fl P Ar padding
.Op Fl s Ar sections .Op Fl s Ar sections
.Op Ar input_file .Op Ar input_file ...
.Sh DESCRIPTION .Sh DESCRIPTION
The
.Nm .Nm
can be used to convert between utility accepts one or more security policies in either
.Em sudoers .Em sudoers
security policy file formats. or LDIF format as input, and generates a single
The default input format is sudoers. policy of the specified format as output.
The default input format is
.Em sudoers.
The default output format is LDIF. The default output format is LDIF.
It is only possible to convert a It is only possible to convert a policy file that is syntactically correct.
.Em sudoers
file that is syntactically correct.
.Pp .Pp
If no If no
.Ar input_file .Ar input_file
is specified, or if it is is specified, or if it is
.Ql - , .Ql - ,
the policy is read from the standard input. the policy is read from the standard input.
Input files may be optionally prefixed with a host name followed by a colon
.Pq Ql :\&
to make the policy rules specific to a host when merging multiple files.
By default, the result is written to the standard output. By default, the result is written to the standard output.
.Pp .Pp
The options are as follows: The options are as follows:
@ -319,7 +323,62 @@ and
.Em sudoers .Em sudoers
grammar versions and exit. grammar versions and exit.
.El .El
.Ss Merging multiple files
When multiple input files are specified,
.Nm
will attempt to merge them into a single policy file.
It is assumed that user and group names are consistent among
the policy files to be merged.
For example, user
.Dq bob
on one host is the same as user
.Dq bob
on another host.
.Pp .Pp
When merging policy files, it is possible to prefix the input file name
with a host name, separated by a colon
.Pq Ql :\& .
When the files are merged, the host name will be used to restrict
the policy rules to that specific host where possible.
.Pp
The merging process is performed as follows:
.Bl -bullet -width 1n
.It
Each input file is parsed into internal sudoers data structures.
.It
Aliases are merged and renamed as necessary to avoid conflicts.
In the event of a conflict, the first alias found is left as-is and
subsequent aliases of the same name are renamed with a numeric suffix
separated with a underscore
.Pq Ql _ .
For example, if there are two different aliases named
.Li SERVERS ,
the first will be left as-is and the second will be renamed
.Li SERVERS_1 .
References to the renamed alias are also updated in the policy file.
Duplicate aliases (those with identical contents) are pruned.
.It
Defaults settings are merged and duplicates are removed.
If there are conflicts in the Defaults settings, a warning is emitted for
each conflict.
If a host name is specified with the input file,
.Nm
will change the global Defaults settings in that file to be host-specific.
A warning is emitted for command, user or runas-specific Defaults settings
which cannot be made host-specific.
.It
Per-user rules are merged and duplicates are removed.
If a host name is specified with the input file,
.Nm
will change rules that specify a host name of
.Li ALL
to the host name associated with the policy file being merged.
The merging of rules is currently fairly simplistic but will be
improved in a later release.
.El
.Pp
It is possible to merge policy files with differing formats.
.Ss The cvtsudoers.conf file
Options in the form Options in the form
.Dq keyword = value .Dq keyword = value
may also be specified in a configuration file, may also be specified in a configuration file,
@ -426,6 +485,17 @@ format:
.Bd -literal -offset indent .Bd -literal -offset indent
$ cvtsudoers -i ldif -f sudoers -o sudoers.new sudoers.ldif $ cvtsudoers -i ldif -f sudoers -o sudoers.new sudoers.ldif
.Ed .Ed
.Pp
Merge a global
.Em sudoers
file with two host-specific policy files from the hosts
.Dq xyzzy
and
.Dq plugh :
.Bd -literal -offset indent
$ cvtsudoers -f sudoers -o sudoers.merged sudoers \e
xyzzy:sudoers.xyzzy plugh:sudoers.plugh
.Ed
.Sh SEE ALSO .Sh SEE ALSO
.Xr sudoers @mansectform@ , .Xr sudoers @mansectform@ ,
.Xr sudoers.ldap @mansectform@ , .Xr sudoers.ldap @mansectform@ ,