authorSumit Bose <sbose@nb.localdomain>2008-11-19 22:00:34 +0100
committerSumit Bose <sbose@nb.localdomain>2008-11-19 22:00:34 +0100
commitd9b81ef3b8fb86072bf48a0991d40417dbf9bfc7 (patch)
tree404b971e9f05b2454efc6d58197f39de1a3eff40
parentd3cec427f2227846a38d9c471842fe39eb356481 (diff)
added alternative version of sudoers RELAX NG schema
-rw-r--r--sudoers/sudoers_alternative.rng516
-rw-r--r--sudoers/sudoers_alternative_example_policy.xml29
2 files changed, 545 insertions, 0 deletions
diff --git a/sudoers/sudoers_alternative.rng b/sudoers/sudoers_alternative.rng
new file mode 100644
index 0000000..0715d26
--- /dev/null
+++ b/sudoers/sudoers_alternative.rng
@@ -0,0 +1,516 @@
+<?xml version="1.0" encoding="utf-8"?>
+<!--
+Author: Sumit Bose <sbose@redhat.com>
+
+Copyright (C) 2008 Red Hat
+see file 'COPYING' for use and warranty information
+
+This program is free software; you can redistribute it and/or modify it under
+the terms of the GNU Lesser General Public License as published by the Free
+Software Foundation; version 2 only
+
+This program is distributed in the hope that it will be useful, but WITHOUT
+ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
+FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License for more
+details.
+
+You should have received a copy of the GNU Lesser General Public License
+along with this program; see the file COPYING.LGPL. If not, write to the
+Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston,
+MA 02111-1307, USA.
+-->
+<grammar ns="http://freeipa.org/xml/rng/sudo/1.0"
+xmlns="http://relaxng.org/ns/structure/1.0"
+datatypeLibrary="http://www.w3.org/2001/XMLSchema-datatypes"
+xmlns:a="http://relaxng.org/ns/compatibility/annotations/1.0"
+xmlns:pa="http://freeipa.org/xml/rng/ns/plugable_architecture/1.0">
+
+ <a:documentation>Sudo configuration (/etc/sudoers)</a:documentation>
+
+ <a:documentation>The following section can be used to register the RNG schema file for the UI</a:documentation>
+ <a:name>sudo</a:name>
+ <a:description>Creates configuration items for sudo which will be written to /etc/sudoers</a:description>
+ <a:author>sbose@redhat.com, based on the work of fcusack@redhat.com</a:author>
+ <a:xslt>sudoers.xsl</a:xslt>
+ <a:version>0.5</a:version>
+
+ <define name="rng_filename"><value>sudoers.rng</value></define>
+ <define name="xslt_filename"><value>sudoers.xsl</value></define>
+ <define name="application_name"><value>sudo</value></define>
+ <include href="policy_metadata.rng"/>
+
+ <start ns="http://freeipa.org/xml/rng/sudo/1.0">
+ <element name="ipa">
+ <a:documentation>Doc test.</a:documentation>
+
+ <ref name="policy_metadata"/>
+
+ <element name="ipaconfig">
+
+ <a:documentation>Here the definition for the sudo specific part of the policy starts.</a:documentation>
+ <oneOrMore>
+ <element name="sudoers">
+ <a:doc>If no user, group and netgroup is given, ALL is assumed</a:doc>
+ <zeroOrMore>
+ <element name="user">
+ <text/>
+ </element>
+ </zeroOrMore>
+ <zeroOrMore>
+ <element name="group">
+ <text/>
+ </element>
+ </zeroOrMore>
+ <zeroOrMore>
+ <element name="netgroup">
+ <text/>
+ </element>
+ </zeroOrMore>
+
+ <optional>
+ <group>
+ <element name="command">
+ <text />
+ </element>
+ <optional>
+ <choice>
+ <element name="NOPASSWD">
+ <empty/>
+ </element>
+ <element name="PASSWD">
+ <empty/>
+ </element>
+ </choice>
+ </optional>
+ <optional>
+ <choice>
+ <element name="NOEXEC">
+ <empty/>
+ </element>
+ <element name="EXEC">
+ <empty/>
+ </element>
+ </choice>
+ </optional>
+ <optional>
+ <choice>
+ <element name="NOSETENV">
+ <empty/>
+ </element>
+ <element name="SETENV">
+ <empty/>
+ </element>
+ </choice>
+ </optional>
+ <!-- XXX actually needs to be user,group,netgroup -->
+ <zeroOrMore>
+ <element name="runas">
+ <data type="string">
+ <param name="pattern">[A-Za-z0-9_-]{1,16}</param>
+ </data>
+ </element>
+ </zeroOrMore>
+ </group>
+ </optional>
+
+ <!-- flag options -->
+ <optional>
+ <element name="always_set_home" a:defaultValue="off">
+ <a:documentation>
+ If set, sudo will set the HOME environment variable to
+ the home directory of the target user (which is root
+ unless the -u option is used). This effectively means
+ that the -H flag is always implied. This flag is off by
+ default.
