summaryrefslogtreecommitdiff
path: root/docs/cvtsudoers.man.in
diff options
context:
space:
mode:
Diffstat (limited to 'docs/cvtsudoers.man.in')
-rw-r--r--docs/cvtsudoers.man.in782
1 files changed, 767 insertions, 15 deletions
diff --git a/docs/cvtsudoers.man.in b/docs/cvtsudoers.man.in
index 5e65be3bf..2b5ac6b78 100644
--- a/docs/cvtsudoers.man.in
+++ b/docs/cvtsudoers.man.in
@@ -16,7 +16,7 @@
.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
.\"
-.TH "CVTSUDOERS" "1" "February 16, 2022" "Sudo @PACKAGE_VERSION@" "General Commands Manual"
+.TH "CVTSUDOERS" "1" "September 29, 2022" "Sudo @PACKAGE_VERSION@" "General Commands Manual"
.nh
.if n .ad l
.SH "NAME"
@@ -67,9 +67,8 @@ The options are as follows:
The base DN (distinguished name) that will be used when performing
LDAP queries.
Typically this is of the form
-\fRou=SUDOers,dc=my-domain,dc=com\fR
-for the domain
-\fRmy-domain.com\fR.
+\(lqou=SUDOers,dc=my-domain,dc=com\(rq
+for the domain my-domain.com.
If this option is not specified, the value of the
\fRSUDOERS_BASE\fR
environment variable will be used instead.
@@ -82,10 +81,10 @@ Defaults to
.TP 12n
\fB\-d\fR \fIdeftypes\fR, \fB\--defaults\fR=\fIdeftypes\fR
Only convert
-\fRDefaults\fR
+\fIDefaults\fR
entries of the specified types.
One or more
-\fRDefaults\fR
+\fIDefaults\fR
types may be specified, separated by a comma
(\(oq\&,\(cq).
The supported types are:
@@ -122,7 +121,7 @@ for more information.
If the
\fB\-d\fR
option is not specified, all
-\fRDefaults\fR
+\fIDefaults\fR
entries will be converted.
.RE
.TP 12n
@@ -143,12 +142,9 @@ The following formats are supported:
CSV
CSV (comma-separated value) files are often used by spreadsheets
and report generators.
-For CSV output,
-\fBcvtsudoers\fR
-double quotes strings that contain commas.
-For each literal double quote character present inside the string,
-two double quotes are output.
-This method of quoting commas is compatible with most spreadsheet programs.
+See
+\fICSV output format\fR
+for more details.
.PD
.TP 10n
JSON
@@ -160,6 +156,9 @@ The various values have explicit types which removes much of the
ambiguity of the
\fIsudoers\fR
format.
+See
+\fIJSON output format\fR
+for more details.
.TP 10n
LDIF
LDIF (LDAP Data Interchange Format) files can be imported into an LDAP
@@ -264,7 +263,12 @@ For example,
\fBuser\fR = \fIoperator\fR
or
\fBhost\fR = \fIwww\fR.
-An upper-case Cmnd_Alias, Host_alias, or Host_Alias may be specified as the
+An upper-case
+\fICmnd_Alias\fR,
+\fIHost_alias\fR,
+or
+\fIUser_Alias\fR
+may be specified as the
\(lqcmnd\(rq,
\(lqhost\(rq,
or
@@ -436,7 +440,7 @@ Per-user rules are merged and duplicates are removed.
If a host name is specified with the input file,
\fBcvtsudoers\fR
will change rules that specify a host name of
-\fRALL\fR
+\fBALL\fR
to the host name associated with the policy file being merged.
The merging of rules is currently fairly simplistic but will be
improved in a later release.
@@ -522,6 +526,754 @@ command line option.
.PP
Options on the command line will override values from the
configuration file.
+.SS "JSON output format"
+The
+\fIsudoers\fR
+JSON format may contain any of the following top-level objects:
+.TP 6n
+Defaults
+An array of objects, each containing an
+\fIOptions\fR
+array and an optional
+\fIBinding\fR
+array.
+.sp
+The
+\fIOptions\fR
+array consists of one or more objects, each containing a
+\(lqname:value\(rq
+pair that corresponds to a
+\fIsudoers\fR
+\fIDefaults\fR
+setting.
+\fIOptions\fR
+that operate on a list will also include an
+\fIoperation\fR
+entry in the object, with a value of
+\(lqlist_assign\(rq
+for
+\(oq=\(cq,
+\(lqlist_add\(rq
+for
+\(oq+=\(cq,
+or
+\(lqlist_remove\(rq
+for
+\(oq-=\(cq.
