154 lines
4.5 KiB
Perl
154 lines
4.5 KiB
Perl
#!/usr/bin/env perl
|
|
#
|
|
# Copyright (c) 2007, 2010-2011, 2013 Todd C. Miller <Todd.Miller@courtesan.com>
|
|
#
|
|
# Permission to use, copy, modify, and distribute this software for any
|
|
# purpose with or without fee is hereby granted, provided that the above
|
|
# copyright notice and this permission notice appear in all copies.
|
|
#
|
|
# THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
|
|
# WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
|
|
# MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
|
|
# ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
|
|
# WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
|
|
# ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
|
|
# OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
|
|
#
|
|
|
|
use strict;
|
|
|
|
#
|
|
# Converts a sudoers file to LDIF format in prepration for loading into
|
|
# the LDAP server.
|
|
#
|
|
|
|
# BUGS:
|
|
# Does not yet handle multiple lines with : in them
|
|
# Does not yet remove quotation marks from options
|
|
# Does not yet escape + at the beginning of a dn
|
|
# Does not yet handle line wraps correctly
|
|
# Does not yet handle multiple roles with same name (needs tiebreaker)
|
|
#
|
|
# CAVEATS:
|
|
# Sudoers entries can have multiple RunAs entries that override former ones,
|
|
# with LDAP sudoRunAs{Group,User} applies to all commands in a sudoRole
|
|
|
|
my %RA;
|
|
my %UA;
|
|
my %HA;
|
|
my %CA;
|
|
my $base=$ENV{SUDOERS_BASE} or die "$0: Container SUDOERS_BASE undefined\n";
|
|
my @options=();
|
|
|
|
my $did_defaults=0;
|
|
my $order = 0;
|
|
|
|
# parse sudoers one line at a time
|
|
while (<>){
|
|
|
|
# remove comment
|
|
s/#.*//;
|
|
|
|
# line continuation
|
|
$_.=<> while s/\\\s*$//s;
|
|
|
|
# cleanup newline
|
|
chomp;
|
|
|
|
# ignore blank lines
|
|
next if /^\s*$/;
|
|
|
|
if (/^Defaults\s+/i) {
|
|
my $opt=$';
|
|
$opt=~s/\s+$//; # remove trailing whitespace
|
|
push @options,$opt;
|
|
} elsif (/^(\S+)\s+([^=]+)=\s*(.*)/) {
|
|
|
|
# Aliases or Definitions
|
|
my ($p1,$p2,$p3)=($1,$2,$3);
|
|
$p2=~s/\s+$//; # remove trailing whitespace
|
|
$p3=~s/\s+$//; # remove trailing whitespace
|
|
|
|
if ($p1 eq "User_Alias") {
|
|
$UA{$p2}=$p3;
|
|
} elsif ($p1 eq "Runas_Alias") {
|
|
$RA{$p2}=$p3;
|
|
} elsif ($p1 eq "Host_Alias") {
|
|
$HA{$p2}=$p3;
|
|
} elsif ($p1 eq "Cmnd_Alias") {
|
|
$CA{$p2}=$p3;
|
|
} else {
|
|
if (!$did_defaults++){
|
|
# do this once
|
|
print "dn: cn=defaults,$base\n";
|
|
print "objectClass: top\n";
|
|
print "objectClass: sudoRole\n";
|
|
print "cn: defaults\n";
|
|
print "description: Default sudoOption's go here\n";
|
|
print "sudoOption: $_\n" foreach @options;
|
|
printf "sudoOrder: %d\n", ++$order;
|
|
print "\n";
|
|
}
|
|
# Definition
|
|
my @users=split /\s*,\s*/,$p1;
|
|
my @hosts=split /\s*,\s*/,$p2;
|
|
my @cmds= split /\s*,\s*/,$p3;
|
|
@options=();
|
|
print "dn: cn=$users[0],$base\n";
|
|
print "objectClass: top\n";
|
|
print "objectClass: sudoRole\n";
|
|
print "cn: $users[0]\n";
|
|
# will clobber options
|
|
print "sudoUser: $_\n" foreach expand(\%UA,@users);
|
|
print "sudoHost: $_\n" foreach expand(\%HA,@hosts);
|
|
foreach (@cmds) {
|
|
if (s/^\(([^\)]+)\)\s*//) {
|
|
my @runas = split(/:\s*/, $1);
|
|
if (defined($runas[0])) {
|
|
print "sudoRunAsUser: $_\n" foreach expand(\%RA, split(/,\s*/, $runas[0]));
|
|
}
|
|
if (defined($runas[1])) {
|
|
print "sudoRunAsGroup: $_\n" foreach expand(\%RA, split(/,\s*/, $runas[1]));
|
|
}
|
|
}
|
|
}
|
|
print "sudoCommand: $_\n" foreach expand(\%CA,@cmds);
|
|
print "sudoOption: $_\n" foreach @options;
|
|
printf "sudoOrder: %d\n", ++$order;
|
|
print "\n";
|
|
}
|
|
|
|
} else {
|
|
print "parse error: $_\n";
|
|
}
|
|
|
|
}
|
|
|
|
#
|
|
# recursively expand hash elements
|
|
sub expand{
|
|
my $ref=shift;
|
|
my @a=();
|
|
|
|
# preen the line a little
|
|
foreach (@_){
|
|
# if NOPASSWD: directive found, mark entire entry as not requiring
|
|
s/NOPASSWD:\s*// && push @options,"!authenticate";
|
|
s/PASSWD:\s*// && push @options,"authenticate";
|
|
s/NOEXEC:\s*// && push @options,"noexec";
|
|
s/EXEC:\s*// && push @options,"!noexec";
|
|
s/SETENV:\s*// && push @options,"setenv";
|
|
s/NOSETENV:\s*// && push @options,"!setenv";
|
|
s/LOG_INPUT:\s*// && push @options,"log_input";
|
|
s/NOLOG_INPUT:\s*// && push @options,"!log_input";
|
|
s/LOG_OUTPUT:\s*// && push @options,"log_output";
|
|
s/NOLOG_OUTPUT:\s*// && push @options,"!log_output";
|
|
s/[[:upper:]]+://; # silently remove other tags
|
|
s/\s+$//; # right trim
|
|
}
|
|
|
|
# do the expanding
|
|
push @a,$ref->{$_} ? expand($ref,split /\s*,\s*/,$ref->{$_}):$_ foreach @_;
|
|
@a;
|
|
}
|