summaryrefslogtreecommitdiffstats
path: root/dirsrv/misc
diff options
context:
space:
mode:
Diffstat (limited to 'dirsrv/misc')
-rw-r--r--dirsrv/misc/sudoers2ldif.pl153
1 files changed, 153 insertions, 0 deletions
diff --git a/dirsrv/misc/sudoers2ldif.pl b/dirsrv/misc/sudoers2ldif.pl
new file mode 100644
index 0000000..a94fa04
--- /dev/null
+++ b/dirsrv/misc/sudoers2ldif.pl
@@ -0,0 +1,153 @@
+#!/usr/bin/env perl
+#
+# Copyright (c) 2007, 2010-2011, 2013 Todd C. Miller <Todd.Miller@courtesan.com>
+#
+# Permission to use, copy, modify, and distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+# WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+# MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+# ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+# WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+# ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+# OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+#
+
+use strict;
+
+#
+# Converts a sudoers file to LDIF format in prepration for loading into
+# the LDAP server.
+#
+
+# BUGS:
+# Does not yet handle multiple lines with : in them
+# Does not yet remove quotation marks from options
+# Does not yet escape + at the beginning of a dn
+# Does not yet handle line wraps correctly
+# Does not yet handle multiple roles with same name (needs tiebreaker)
+#
+# CAVEATS:
+# Sudoers entries can have multiple RunAs entries that override former ones,
+# with LDAP sudoRunAs{Group,User} applies to all commands in a sudoRole
+
+my %RA;
+my %UA;
+my %HA;
+my %CA;
+my $base=$ENV{SUDOERS_BASE} or die "$0: Container SUDOERS_BASE undefined\n";
+my @options=();
+
+my $did_defaults=0;
+my $order = 0;
+
+# parse sudoers one line at a time
+while (<>){
+
+ # remove comment
+ s/#.*//;
+
+ # line continuation
+ $_.=<> while s/\\\s*$//s;
+
+ # cleanup newline
+ chomp;
+
+ # ignore blank lines
+ next if /^\s*$/;
+
+ if (/^Defaults\s+/i) {
+ my $opt=$';
+ $opt=~s/\s+$//; # remove trailing whitespace
+ push @options,$opt;
+ } elsif (/^(\S+)\s+([^=]+)=\s*(.*)/) {
+
+ # Aliases or Definitions
+ my ($p1,$p2,$p3)=($1,$2,$3);
+ $p2=~s/\s+$//; # remove trailing whitespace
+ $p3=~s/\s+$//; # remove trailing whitespace
+
+ if ($p1 eq "User_Alias") {
+ $UA{$p2}=$p3;
+ } elsif ($p1 eq "Runas_Alias") {
+ $RA{$p2}=$p3;
+ } elsif ($p1 eq "Host_Alias") {
+ $HA{$p2}=$p3;
+ } elsif ($p1 eq "Cmnd_Alias") {
+ $CA{$p2}=$p3;
+ } else {
+ if (!$did_defaults++){
+ # do this once
+ print "dn: cn=defaults,$base\n";
+ print "objectClass: top\n";
+ print "objectClass: sudoRole\n";
+ print "cn: defaults\n";
+ print "description: Default sudoOption's go here\n";
+ print "sudoOption: $_\n" foreach @options;
+ printf "sudoOrder: %d\n", ++$order;
+ print "\n";
+ }
+ # Definition
+ my @users=split /\s*,\s*/,$p1;
+ my @hosts=split /\s*,\s*/,$p2;
+ my @cmds= split /\s*,\s*/,$p3;
+ @options=();
+ print "dn: cn=$users[0],$base\n";
+ print "objectClass: top\n";
+ print "objectClass: sudoRole\n";
+ print "cn: $users[0]\n";
+ # will clobber options
+ print "sudoUser: $_\n" foreach expand(\%UA,@users);
+ print "sudoHost: $_\n" foreach expand(\%HA,@hosts);
+ foreach (@cmds) {
+ if (s/^\(([^\)]+)\)\s*//) {
+ my @runas = split(/:\s*/, $1);
+ if (defined($runas[0])) {
+ print "sudoRunAsUser: $_\n" foreach expand(\%RA, split(/,\s*/, $runas[0]));
+ }
+ if (defined($runas[1])) {
+ print "sudoRunAsGroup: $_\n" foreach expand(\%RA, split(/,\s*/, $runas[1]));
+ }
+ }
+ }
+ print "sudoCommand: $_\n" foreach expand(\%CA,@cmds);
+ print "sudoOption: $_\n" foreach @options;
+ printf "sudoOrder: %d\n", ++$order;
+ print "\n";
+ }
+
+ } else {
+ print "parse error: $_\n";
+ }
+
+}
+
+#
+# recursively expand hash elements
+sub expand{
+ my $ref=shift;
+ my @a=();
+
+ # preen the line a little
+ foreach (@_){
+ # if NOPASSWD: directive found, mark entire entry as not requiring
+ s/NOPASSWD:\s*// && push @options,"!authenticate";
+ s/PASSWD:\s*// && push @options,"authenticate";
+ s/NOEXEC:\s*// && push @options,"noexec";
+ s/EXEC:\s*// && push @options,"!noexec";
+ s/SETENV:\s*// && push @options,"setenv";
+ s/NOSETENV:\s*// && push @options,"!setenv";
+ s/LOG_INPUT:\s*// && push @options,"log_input";
+ s/NOLOG_INPUT:\s*// && push @options,"!log_input";
+ s/LOG_OUTPUT:\s*// && push @options,"log_output";
+ s/NOLOG_OUTPUT:\s*// && push @options,"!log_output";
+ s/[[:upper:]]+://; # silently remove other tags
+ s/\s+$//; # right trim
+ }
+
+ # do the expanding
+ push @a,$ref->{$_} ? expand($ref,split /\s*,\s*/,$ref->{$_}):$_ foreach @_;
+ @a;
+}