+.sp
+The optional
+\fIBinding\fR
+array consists of one or more objects, each containing a
+\(lqname:value\(rq
+pair and an optional
+\fInegated\fR
+entry, which will negate any comparison performed with the object.
+If a
+\fIBinding\fR
+is present, the setting will only take effect if one of the specified
+\fIcommand\fR,
+\fIhostname\fR,
+\fInetgroup\fR,
+\fInetworkaddr\fR,
+\fInonunixgid\fR,
+\fInonunixgroup\fR,
+\fIusergid\fR,
+\fIusergroup\fR,
+\fIuserid\fR,
+\fIusername\fR,
+or alias entries match.
+.sp
+For example, the following
+\fIsudoers\fR
+entry:
+.nf
+.sp
+.RS 6n
+Defaults@somehost set_home, env_keep += DISPLAY
+.RE
+.fi
+.RS 6n
+.sp
+converts to:
+.nf
+.sp
+.RS 6n
+"Defaults": [
+ {
+ "Binding": [
+ { "hostname": "somehost" }
+ ],
+ "Options": [
+ { "set_home": true },
+ {
+ "operation": "list_add",
+ "env_keep": [
+ "DISPLAY"
+ ]
+ }
+ ]
+ }
+]
+.RE
+.fi
+.RE
+.TP 6n
+User_Aliases
+A JSON object containing one or more
+\fIsudoers\fR
+\fIUser_Alias\fR
+entries where each named alias has as its value an array
+containing one or more objects.
+Each object contains a
+\(lqname:value\(rq
+pair and an optional
+\fInegated\fR
+entry, which will negate any comparison performed with the object.
+The name may be one of
+\fInetgroup\fR,
+\fInonunixgid\fR,
+\fInonunixgroup\fR,
+\fIuseralias\fR,
+\fIusergid\fR,
+\fIusergroup\fR,
+\fIuserid\fR,
+or
+\fIusername\fR.
+.sp
+For example, the following
+\fIsudoers\fR
+entry:
+.nf
+.sp
+.RS 6n
+User_Alias SYSADMIN = will, %wheel, +admin
+.RE
+.fi
+.RS 6n
+.sp
+converts to:
+.nf
+.sp
+.RS 6n
+"User_Aliases": {
+ "SYSADMIN": [
+ { "username": "will" },
+ { "usergroup": "wheel" },
+ { "netgroup": "admin" }
+ ]
+}
+.RE
+.fi
+.RE
+.TP 6n
+Runas_Aliases
+A JSON object containing one or more
+\fIsudoers\fR
+\fIRunas_Alias\fR
+entries, where each named alias has as its value an array
+containing one or more objects.
+Each object contains a
+\(lqname:value\(rq
+pair and an optional
+\fInegated\fR
+entry, which will negate any comparison performed with the object.
+The name may be one of
+\fInetgroup\fR,
+\fInonunixgid\fR,
+\fInonunixgroup\fR,
+\fIrunasalias\fR,
+\fIusergid\fR,
+\fIusergroup\fR,
+\fIuserid\fR,
+or
+\fIusername\fR.
+.sp
+For example, the following
+\fIsudoers\fR
+entry:
+.nf
+.sp
+.RS 6n
+Runas_Alias DB = oracle, sybase : OP = root, operator
+.RE
+.fi
+.RS 6n
+.sp
+converts to:
+.nf
+.sp
+.RS 6n
+"Runas_Aliases": {
+ "DB": [
+ { "username": "oracle" },
+ { "username": "sybase" }
+ ],
+ "OP": [
+ { "username": "root" },
+ { "username": "operator" }
+ ]
+}
+.RE
+.fi
+.RE
+.TP 6n
+Host_Aliases
+A JSON object containing one or more
+\fIsudoers\fR
+\fIHost_Alias\fR
+entries where each named alias has as its value an array
+containing one or more objects.
+Each object contains a
+\(lqname:value\(rq
+pair and an optional
+\fInegated\fR
+entry, which will negate any comparison performed with the object.
+The name may be one of
+\fIhostalias\fR,
+\fIhostname\fR,
+\fInetgroup\fR,
+or
+\fInetworkaddr\fR.
