author | Sumit Bose <sbose@nb.localdomain> | 2008-09-22 15:53:07 +0200 |
---|---|---|
committer | Sumit Bose <sbose@nb.localdomain> | 2008-09-22 15:53:07 +0200 |
commit | 20a43ad2146c07ae6188fa477bf4c8901c155dd6 (patch) | |
tree | afff66860d6fc181508c75248c51244396d75ca8 | |
parent | f7f5223b43aff240cc973dd169ceb6c038785870 (diff) | |
updates and comments
-rw-r--r-- | sudoers/sudoers.rng | 954 | ||||
-rw-r--r-- | sudoers/sudoers.xslt | 574 |
2 files changed, 512 insertions, 1016 deletions
diff --git a/sudoers/sudoers.rng b/sudoers/sudoers.rng
index 7686f1c..e3330fb 100644
--- a/sudoers/sudoers.rng
+++ b/sudoers/sudoers.rng
@@ -1,514 +1,492 @@ -<?xml version="1.0" encoding="UTF-8"?> +<?xml version="1.0" encoding="utf-8"?> <grammar xmlns="http://relaxng.org/ns/structure/1.0" - datatypeLibrary="http://www.w3.org/2001/XMLSchema-datatypes" - xmlns:a="http://freeipa.org/xml/rng/ns/annotations/1.0" - xmlns:ui="http://freeipa.org/xml/rng/ns/ui/1.0"> +datatypeLibrary="http://www.w3.org/2001/XMLSchema-datatypes" +xmlns:a="http://freeipa.org/xml/rng/ns/annotations/1.0" +xmlns:ui="http://freeipa.org/xml/rng/ns/ui/1.0"> - <a:doc> Sudo configuration (/etc/sudoers) </a:doc> + <a:doc>Sudo configuration (/etc/sudoers)</a:doc> + + <a:doc>The following section can be used to register the RNG schema file for the UI</a:doc> + <a:name>sudo</a:name> + <a:description>Creates configuration items for sudo which will be written to /etc/sudoers</a:description> + <a:author>sbose@redhat.com, based on the work of fcusack@redhat.com</a:author> + <a:version>0.5</a:version> <start ns="http://freeipa.org/xml/rng/sudo/sudoers/1.0"> <element name="ipa"> - <oneOrMore> - <element name="sudoers"> - <attribute name="name"/> + + <element name="metadata"> + </element> + + <a:doc>This section describes the associations of a policy, i.e. on which host for what users or groups it should apply. This means, that i a generic policy this section does not exists. 
It is filled when a client downloads his policies based on the association which are valid for this client.</a:doc> + <zeroOrMore> + <element name="association" ui:noDisplay="on"> + <attribute name="name"> + <data type="string"> + <param name="pattern">[A-Za-z0-9_-]{1,16}</param> + </data> + </attribute> <attribute name="type"> <choice> <value>user</value> <value>posixGroup</value> <value>netgroup</value> + <value>host</value> + <value>hostGroup</value> </choice> </attribute> + </element> + </zeroOrMore> - <optional> - <element name="option"> - <oneOrMore> - <choice> - - <!-- flag options --> - - <attribute name="always_set_home" a:defaultValue="off"> - <choice> - <value>on</value> - <value>off</value> - </choice> - </attribute> - - <attribute name="authenticate" a:defaultValue="on"> - <choice> - <value>on</value> - <value>off</value> - </choice> - </attribute> - - <attribute name="env_editor" a:defaultValue="on"> - <choice> - <value>on</value> - <value>off</value> - </choice> - </attribute> - - <attribute name="env_reset" a:defaultValue="off"> - <choice> - <value>on</value> - <value>off</value> - </choice> - </attribute> - - <attribute name="fqdn" a:defaultValue="off"> - <choice> - <value>on</value> - <value>off</value> - </choice> - </attribute> - -<!-- + <a:doc>Here the definition for the generic part of the policy starts.</a:doc> + <oneOrMore> + <element name="sudoers"> + <optional> + <element name="option"> + <oneOrMore> + <choice> + <!-- flag options --> + <element name="always_set_home" + a:defaultValue="off"> + <choice> + <value>on</value> + <value>off</value> + </choice> + </element> + <element name="authenticate" a:defaultValue="on"> + <choice> + <value>on</value> + <value>off</value> + </choice> + </element> + <element name="env_editor" a:defaultValue="on"> + <choice> + <value>on</value> + <value>off</value> + </choice> + </element> + <element name="env_reset" a:defaultValue="off"> + <choice> + <value>on</value> + <value>off</value> + </choice> + 
</element> + <element name="fqdn" a:defaultValue="off"> + <choice> + <value>on</value> + <value>off</value> + </choice> + </element> + <!-- this option is ignored by sudo - <attribute name="ignore_dot" a:defaultValue="on"> + <element name="ignore_dot" a:defaultValue="on"> <choice> <value>on</value> <value>off</value> </choice> - </attribute> ---> - -<!-- global option only --> - <attribute name="ignore_local_sudoers" a:defaultValue="off"> - <choice> - <value>on</value> - <value>off</value> - </choice> - </attribute> - - <attribute name="insults" a:defaultValue="off"> - <choice> - <value>on</value> - <value>off</value> - </choice> - </attribute> - - <attribute name="log_host" a:defaultValue="off"> - <choice> - <value>on</value> - <value>off</value> - </choice> - </attribute> - - <attribute name="log_year" a:defaultValue="off"> - <choice> - <value>on</value> - <value>off</value> - </choice> - </attribute> - - <attribute name="long_otp_prompt" a:defaultValue="off"> - <choice> - <value>on</value> - <value>off</value> - </choice> - </attribute> - - <attribute name="mail_always" a:defaultValue="off"> - <choice> - <value>on</value> - <value>off</value> - </choice> - </attribute> - - <attribute name="mail_badpass" a:defaultValue="off"> - <choice> - <value>on</value> - <value>off</value> - </choice> - </attribute> - - <attribute name="mail_no_host" a:defaultValue="off"> - <choice> - <value>on</value> - <value>off</value> - </choice> - </attribute> - - <attribute name="mail_no_perms" a:defaultValue="off"> - <choice> - <value>on</value> - <value>off</value> - </choice> - </attribute> - - <attribute name="mail_no_user" a:defaultValue="on"> - <choice> - <value>on</value> - <value>off</value> - </choice> - </attribute> - - <attribute name="noexec" a:defaultValue="off"> - <choice> - <value>on</value> - <value>off</value> - </choice> - </attribute> - - <attribute name="path_info" a:defaultValue="off"> - <choice> - <value>on</value> - <value>off</value> - </choice> - </attribute> - 
- <attribute name="passprompt_override" a:defaultValue="off"> - <choice> - <value>on</value> - <value>off</value> - </choice> - </attribute> - - <attribute name="preserve_groups" a:defaultValue="off"> - <choice> - <value>on</value> - <value>off</value> - </choice> - </attribute> - - <attribute name="requiretty" a:defaultValue="off"> - <choice> - <value>on</value> - <value>off</value> - </choice> - </attribute> - - <attribute name="root_sudo" a:defaultValue="on"> - <choice> - <value>on</value> - <value>off</value> - </choice> - </attribute> - - <attribute name="rootpw" a:defaultValue="off"> - <choice> - <value>on</value> - <value>off</value> - </choice> - </attribute> - - <attribute name="runaspw" a:defaultValue="off"> - <choice> - <value>on</value> - <value>off</value> - </choice> - </attribute> - - <attribute name="set_home" a:defaultValue="off"> - <choice> - <value>on</value> - <value>off</value> - </choice> - </attribute> - - <attribute name="set_logname" a:defaultValue="on"> - <choice> - <value>on</value> - <value>off</value> - </choice> - </attribute> - - <attribute name="setenv" a:defaultValue="off"> - <choice> - <value>on</value> - <value>off</value> - </choice> - </attribute> - - <attribute name="shell_noargs" a:defaultValue="off"> - <choice> - <value>on</value> - <value>off</value> - </choice> - </attribute> - - <attribute name="stay_setuid" a:defaultValue="off"> - <choice> - <value>on</value> - <value>off</value> - </choice> - </attribute> - - <attribute name="targetpw" a:defaultValue="off"> - <choice> - <value>on</value> - <value>off</value> - </choice> - </attribute> - - <attribute name="tty_tickets" a:defaultValue="off"> - <choice> - <value>on</value> - <value>off</value> - </choice> - </attribute> - - <!-- integer options --> - - <attribute name="passwd_tries" a:defaultValue="3"> - <data type="integer"> - <param name="minInclusive"> 1 </param> - <param name="maxInclusive"> 65535 </param> <!-- ??? 
--> - </data> - </attribute> - - <!-- integer/boolean options --> - - <attribute name="loglinelen" a:defaultValue="80"> - <data type="integer"> - <param name="minInclusive"> 0 </param> - <param name="maxInclusive"> 65535 </param> <!-- ??? --> - </data> - </attribute> - - <attribute name="passwd_timeout" a:defaultValue="0"> - <data type="integer"> - <param name="minInclusive"> 0 </param> - <param name="maxInclusive"> 65535 </param> <!-- ??? --> - </data> - </attribute> - - <attribute name="timestamp_timeout" a:defaultValue="5"> - <data type="integer"> - <param name="minInclusive"> -1 </param> - <param name="maxInclusive"> 65535 </param> <!-- ??? --> - </data> - </attribute> - - <attribute name="umask" a:defaultValue="0022"> - <data type="string"> - <param name="pattern">(0[0-7]{3})</param> - </data> - </attribute> - - <!-- string options --> - <attribute name="badpass_message" a:defaultValue="Sorry, try again."> - <text/> - </attribute> - - <attribute name="editor" a:defaultValue="/PATH/TO/VI"> - <!-- NOTE: absolute path not required --> - <text/> - </attribute> - - <attribute name="mailsub" - a:defaultValue="*** SECURITY information for %h ***"> - <text/> - </attribute> - - <attribute name="noexec_file" a:defaultValue="/PATH/TO/SUDO_NOEXEC.SO"> - <data type="string"> - <param name="pattern">/.*</param> - </data> - </attribute> - - <attribute name="passprompt" a:defaultValue="Password:"> - <text/> - </attribute> - - <attribute name="role" a:defaultValue=""> - <text/> - </attribute> - - <attribute name="runas_default" a:defaultValue="root"> - <data type="string"> - <param name="pattern">[A-Za-z0-9_-]{1,16}</param> - </data> - - </attribute> - - <attribute name="syslog_badpri" a:defaultValue="alert"> - <choice> - <value>emerg</value> - <value>alert</value> - <value>crit</value> - <value>err</value> - <value>warning</value> - <value>notice</value> - <value>info</value> - <value>debug</value> - </choice> - </attribute> - - <attribute name="syslog_goodpri" 
a:defaultValue="notice"> - <choice> - <value>emerg</value> - <value>alert</value> - <value>crit</value> - <value>err</value> - <value>warning</value> - <value>notice</value> - <value>info</value> - <value>debug</value> - </choice> - </attribute> - - <attribute name="timestampdir" a:defaultValue="/var/db/sudo"> - <data type="string"> - <param name="pattern">/.*</param> - </data> - </attribute> - - <attribute name="timestampowner" a:defaultValue="root"> - <data type="string"> - <param name="pattern">[A-Za-z0-9_-]{1,16}</param> - </data> - - </attribute> - - <attribute name="type" a:defaultValue=""> - <text/> - </attribute> - - <!-- string/boolean options --> - -<!-- possibly bad option for us --> - <attribute name="exempt_group" a:defaultValue="off"> - <text/> - </attribute> - - <attribute name="lecture" a:defaultValue="once"> - <choice> - <value>always</value> - <value>never</value> - <value>once</value> - </choice> - </attribute> - - <attribute name="lecture_file" a:defaultValue="built-in"> - <data type="string"> - <param name="pattern">(/.*|built-in)</param> - </data> - </attribute> - -<!-- possibly bad for us --> - <attribute name="listpw" a:defaultValue="any"> - <choice> - <value>all</value> - <value>always</value> - <value>any</value> - <value>never</value> - </choice> - </attribute> - - <attribute name="logfile" a:defaultValue="off"> - <data type="string"> - <param name="pattern">(/.*|off)</param> - </data> - </attribute> - - <attribute name="mailerflags" a:defaultValue="-t"> - <text/> - </attribute> - - <attribute name="mailerpath" a:defaultValue="/PATH/TO/SENDMAIL"> - <text/> - </attribute> - - <attribute name="syslog" a:defaultValue="authpriv"> - <choice> - <value>auth</value> - <value>authpriv</value> - <value>daemon</value> - <value>user</value> - <value>local0</value> - <value>local1</value> - <value>local2</value> - <value>local3</value> - <value>local4</value> - <value>local5</value> - <value>local6</value> - <value>local7</value> - <value>off</value> 
- </choice> - </attribute> - - <attribute name="verifypw" a:defaultValue="all"> - <choice> - <value>all</value> - <value>always</value> - <value>any</value> - <value>never</value> - </choice> - </attribute> - - <!-- list/boolean options --> - - <attribute name="env_check" a:defaultValue=""> - <list> - <oneOrMore> - <data type="string"/> - </oneOrMore> - </list> - </attribute> - - <attribute name="env_delete" a:defaultValue=""> - <list> - <oneOrMore> - <data type="string"/> - </oneOrMore> - </list> - </attribute> - - <attribute name="env_keep" a:defaultValue=""> - <list> - <oneOrMore> - <data type="string"/> - </oneOrMore> - </list> - </attribute> - - </choice> - </oneOrMore> </element> - </optional> - - <zeroOrMore> - <element name="command"> - - <element name="path"> - <text/> - </element> - - <zeroOrMore> - <element name="args"> - <text/> - </element> - </zeroOrMore> - - <zeroOrMore> - <element name="tag"> - <choice> - <value>NOPASSWD</value> - <value>PASSWD</value> - <value>NOEXEC</value> - <value>EXEC</value> - <value>SETENV</value> - <value>NOSETENV</value> - </choice> +--> + <!-- global option only --> + <element name="ignore_local_sudoers" + a:defaultValue="off"> + <choice> + <value>on</value> + <value>off</value> + </choice> + </element> + <element name="insults" a:defaultValue="off"> + <choice> + <value>on</value> + <value>off</value> + </choice> + </element> + <element name="log_host" a:defaultValue="off"> + <choice> + <value>on</value> + <value>off</value> + </choice> + </element> + <element name="log_year" a:defaultValue="off"> + <choice> + <value>on</value> + <value>off</value> + </choice> + </element> + <element name="long_otp_prompt" + a:defaultValue="off"> + <choice> + <value>on</value> + <value>off</value> + </choice> + </element> + <element name="mail_always" a:defaultValue="off"> + <choice> + <value>on</value> + <value>off</value> + </choice> + </element> + <element name="mail_badpass" + a:defaultValue="off"> + <choice> + <value>on</value> + 
<value>off</value> + </choice> + </element> + <element name="mail_no_host" + a:defaultValue="off"> + <choice> + <value>on</value> + <value>off</value> + </choice> + </element> + <element name="mail_no_perms" + a:defaultValue="off"> + <choice> + <value>on</value> + <value>off</value> + </choice> + </element> + <element name="mail_no_user" a:defaultValue="on"> + <choice> + <value>on</value> + <value>off</value> + </choice> + </element> + <element name="noexec" a:defaultValue="off"> + <choice> + <value>on</value> + <value>off</value> + </choice> + </element> + <element name="path_info" a:defaultValue="off"> + <choice> + <value>on</value> + <value>off</value> + </choice> + </element> + <element name="passprompt_override" + a:defaultValue="off"> + <choice> + <value>on</value> + <value>off</value> + </choice> + </element> + <element name="preserve_groups" + a:defaultValue="off"> + <choice> + <value>on</value> + <value>off</value> + </choice> + </element> + <element name="requiretty" a:defaultValue="off"> + <choice> + <value>on</value> + <value>off</value> + </choice> + </element> + <element name="root_sudo" a:defaultValue="on"> + <choice> + <value>on</value> + <value>off</value> + </choice> + </element> + <element name="rootpw" a:defaultValue="off"> + <choice> + <value>on</value> + <value>off</value> + </choice> + </element> + <element name="runaspw" a:defaultValue="off"> + <choice> + <value>on</value> + <value>off</value> + </choice> + </element> + <element name="set_home" a:defaultValue="off"> + <choice> + <value>on</value> + <value>off</value> + </choice> + </element> + <element name="set_logname" a:defaultValue="on"> + <choice> + <value>on</value> + <value>off</value> + </choice> + </element> + <element name="setenv" a:defaultValue="off"> + <choice> + <value>on</value> + <value>off</value> + </choice> + </element> + <element name="shell_noargs" + a:defaultValue="off"> + <choice> + <value>on</value> + <value>off</value> + </choice> + </element> + <element 
name="stay_setuid" a:defaultValue="off"> + <choice> + <value>on</value> + <value>off</value> + </choice> + </element> + <element name="targetpw" a:defaultValue="off"> + <choice> + <value>on</value> + <value>off</value> + </choice> + </element> + <element name="tty_tickets" a:defaultValue="off"> + <choice> + <value>on</value> + <value>off</value> + </choice> + </element> + <!-- integer options --> + <element name="passwd_tries" a:defaultValue="3"> + <data type="integer"> + <param name="minInclusive">1</param> + <param name="maxInclusive">65535</param> + <!-- ??? --> + </data> + </element> + <!-- integer/boolean options --> + <element name="loglinelen" a:defaultValue="80"> + <data type="integer"> + <param name="minInclusive">0</param> + <param name="maxInclusive">65535</param> + <!-- ??? --> + </data> + </element> + <element name="passwd_timeout" + a:defaultValue="0"> + <data type="integer"> + <param name="minInclusive">0</param> + <param name="maxInclusive">65535</param> + <!-- ??? --> + </data> + </element> + <element name="timestamp_timeout" + a:defaultValue="5"> + <data type="integer"> + <param name="minInclusive">-1</param> + <param name="maxInclusive">65535</param> + <!-- ??? 
--> + </data> + </element> + <element name="umask" a:defaultValue="0022"> + <data type="string"> + <param name="pattern">(0[0-7]{3})</param> + </data> + </element> + <!-- string options --> + <element name="badpass_message" + a:defaultValue="Sorry, try again."> + <text /> + </element> + <element name="editor" + a:defaultValue="/PATH/TO/VI"> + <!-- NOTE: absolute path not required --> + <text /> + </element> + <element name="mailsub" + a:defaultValue="*** SECURITY information for %h ***"> + + <text /> + </element> + <element name="noexec_file" + a:defaultValue="/PATH/TO/SUDO_NOEXEC.SO"> + <data type="string"> + <param name="pattern">/.*</param> + </data> + </element> + <element name="passprompt" + a:defaultValue="Password:"> + <text /> + </element> + <element name="role" a:defaultValue=""> + <text /> + </element> + <element name="runas_default" + a:defaultValue="root"> + <data type="string"> + <param name="pattern"> + [A-Za-z0-9_-]{1,16}</param> + </data> + </element> + <element name="syslog_badpri" + a:defaultValue="alert"> + <choice> + <value>emerg</value> + <value>alert</value> + <value>crit</value> + <value>err</value> + <value>warning</value> + <value>notice</value> + <value>info</value> + <value>debug</value> + </choice> + </element> + <element name="syslog_goodpri" + a:defaultValue="notice"> + <choice> + <value>emerg</value> + <value>alert</value> + <value>crit</value> + <value>err</value> + <value>warning</value> + <value>notice</value> + <value>info</value> + <value>debug</value> + </choice> + </element> + <element name="timestampdir" + a:defaultValue="/var/db/sudo"> + <data type="string"> + <param name="pattern">/.*</param> + </data> + </element> + <element name="timestampowner" + a:defaultValue="root"> + <data type="string"> + <param name="pattern"> + [A-Za-z0-9_-]{1,16}</param> + </data> + </element> + <element name="type" a:defaultValue=""> + <text /> + </element> + <!-- string/boolean options --> + <!-- possibly bad option for us --> + <element 
name="exempt_group" + a:defaultValue="off"> + <text /> + </element> + <element name="lecture" a:defaultValue="once"> + <choice> + <value>always</value> + <value>never</value> + <value>once</value> + </choice> + </element> + <element name="lecture_file" + a:defaultValue="built-in"> + <data type="string"> + <param name="pattern">(/.*|built-in)</param> + </data> + </element> + <!-- possibly bad for us --> + <element name="listpw" a:defaultValue="any"> + <choice> + <value>all</value> + <value>always</value> + <value>any</value> + <value>never</value> + </choice> + </element> + <element name="logfile" a:defaultValue="off"> + <data type="string"> + <param name="pattern">(/.*|off)</param> + </data> + </element> + <element name="mailerflags" a:defaultValue="-t"> + <text /> + </element> + <element name="mailerpath" + a:defaultValue="/PATH/TO/SENDMAIL"> + <text /> + </element> + <element name="syslog" a:defaultValue="authpriv"> + <choice> + <value>auth</value> + <value>authpriv</value> + <value>daemon</value> + <value>user</value> + <value>local0</value> + <value>local1</value> + <value>local2</value> + <value>local3</value> + <value>local4</value> + <value>local5</value> + <value>local6</value> + <value>local7</value> + <value>off</value> + </choice> + </element> + <element name="verifypw" a:defaultValue="all"> + <choice> + <value>all</value> + <value>always</value> + <value>any</value> + <value>never</value> + </choice> + </element> + <!-- list/boolean options --> + <element name="env_check" a:defaultValue=""> + <list> + <oneOrMore> + <data type="string" /> + </oneOrMore> + </list> + </element> + <element name="env_delete" a:defaultValue=""> + <list> + <oneOrMore> + <data type="string" /> + </oneOrMore> + </list> + </element> + <element name="env_keep" a:defaultValue=""> + <list> + <oneOrMore> + <data type="string" /> + </oneOrMore> + </list> + </element> + </choice> + </oneOrMore> </element> - </zeroOrMore> - -<!-- XXX actually needs to be user,group,netgroup --> + 
</optional> <zeroOrMore> - <element name="runas"> - <data type="string"> - <param name="pattern">[A-Za-z0-9_-]{1,16}</param> - </data> - + <element name="command"> + <element name="path"> + <text /> + </element> + <zeroOrMore> + <element name="args"> + <text /> + </element> + </zeroOrMore> + <zeroOrMore> + <element name="tag"> + <choice> + <value>NOPASSWD</value> + <value>PASSWD</value> + <value>NOEXEC</value> + <value>EXEC</value> + <value>SETENV</value> + <value>NOSETENV</value> + </choice> + </element> + </zeroOrMore> + <!-- XXX actually needs to be user,group,netgroup --> + <zeroOrMore> + <element name="runas"> + <data type="string"> + <param name="pattern">[A-Za-z0-9_-]{1,16}</param> + </data> + </element> + </zeroOrMore> </element> + <!-- command --> </zeroOrMore> - - </element> <!-- command --> - </zeroOrMore> - - </element> <!-- sudoers --> + </element> + <!-- sudoers --> </oneOrMore> - </element> <!-- ipa --> + </element> + <!-- ipa --> </start> </grammar> - diff --git a/sudoers/sudoers.xslt b/sudoers/sudoers.xslt index 4b19e51..ab6bd67 100644 --- a/sudoers/sudoers.xslt +++ b/sudoers/sudoers.xslt @@ -3,12 +3,7 @@ xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:md="http://freeipa.org/xsl/metadata/1.0" - xmlns:ipa10="http://freeipa.org/xml/rng/ipa/1.0" - xmlns:user10="http://freeipa.org/xml/rng/user/1.0" - xmlns:group10="http://freeipa.org/xml/rng/posixGroup/1.0" - xmlns:netgroup10="http://freeipa.org/xml/rng/netgroup/1.0" - xmlns:sudoOptions10="http://freeipa.org/xml/rng/sudo/sudoOptions/1.0" - xmlns:sudoers10="http://freeipa.org/xml/rng/sudo/sudoers/1.0"> + xmlns:sudoers="http://freeipa.org/xml/rng/sudo/sudoers/1.0"> <md:output_file name="/etc/sudoers" owner="root" group="root" permission="440"/> <xsl:output method="text" indent="no"/> @@ -16,551 +11,74 @@ <xsl:template match="/"> <xsl:text># IPA generated /etc/sudoers: DO NOT EDIT
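Review bot: The new `command` element still accepts `path` and `args` as unconstrained `<text />`, although the stylesheet changed in this same commit writes them verbatim into /etc/sudoers; a value containing a newline, `,`, `:` or `=` therefore alters the parsed rule instead of being rejected at validation time, and a relative path passes although the grammar already pins `noexec_file` and `timestampdir` to `/.*`. I would constrain `path` like the other path options, e.g. `<data type="string"><param name="pattern">(/[^\s,:=]+|ALL)</param></data>` (if `ALL` is meant to be expressible), and at least forbid line breaks in `args` with `<param name="pattern">[^\r\n]*</param>`. The same concern applies to `editor` and `mailerpath`, which name programs sudo invokes with root privileges but are plain `<text />` here, so a relative name is accepted. Separately, `<sudoers>` has lost its `name` and `type` attributes (they moved to `association`), while the `sudoers:sudoers` template in sudoers.xslt still selects `@name` and `@type`, so the generated user specification will presumably be empty unless the client re-attaches them; an `<a:doc>` on `<sudoers>` stating who is expected to supply these attributes would make the contract explicit.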

</xsl:text> - <xsl:apply-templates select="ipa10:ipa"/> + <xsl:apply-templates select="sudoers:ipa"/> </xsl:template> - <xsl:template match="ipa10:ipa"> + <xsl:template match="sudoers:ipa"> <xsl:apply-templates> - <xsl:with-param name="users" select="''"/> + <xsl:with-param name="sudoers:sudoers" select="''"/> </xsl:apply-templates> </xsl:template> - <xsl:template match="user10:user"> - <xsl:param name="users"/> - <xsl:variable name="uids"> - <xsl:call-template name="tokenize"> - <xsl:with-param name="s" select="@uids"/> - </xsl:call-template> - </xsl:variable> - - <xsl:variable name="space"> - <xsl:choose> - <xsl:when test="$users = ''"> - </xsl:when> - <xsl:otherwise> - <xsl:text> </xsl:text> - </xsl:otherwise> - </xsl:choose> - </xsl:variable> - <xsl:apply-templates> - <xsl:with-param name="users" select="concat($users, $space, $uids)"/> - </xsl:apply-templates> - - </xsl:template> - - <xsl:template match="group10:posixGroup"> - <xsl:param name="users"/> - <xsl:variable name="gids"> - <xsl:call-template name="tokenize"> - <xsl:with-param name="s" select="@gids"/> - <xsl:with-param name="prefix" select="'%'"/> + <xsl:template match="sudoers:sudoers"> + <xsl:variable name="name"> + <xsl:call-template name="format_name"> + <xsl:with-param name="name" select="@name"/> + <xsl:with-param name="type" select="@type"/> </xsl:call-template> </xsl:variable> - <xsl:variable name="space"> - <xsl:choose> - <xsl:when test="$users = ''"> - </xsl:when> - <xsl:otherwise> - <xsl:text> </xsl:text> - </xsl:otherwise> - </xsl:choose> - </xsl:variable> - - <xsl:apply-templates> - <xsl:with-param name="users" select="concat($users, $space, $gids)"/> + <xsl:apply-templates select="sudoers:command"> + <xsl:with-param name="name" select="$name"/> </xsl:apply-templates> </xsl:template> - <xsl:template match="netgroup10:netgroup"> - <xsl:param name="users"/> - <xsl:variable name="netgroups"> - <xsl:call-template name="tokenize"> - <!--<xsl:with-param name="s" select="@netgroup"/> --> - 
<xsl:with-param name="s" select="@groupnames"/> - <xsl:with-param name="prefix" select="'+'"/> + <xsl:template match="sudoers:command"> + <xsl:param name="name"/> + <xsl:variable name="command" select="sudoers:path"/> + <xsl:variable name="runas" select="sudoers:runas"/> + <xsl:variable name="tag"> + <xsl:call-template name="format_tag"> + <xsl:with-param name="tag" select="sudoers:tag"/> </xsl:call-template> </xsl:variable> - <xsl:variable name="space"> - <xsl:choose> - <xsl:when test="$users = ''"> - </xsl:when> - <xsl:otherwise> - <xsl:text> </xsl:text> - </xsl:otherwise> - </xsl:choose> - </xsl:variable> - - <xsl:apply-templates> - <xsl:with-param name="users" select="concat($users, $space, $netgroups)"/> - </xsl:apply-templates> - </xsl:template> - - <xsl:template match="sudoOptions10:sudoOptions"> - <xsl:param name="users"/> - - <xsl:call-template name="defaults"> - <xsl:with-param name="users" select="$users"/> - </xsl:call-template> - <xsl:apply-templates> - <xsl:with-param name="users" select="$users"/> - </xsl:apply-templates> - </xsl:template> - - <xsl:template match="sudoers10:sudoers"> - <xsl:param name="users"/> - <!-- Add this if <sudoers> is allowed to carry option (Defaults) attributes - <xsl:call-template name="defaults"/> - --> - <xsl:apply-templates select="sudoers10:command"> - <xsl:with-param name="users" select="$users"/> - </xsl:apply-templates> - </xsl:template> - - <xsl:template match="sudoers10:command"> - <xsl:param name="users"/> - - <xsl:variable name="runas"> - <xsl:choose> - <xsl:when test="sudoers10:runas"> - <xsl:for-each select="sudoers10:runas"> - <xsl:if test="position() > 1"> - <xsl:text>,</xsl:text> - </xsl:if> - <xsl:value-of select="."/> - </xsl:for-each> - </xsl:when> - <xsl:otherwise> - <xsl:value-of select="'ALL'"/> - </xsl:otherwise> - </xsl:choose> - </xsl:variable> - - <xsl:variable name="tags"> - <xsl:choose> - <xsl:when test="sudoers10:tag"> - <xsl:call-template name="tokenize"> - <xsl:with-param name="s" 
select="sudoers10:tag"/> - <xsl:with-param name="suffix" select="':'"/> - </xsl:call-template> - <!-- Include a trailing space for easier output formatting. --> - <xsl:text> </xsl:text> - </xsl:when> - <xsl:otherwise> - <xsl:value-of select="''"/> - </xsl:otherwise> - </xsl:choose> - </xsl:variable> - - <xsl:variable name="command" select="sudoers10:path"/> - <xsl:variable name="args" select="sudoers10:args"/> - - <!-- - user|%group|+netgroup.USER HOST|+netgroup.HOST = (runas) tags: commands - runas::= user|#uid|%group|+netgroup.USER - --> - <xsl:call-template name="tokenize"> - <xsl:with-param name="s" select="$users"/> - <xsl:with-param name="suffix"> - <xsl:text> </xsl:text> - <xsl:text>ALL</xsl:text> - <xsl:text> = (</xsl:text> - <xsl:value-of select="$runas"/> - <xsl:text>) </xsl:text> - <xsl:value-of select="$tags"/> - <xsl:value-of select="$command"/> - <xsl:text> </xsl:text> - <xsl:value-of select="$args"/> - </xsl:with-param> - <xsl:with-param name="separator" select="'
'"/> - </xsl:call-template> - - <xsl:text>
</xsl:text> - </xsl:template> - - <xsl:template name="defaults"> - <xsl:param name="users"/> - - <xsl:for-each select="@*"> - <xsl:variable name="var" select="name()"/> - <xsl:variable name="val" select="."/> - <xsl:variable name="prefix"> - <xsl:choose> - <xsl:when test="$users = ''"> - <xsl:text>Defaults</xsl:text> - </xsl:when> - <xsl:otherwise> - <xsl:text>Defaults:</xsl:text> - </xsl:otherwise> - </xsl:choose> - </xsl:variable> - - <xsl:call-template name="tokenize"> - <xsl:with-param name="s" select="$users"/> - <xsl:with-param name="prefix"> - <xsl:choose> - <xsl:when test="$users = ''"> - <xsl:text>Defaults</xsl:text> - </xsl:when> - <xsl:otherwise> - <xsl:text>Defaults:</xsl:text> - </xsl:otherwise> - </xsl:choose> - </xsl:with-param> - <xsl:with-param name="suffix"> - <xsl:text> </xsl:text> - - <xsl:choose> - <!-- boolean handling --> - - <xsl:when test="name() = 'always_set_home'"> - <xsl:if test=". = 'off'"> - <xsl:text>!</xsl:text> - </xsl:if> - <xsl:value-of select="name()"/> - </xsl:when> - - <xsl:when test="name() = 'authenticate'"> - <xsl:if test=". = 'off'"> - <xsl:text>!</xsl:text> - </xsl:if> - <xsl:value-of select="name()"/> - </xsl:when> - - <xsl:when test="name() = 'env_editor'"> - <xsl:if test=". = 'off'"> - <xsl:text>!</xsl:text> - </xsl:if> - <xsl:value-of select="name()"/> - </xsl:when> - - <xsl:when test="name() = 'env_reset'"> - <xsl:if test=". = 'off'"> - <xsl:text>!</xsl:text> - </xsl:if> - <xsl:value-of select="name()"/> - </xsl:when> - - <xsl:when test="name() = 'fqdn'"> - <xsl:if test=". = 'off'"> - <xsl:text>!</xsl:text> - </xsl:if> - <xsl:value-of select="name()"/> - </xsl:when> - - <xsl:when test="name() = 'ignore_local_sudoers'"> - <xsl:if test=". = 'off'"> - <xsl:text>!</xsl:text> - </xsl:if> - <xsl:value-of select="name()"/> - </xsl:when> - - <xsl:when test="name() = 'insults'"> - <xsl:if test=". 
= 'off'"> - <xsl:text>!</xsl:text> - </xsl:if> - <xsl:value-of select="name()"/> - </xsl:when> - - <xsl:when test="name() = 'log_host'"> - <xsl:if test=". = 'off'"> - <xsl:text>!</xsl:text> - </xsl:if> - <xsl:value-of select="name()"/> - </xsl:when> - - <xsl:when test="name() = 'log_year'"> - <xsl:if test=". = 'off'"> - <xsl:text>!</xsl:text> - </xsl:if> - <xsl:value-of select="name()"/> - </xsl:when> - - <xsl:when test="name() = 'long_otp_prompt'"> - <xsl:if test=". = 'off'"> - <xsl:text>!</xsl:text> - </xsl:if> - <xsl:value-of select="name()"/> - </xsl:when> - - <xsl:when test="name() = 'mail_always'"> - <xsl:if test=". = 'off'"> - <xsl:text>!</xsl:text> - </xsl:if> - <xsl:value-of select="name()"/> - </xsl:when> - - <xsl:when test="name() = 'mail_badpass'"> - <xsl:if test=". = 'off'"> - <xsl:text>!</xsl:text> - </xsl:if> - <xsl:value-of select="name()"/> - </xsl:when> - - <xsl:when test="name() = 'mail_no_host'"> - <xsl:if test=". = 'off'"> - <xsl:text>!</xsl:text> - </xsl:if> - <xsl:value-of select="name()"/> - </xsl:when> - - <xsl:when test="name() = 'mail_no_perms'"> - <xsl:if test=". = 'off'"> - <xsl:text>!</xsl:text> - </xsl:if> - <xsl:value-of select="name()"/> - </xsl:when> - - <xsl:when test="name() = 'mail_no_user'"> - <xsl:if test=". = 'off'"> - <xsl:text>!</xsl:text> - </xsl:if> - <xsl:value-of select="name()"/> - </xsl:when> - - <xsl:when test="name() = 'noexec'"> - <xsl:if test=". = 'off'"> - <xsl:text>!</xsl:text> - </xsl:if> - <xsl:value-of select="name()"/> - </xsl:when> - - <xsl:when test="name() = 'path_info'"> - <xsl:if test=". = 'off'"> - <xsl:text>!</xsl:text> - </xsl:if> - <xsl:value-of select="name()"/> - </xsl:when> - - <xsl:when test="name() = 'passprompt_override'"> - <xsl:if test=". = 'off'"> - <xsl:text>!</xsl:text> - </xsl:if> - <xsl:value-of select="name()"/> - </xsl:when> - - <xsl:when test="name() = 'preserve_groups'"> - <xsl:if test=". 
= 'off'"> - <xsl:text>!</xsl:text> - </xsl:if> - <xsl:value-of select="name()"/> - </xsl:when> - - <xsl:when test="name() = 'requiretty'"> - <xsl:if test=". = 'off'"> - <xsl:text>!</xsl:text> - </xsl:if> - <xsl:value-of select="name()"/> - </xsl:when> - - <xsl:when test="name() = 'root_sudo'"> - <xsl:if test=". = 'off'"> - <xsl:text>!</xsl:text> - </xsl:if> - <xsl:value-of select="name()"/> - </xsl:when> - - <xsl:when test="name() = 'rootpw'"> - <xsl:if test=". = 'off'"> - <xsl:text>!</xsl:text> - </xsl:if> - <xsl:value-of select="name()"/> - </xsl:when> - - <xsl:when test="name() = 'runaspw'"> - <xsl:if test=". = 'off'"> - <xsl:text>!</xsl:text> - </xsl:if> - <xsl:value-of select="name()"/> - </xsl:when> - - <xsl:when test="name() = 'set_home'"> - <xsl:if test=". = 'off'"> - <xsl:text>!</xsl:text> - </xsl:if> - <xsl:value-of select="name()"/> - </xsl:when> - - <xsl:when test="name() = 'set_logname'"> - <xsl:if test=". = 'off'"> - <xsl:text>!</xsl:text> - </xsl:if> - <xsl:value-of select="name()"/> - </xsl:when> - - <xsl:when test="name() = 'setenv'"> - <xsl:if test=". = 'off'"> - <xsl:text>!</xsl:text> - </xsl:if> - <xsl:value-of select="name()"/> - </xsl:when> - - <xsl:when test="name() = 'shell_noargs'"> - <xsl:if test=". = 'off'"> - <xsl:text>!</xsl:text> - </xsl:if> - <xsl:value-of select="name()"/> - </xsl:when> - - <xsl:when test="name() = 'stay_setuid'"> - <xsl:if test=". = 'off'"> - <xsl:text>!</xsl:text> - </xsl:if> - <xsl:value-of select="name()"/> - </xsl:when> - - <xsl:when test="name() = 'targetpw'"> - <xsl:if test=". = 'off'"> - <xsl:text>!</xsl:text> - </xsl:if> - <xsl:value-of select="name()"/> - </xsl:when> - - <xsl:when test="name() = 'ttytickets'"> - <xsl:if test=". = 'off'"> - <xsl:text>!</xsl:text> - </xsl:if> - <xsl:value-of select="name()"/> - </xsl:when> - - <!-- boolean/string handling --> - - <xsl:when test="name() = 'syslog'"> - <xsl:choose> - <xsl:when test=". 
= 'off'">
- <xsl:text>!</xsl:text>
- <xsl:value-of select="name()"/>
- </xsl:when>
- <xsl:otherwise>
- <xsl:value-of select="name()"/>
- <xsl:text>=</xsl:text>
- <xsl:value-of select="."/>
- </xsl:otherwise>
- </xsl:choose>
- </xsl:when>
-
- <!-- quoted/list handling -->
-
- <xsl:when test="name() = 'badpass_message'">
- <xsl:value-of select="$var"/>
- <xsl:text>= "</xsl:text>
- <xsl:value-of select="$val"/>
- <xsl:text>"</xsl:text>
- </xsl:when>
-
- <xsl:when test="name() = 'mailsub'">
- <xsl:value-of select="$var"/>
- <xsl:text>= "</xsl:text>
- <xsl:value-of select="$val"/>
- <xsl:text>"</xsl:text>
- </xsl:when>
-
- <xsl:when test="name() = 'passprompt'">
- <xsl:value-of select="$var"/>
- <xsl:text>= "</xsl:text>
- <xsl:value-of select="$val"/>
- <xsl:text>"</xsl:text>
- </xsl:when>
-
- <xsl:when test="name() = 'role'">
- <xsl:value-of select="$var"/>
- <xsl:text>= "</xsl:text>
- <xsl:value-of select="$val"/>
- <xsl:text>"</xsl:text>
- </xsl:when>
-
- <xsl:when test="name() = 'mailerflags'">
- <xsl:value-of select="$var"/>
- <xsl:text>= "</xsl:text>
- <xsl:value-of select="$val"/>
- <xsl:text>"</xsl:text>
- </xsl:when>
-
- <xsl:when test="name() = 'env_check'">
- <xsl:value-of select="$var"/>
- <xsl:text>= "</xsl:text>
- <xsl:value-of select="$val"/>
- <xsl:text>"</xsl:text>
- </xsl:when>
-
- <xsl:when test="name() = 'env_delete'">
- <xsl:value-of select="$var"/>
- <xsl:text>= "</xsl:text>
- <xsl:value-of select="$val"/>
- <xsl:text>"</xsl:text>
- </xsl:when>
-
- <xsl:when test="name() = 'env_keep'">
- <xsl:value-of select="$var"/>
- <xsl:text>= "</xsl:text>
- <xsl:value-of select="$val"/>
- <xsl:text>"</xsl:text>
- </xsl:when>
-
- <!-- default handling -->
- <xsl:otherwise>
- <xsl:value-of select="name()"/>
- <xsl:text>=</xsl:text>
- <xsl:value-of select="."/>
- </xsl:otherwise>
-
- </xsl:choose>
-
- <xsl:text>
</xsl:text> - </xsl:with-param> - <xsl:with-param name="separator" select="''"/> - </xsl:call-template> - + <xsl:value-of select="$name"/> + <xsl:text>=</xsl:text> + <xsl:if test="$runas != ''"> + <xsl:text>(</xsl:text> + <xsl:value-of select="$runas"/> + <xsl:text>)</xsl:text> + </xsl:if> + <xsl:text> </xsl:text> + <xsl:value-of select="$tag"/> + <xsl:text> </xsl:text> + <xsl:value-of select="$command"/> <xsl:text>
</xsl:text> - </xsl:for-each> </xsl:template> - <xsl:template name="tokenize"> - <xsl:param name="s" select="."/> - <xsl:param name="delim" select="' '"/> - <xsl:param name="prefix" select="''"/> - <xsl:param name="suffix" select="''"/> - <xsl:param name="separator" select="' '"/> - <xsl:param name="action" select="'output'"/> - <xsl:param name="first" select="true()"/> + <xsl:template name="format_name"> + <xsl:param name="name"/> + <xsl:param name="type"/> <xsl:choose> - <xsl:when test="contains($s, $delim)"> - <xsl:choose> - <xsl:when test="$action = 'output'"> - <xsl:if test="$first != true()"> - <xsl:value-of select="$separator"/> - </xsl:if> - <xsl:value-of select="$prefix"/> - <xsl:value-of select="substring-before($s, $delim)"/> - <xsl:value-of select="$suffix"/> - </xsl:when> - </xsl:choose> - <xsl:call-template name="tokenize"> - <xsl:with-param name="first" select="false()"/> - <xsl:with-param name="s" select="substring-after($s, $delim)"/> - <xsl:with-param name="delim" select="$delim"/> - <xsl:with-param name="prefix" select="$prefix"/> - <xsl:with-param name="suffix" select="$suffix"/> - <xsl:with-param name="separator" select="$separator"/> - <xsl:with-param name="action" select="$action"/> - </xsl:call-template> + <xsl:when test="$type = 'netgroup'"> + <xsl:text>+</xsl:text> + </xsl:when> + <xsl:when test="$type = 'posixGroup'"> + <xsl:text>%</xsl:text> </xsl:when> - <xsl:otherwise> - <xsl:choose> - <xsl:when test="$action = 'output'"> - <xsl:if test="$first != true()"> - <xsl:value-of select="$separator"/> - </xsl:if> - <xsl:value-of select="$prefix"/> - <xsl:value-of select="$s"/> - <xsl:value-of select="$suffix"/> - </xsl:when> - </xsl:choose> - </xsl:otherwise> </xsl:choose> + <xsl:value-of select="$name"/> </xsl:template> + <xsl:template name="format_tag"> + <xsl:param name="tag"/> + + <xsl:if test="$tag != ''"> + <xsl:value-of select="$tag"/> + <xsl:text>:</xsl:text> + </xsl:if> + </xsl:template> </xsl:stylesheet> |