diff options
Diffstat (limited to 'dirsrv/misc/sudoers2ldif.pl')
| -rw-r--r-- | dirsrv/misc/sudoers2ldif.pl | 153 |
1 files changed, 153 insertions, 0 deletions
diff --git a/dirsrv/misc/sudoers2ldif.pl b/dirsrv/misc/sudoers2ldif.pl new file mode 100644 index 0000000..a94fa04 --- /dev/null +++ b/dirsrv/misc/sudoers2ldif.pl @@ -0,0 +1,153 @@ +#!/usr/bin/env perl +# +# Copyright (c) 2007, 2010-2011, 2013 Todd C. Miller <Todd.Miller@courtesan.com> +# +# Permission to use, copy, modify, and distribute this software for any +# purpose with or without fee is hereby granted, provided that the above +# copyright notice and this permission notice appear in all copies. +# +# THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES +# WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF +# MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR +# ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES +# WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN +# ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF +# OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. +# + +use strict; + +# +# Converts a sudoers file to LDIF format in prepration for loading into +# the LDAP server. +# + +# BUGS: +# Does not yet handle multiple lines with : in them +# Does not yet remove quotation marks from options +# Does not yet escape + at the beginning of a dn +# Does not yet handle line wraps correctly +# Does not yet handle multiple roles with same name (needs tiebreaker) +# +# CAVEATS: +# Sudoers entries can have multiple RunAs entries that override former ones, +# with LDAP sudoRunAs{Group,User} applies to all commands in a sudoRole + +my %RA; +my %UA; +my %HA; +my %CA; +my $base=$ENV{SUDOERS_BASE} or die "$0: Container SUDOERS_BASE undefined\n"; +my @options=(); + +my $did_defaults=0; +my $order = 0; + +# parse sudoers one line at a time +while (<>){ + + # remove comment + s/#.*//; + + # line continuation + $_.=<> while s/\\\s*$//s; + + # cleanup newline + chomp; + + # ignore blank lines + next if /^\s*$/; + + if (/^Defaults\s+/i) { + my $opt=$'; + $opt=~s/\s+$//; # remove trailing whitespace + push @options,$opt; + } elsif (/^(\S+)\s+([^=]+)=\s*(.*)/) { + + # Aliases or Definitions + my ($p1,$p2,$p3)=($1,$2,$3); + $p2=~s/\s+$//; # remove trailing whitespace + $p3=~s/\s+$//; # remove trailing whitespace + + if ($p1 eq "User_Alias") { + $UA{$p2}=$p3; + } elsif ($p1 eq "Runas_Alias") { + $RA{$p2}=$p3; + } elsif ($p1 eq "Host_Alias") { + $HA{$p2}=$p3; + } elsif ($p1 eq "Cmnd_Alias") { + $CA{$p2}=$p3; + } else { + if (!$did_defaults++){ + # do this once + print "dn: cn=defaults,$base\n"; + print "objectClass: top\n"; + print "objectClass: sudoRole\n"; + print "cn: defaults\n"; + print "description: Default sudoOption's go here\n"; + print "sudoOption: $_\n" foreach @options; + printf "sudoOrder: %d\n", ++$order; + print "\n"; + } + # Definition + my @users=split /\s*,\s*/,$p1; + my @hosts=split /\s*,\s*/,$p2; + my @cmds= split /\s*,\s*/,$p3; + @options=(); + print "dn: cn=$users[0],$base\n"; + print "objectClass: top\n"; + print "objectClass: sudoRole\n"; + print "cn: $users[0]\n"; + # will clobber options + print "sudoUser: $_\n" foreach expand(\%UA,@users); + print "sudoHost: $_\n" foreach expand(\%HA,@hosts); + foreach (@cmds) { + if (s/^\(([^\)]+)\)\s*//) { + my @runas = split(/:\s*/, $1); + if (defined($runas[0])) { + print "sudoRunAsUser: $_\n" foreach expand(\%RA, split(/,\s*/, $runas[0])); + } + if (defined($runas[1])) { + print "sudoRunAsGroup: $_\n" foreach expand(\%RA, split(/,\s*/, $runas[1])); + } + } + } + print "sudoCommand: $_\n" foreach expand(\%CA,@cmds); + print "sudoOption: $_\n" foreach @options; + printf "sudoOrder: %d\n", ++$order; + print "\n"; + } + + } else { + print "parse error: $_\n"; + } + +} + +# +# recursively expand hash elements +sub expand{ + my $ref=shift; + my @a=(); + + # preen the line a little + foreach (@_){ + # if NOPASSWD: directive found, mark entire entry as not requiring + s/NOPASSWD:\s*// && push @options,"!authenticate"; + s/PASSWD:\s*// && push @options,"authenticate"; + s/NOEXEC:\s*// && push @options,"noexec"; + s/EXEC:\s*// && push @options,"!noexec"; + s/SETENV:\s*// && push @options,"setenv"; + s/NOSETENV:\s*// && push @options,"!setenv"; + s/LOG_INPUT:\s*// && push @options,"log_input"; + s/NOLOG_INPUT:\s*// && push @options,"!log_input"; + s/LOG_OUTPUT:\s*// && push @options,"log_output"; + s/NOLOG_OUTPUT:\s*// && push @options,"!log_output"; + s/[[:upper:]]+://; # silently remove other tags + s/\s+$//; # right trim + } + + # do the expanding + push @a,$ref->{$_} ? expand($ref,split /\s*,\s*/,$ref->{$_}):$_ foreach @_; + @a; +} |