+.sp
+For example, the following
+\fIsudoers\fR
+entries:
+.nf
+.sp
+.RS 6n
+Host_Alias DORMNET = 128.138.243.0, 128.138.204.0/24
+Host_Alias SERVERS = boulder, refuge
+.RE
+.fi
+.RS 6n
+.sp
+convert to:
+.nf
+.sp
+.RS 6n
+"Host_Aliases": {
+ "DORMNET": [
+ { "networkaddr": "128.138.243.0" },
+ { "networkaddr": "128.138.204.0/24" }
+ ],
+ "SERVERS": [
+ { "hostname": "boulder" },
+ { "hostname": "refuge" }
+ ]
+}
+.RE
+.fi
+.RE
+.TP 6n
+Cmnd_Aliases
+A JSON object containing one or more
+\fIsudoers\fR
+\fICmnd_Alias\fR
+entries where each named alias has as its value an array
+containing one or more objects.
+Each object contains a
+\(lqname:value\(rq
+pair and an optional
+\fInegated\fR
+entry, which will negate any comparison performed with the object.
+The name may be either another
+\fIcmndalias\fR
+or a
+\fIcommand\fR.
+For example, the following
+\fIsudoers\fR
+entries:
+.nf
+.sp
+.RS 6n
+Cmnd_Alias SHELLS = /bin/bash, /bin/csh, /bin/sh, /bin/zsh
+Cmnd_Alias VIPW = /usr/bin/chpass, /usr/bin/chfn, /usr/bin/chsh, \e
+ /usr/bin/passwd, /usr/sbin/vigr, /usr/sbin/vipw
+.RE
+.fi
+.RS 6n
+.sp
+convert to:
+.nf
+.sp
+.RS 6n
+"Cmnd_Aliases": {
+ "SHELLS": [
+ { "command": "/bin/bash" },
+ { "command": "/bin/csh" },
+ { "command": "/bin/sh" },
+ { "command": "/bin/zsh" }
+ ],
+ "VIPW": [
+ { "command": "/usr/bin/chpass" },
+ { "command": "/usr/bin/chfn" },
+ { "command": "/usr/bin/chsh" },
+ { "command": "/usr/bin/passwd" },
+ { "command": "/usr/sbin/vigr" },
+ { "command": "/usr/sbin/vipw" }
+ ]
+}
+.RE
+.fi
+.RE
+.TP 6n
+User_Specs
+A JSON array containing one or more objects, each representing a
+\fIsudoers\fR
+User_Spec.
+Each object in the
+\fIUser_Specs\fR
+array should contain a
+\fIUser_List\fR
+array, a
+\fIHost_List\fR
+array and a
+\fICmnd_Specs\fR
+array.
+.sp
+A
+\fIUser_List\fR
+consists of one or more objects.
+Each object contains a
+\(lqname:value\(rq
+pair and an optional
+\fInegated\fR
+entry, which will negate any comparison performed with the object.
+The name may be one of
+\fInetgroup\fR,
+\fInonunixgid\fR,
+\fInonunixgroup\fR,
+\fIuseralias\fR,
+\fIusergid\fR,
+\fIusergroup\fR,
+\fIuserid\fR,
+or
+\fIusername\fR.
+If
+\fIusername\fR
+is set to the special value
+\fBALL\fR,
+it will match any user.
+.sp
+A
+\fIHost_List\fR
+consists of one or more objects.
+Each object contains a
+\(lqname:value\(rq
+pair and an optional
+\fInegated\fR
+entry, which will negate any comparison performed with the object.
+The name may be one of
+\fIhostalias\fR,
+\fIhostname\fR,
+\fInetgroup\fR,
+or
+\fInetworkaddr\fR.
+If
+\fIhostname\fR
+is set to the special value
+\fBALL\fR,
+it will match any host.
+.sp
+The
+\fICmnd_Specs\fR
+array consists of one or more JSON objects describing a command that
+may be run.
+Each
+\fICmnd_Specs\fR
+is made up of a
+\fICommands\fR
+array, an optional
+\fIrunasusers\fR
+array, an optional
+\fIrunasgroups\fR
+array, and an optional
+\fIOptions array.\fR
+.sp
+The
+\fICommands\fR
+array consists of one or more objects containing
+\(lqname:value\(rq
+pair elements.
+The following names and values are supported:
+.PP
+.RS 6n
+.PD 0
+.TP 10n
+command
+A string containing the command to run.
+The special value
+\fBALL\fR
+it will match any command.
+.PD
+.TP 10n
+negated
+A boolean value that, if true, will negate any comparison performed
+with the object.
+.TP 10n
+sha224
+A string containing the SHA224 digest of the
+\fIcommand\fR.
+.TP 10n
+sha256
+A string containing the SHA256 digest of the
+\fIcommand\fR.
+.TP 10n
+sha384
+A string containing the SHA384 digest of the
+\fIcommand\fR.
+.TP 10n
+sha512
+A string containing the SHA512 digest of the
+\fIcommand\fR.
+.PP
+The
+\fIrunasusers\fR
+array consists of objects describing users the command may be run as.
+Each object contains a
+\(lqname:value\(rq
+pair and an optional
+\fInegated\fR
+entry, which will negate any comparison performed with the object.
+The name may be one of
+\fInetgroup\fR,
+\fInonunixgid\fR,
+\fInonunixgroup\fR,
+\fIrunasalias\fR,
+\fIusergid\fR,
+\fIusergroup\fR,
+\fIuserid\fR,
+or
+\fIusername\fR.
+If
+\fIusername\fR
+is set to the special value
+\fBALL\fR,
+it will match any user.
+If
+\fIusername\fR
+is set to the empty string
+\(lq\(rq,
+it will match the invoking user.
+.sp
+The
+\fIrunasgroups\fR
+array consists of objects describing groups the command may be run as.
+Each object contains a
+\(lqname:value\(rq
+pair and an optional
+\fInegated\fR
+entry, which will negate any comparison performed with the object.
+The name may be one of
+\fIrunasalias\fR,
+\fIusergid\fR,
+or
+\fIusergroup\fR.
+If
+\fIusergroup\fR
+is set to the special value
+\fBALL\fR,
+it will match any group.
+.sp
+The
+\fIOptions\fR
+array is of the same format as the one in the
+\fIDefaults\fR
+object.
+Any
+\fITag_Spec\fR
+entries in
+\fIsudoers\fR
+are converted to
+\fIOptions\fR.
+A user with
+\(lqsudo ALL\(rq
+privileges will automatically have the
+\fIsetenv\fR
+option enabled to match the implicit behavior provided by
+\fIsudoers\fR.
+.sp
+For example, the following
+\fIsudoers\fR
+entry:
+.nf
+.sp
+.RS 6n
+millert ALL = (ALL : ALL) NOPASSWD: ALL, !/usr/bin/id
+.RE
+.fi
+.sp
+converts to:
+.nf
+.sp
+.RS 6n
+"User_Specs": [
+ {
+ "User_List": [
+ { "username": "millert" }
+ ],
+ "Host_List": [
+ { "hostname": "ALL" }
+ ],
+ "Cmnd_Specs": [
+ {
+ "runasusers": [
+ { "username": "ALL" }
+ ],
+ "runasgroups": [
+ { "usergroup": "ALL" }
+ ],
+ "Options": [
+ { "authenticate": false },
+ { "setenv": true }
+ ],
+ "Commands": [
+ { "command": "ALL" },
+ {
+ "command": "/usr/bin/id",
+ "negated": true
+ }
+ ]
+ }
+ ]
+ }
+]
+.RE
+.fi
+.RE
+.SS "CSV output format"
+CSV (comma-separated value) files are often used by spreadsheets
+and report generators.
+For CSV output,
+\fBcvtsudoers\fR
+double quotes strings that contain commas.
+For each literal double quote character present inside the string,
+two double quotes are output.
+This method of quoting commas is compatible with most spreadsheet programs.
+.PP
+There are three possible sections in
+\fBcvtsudoers\fR's
+CSV output, each separated by a blank line:
+.TP 6n
+defaults
+This section includes any
+\fIDefaults\fR
+settings in
+\fIsudoers\fR.
+The
+\fIdefaults\fR
+section begins with the following heading:
+.nf
+.sp
+.RS 12n
+defaults_type,binding,name,operator,value
+.RE
+.fi
+.RS 6n
+.sp
+The fields are as follows:
+.TP 10n
+defaults_type
+The type of
+\fIDefaults\fR
+setting; one of
+\fIdefaults\fR,
+\fIdefaults_command\fR,
+\fIdefaults_host\fR,
+\fIdefaults_runas\fR,
+or
+\fIdefaults_user\fR.
+.TP 10n
+binding
+For
+\fIdefaults_command\fR,
+\fIdefaults_host\fR,
+\fIdefaults_runas\fR,
+and
+\fIdefaults_user\fR
+this is the value that must match for the setting to be applied.
+.TP 10n
+name
+The name of the
+\fIDefaults\fR
+setting.
+.TP 10n
+operator
+The operator determines how the value is applied to the setting.
+It may be either
+\(oq=\(cq
+(assignment),
+\(oq+=\(cq
+(append),
+or
+\(oq-=\(cq
+(remove).
+.TP 10n
+value
+The setting's value, usually a string or, for
+settings used in a boolean context,
+\fItrue\fR
+or
+\fIfalse\fR.
+.PD 0
+.PP
+.RE
+.PD
+.TP 6n
+aliases
+This section includes any
+\fICmnd_Alias\fR
+\fIHost_Alias\fR,
+\fIRunas_Alias\fR,
+or
+\fIUser_Alias\fR,
+entries from
+\fIsudoers\fR.
+The
+\fIaliases\fR
+section begins with the following heading:
+.nf
+.sp
+.RS 12n
+alias_type,alias_name,members
+.RE
+.fi
+.RS 6n
+.sp
+The fields are as follows:
+.TP 10n
+alias_type
+The type of alias; one of
+\fICmnd_Alias\fR,
+\fIHost_Alias\fR,
+\fIRunas_Alias\fR,
+or
+\fIUser_Alias\fR.
+.TP 10n
+alias_name
+The name of the alias; a string starting with an upper-case letter that
+consists of upper-case letters, digits, or underscores.
+.TP 10n
+members
+A comma-separated list of members belonging to the alias.
+Due to the use of commas,
+\fImembers\fR
+is surrounded by double quotes if it contains more than one member.
+.PD 0
+.PP
+.RE
+.PD
+.TP 6n
+rules
+.br
+This section includes the
+\fIsudoers\fR
+rules that grant privileges.
+The
+\fIrules\fR
+section begins with the following heading:
+.nf
+.sp
+.RS 12n
+rule,user,host,runusers,rungroups,options,command
+.RE
+.fi
+.RS 6n
+.sp
+The fields are as follows:
+.TP 10n
+rule
+This field indicates a
+\fIsudoers\fR
+\fIrule\fR
+entry.
+.TP 10n
+user
+The user the rule applies to.
+This may also be a Unix group (preceded by a
+\(oq%\(cq
+character), a non-Unix group (preceded by
+\(oq%:\(cq)
+or a netgroup (preceded by a
+\(oq+\(cq
+character)
+or a
+\fIUser_Alias\fR.
+If set to the special value
+\fBALL\fR,
+it will match any user.
+.TP 10n
+host
+The host the rule applies to.
+This may also be a netgroup (preceded by a
+\(oq+\(cq
+character)
+or a
+\fIHost_Alias\fR.
+If set to the special value
+\fBALL\fR,
+it will match any host.
+.TP 10n
+runusers
+An optional comma-separated list of users (or
+\fIRunas_Alias\fRes)
+the command may be run as.
+If it contains more than one member, the value is surrounded by
+double quotes.
+If set to the special value
+\fBALL\fR,
+it will match any user.
+If empty, the root user is assumed.
+.TP 10n
+rungroups
+.br
+An optional comma-separated list of groups (or
+\fIRunas_Alias\fRes)
+the command may be run as.
+If it contains more than one member, the value is surrounded by
+double quotes.
+If set to the special value
+\fBALL\fR,
+it will match any group.
+If empty, the
+\fIrunuser\fR's
+group is used.
+.TP 10n
+options
+An optional list of
+\fIDefaults\fR
+settings to apply to the command.
+Any
+\fITag_Spec\fR
+entries in
+\fIsudoers\fR
+are converted to
+\fIoptions\fR.
+.TP 10n
+commands
+A list of commands, with optional arguments, that the user is allowed to run.
+If set to the special value
+\fBALL\fR,
+it will match any command.
+.PP
+For example, the following
+\fIsudoers\fR
+entry:
+.nf
+.sp
+.RS 6n
+millert ALL = (ALL : ALL) NOPASSWD: ALL, !/usr/bin/id
+.RE
+.fi
+.sp
+converts to:
+.nf
+.sp
+.RS 6n
+rule,millert,ALL,ALL,ALL,"!authenticate","ALL,!/usr/bin/id"
+.RE
+.fi
+.RE
.SH "FILES"
.TP 26n
\fI@sysconfdir@/cvtsudoers.conf\fR
View Lorry Controller Status