+ </a:documentation>
+ <data type="boolean"/>
+ </element>
+ </optional>
+ <optional>
+ <element name="authenticate" a:defaultValue="on">
+ <data type="boolean"/>
+ </element>
+ </optional>
+ <optional>
+ <element name="env_editor" a:defaultValue="on">
+ <data type="boolean"/>
+ </element>
+ </optional>
+ <optional>
+ <element name="env_reset" a:defaultValue="off">
+ <data type="boolean"/>
+ </element>
+ </optional>
+ <optional>
+ <element name="fqdn" a:defaultValue="off">
+ <data type="boolean"/>
+ </element>
+ </optional>
+ <optional>
+ <element name="ignore_local_sudoers" a:defaultValue="off">
+ <data type="boolean"/>
+ </element>
+ </optional>
+ <optional>
+ <element name="insults" a:defaultValue="off">
+ <data type="boolean"/>
+ </element>
+ </optional>
+ <optional>
+ <element name="log_host" a:defaultValue="off">
+ <data type="boolean"/>
+ </element>
+ </optional>
+ <optional>
+ <element name="log_year" a:defaultValue="off">
+ <data type="boolean"/>
+ </element>
+ </optional>
+ <optional>
+ <element name="long_otp_prompt" a:defaultValue="off">
+ <data type="boolean"/>
+ </element>
+ </optional>
+ <optional>
+ <element name="mail_always" a:defaultValue="off">
+ <data type="boolean"/>
+ </element>
+ </optional>
+ <optional>
+ <element name="mail_badpass" a:defaultValue="off">
+ <data type="boolean"/>
+ </element>
+ </optional>
+ <optional>
+ <element name="mail_no_host" a:defaultValue="off">
+ <data type="boolean"/>
+ </element>
+ </optional>
+ <optional>
+ <element name="mail_no_perms" a:defaultValue="off">
+ <data type="boolean"/>
+ </element>
+ </optional>
+ <optional>
+ <element name="mail_no_user" a:defaultValue="on">
+ <data type="boolean"/>
+ </element>
+ </optional>
+ <optional>
+ <element name="noexec" a:defaultValue="off">
+ <data type="boolean"/>
+ </element>
+ </optional>
+ <optional>
+ <element name="path_info" a:defaultValue="off">
+ <data type="boolean"/>
+ </element>
+ </optional>
+ <optional>
+ <element name="passprompt_override" a:defaultValue="off">
+ <data type="boolean"/>
+ </element>
+ </optional>
+ <optional>
+ <element name="preserve_groups" a:defaultValue="off">
+ <data type="boolean"/>
+ </element>
+ </optional>
+ <optional>
+ <element name="requiretty" a:defaultValue="off">
+ <data type="boolean"/>
+ </element>
+ </optional>
+ <optional>
+ <element name="root_sudo" a:defaultValue="on">
+ <data type="boolean"/>
+ </element>
+ </optional>
+ <optional>
+ <element name="rootpw" a:defaultValue="off">
+ <data type="boolean"/>
+ </element>
+ </optional>
+ <optional>
+ <element name="runaspw" a:defaultValue="off">
+ <data type="boolean"/>
+ </element>
+ </optional>
+ <optional>
+ <element name="set_home" a:defaultValue="off">
+ <data type="boolean"/>
+ </element>
+ </optional>
+ <optional>
+ <element name="set_logname" a:defaultValue="on">
+ <data type="boolean"/>
+ </element>
+ </optional>
+ <optional>
+ <element name="setenv" a:defaultValue="off">
+ <data type="boolean"/>
+ </element>
+ </optional>
+ <optional>
+ <element name="shell_noargs" a:defaultValue="off">
+ <data type="boolean"/>
+ </element>
+ </optional>
+ <optional>
+ <element name="stay_setuid" a:defaultValue="off">
+ <data type="boolean"/>
+ </element>
+ </optional>
+ <optional>
+ <element name="targetpw" a:defaultValue="off">
+ <data type="boolean"/>
+ </element>
+ </optional>
+ <optional>
+ <element name="tty_tickets" a:defaultValue="off">
+ <data type="boolean"/>
+ </element>
+ </optional>
+ <optional>
+ <!-- integer options -->
+ <element name="passwd_tries" a:defaultValue="3">
+ <data type="integer">
+ <param name="minInclusive">1</param>
+ <param name="maxInclusive">65535</param>
+ </data>
+ </element>
+ </optional>
+ <optional>
+ <!-- integer/boolean options -->
+ <element name="loglinelen" a:defaultValue="80">
+ <data type="integer">
+ <param name="minInclusive">0</param>
+ <param name="maxInclusive">65535</param>
+ </data>
+ </element>
+ </optional>
+ <optional>
+ <element name="passwd_timeout" a:defaultValue="0">
+ <data type="integer">
+ <param name="minInclusive">0</param>
+ <param name="maxInclusive">65535</param>
+ </data>
+ </element>
+ </optional>
+ <optional>
+ <element name="timestamp_timeout" a:defaultValue="5">
+ <data type="integer">
+ <param name="minInclusive">-1</param>
+ <param name="maxInclusive">65535</param>
+ </data>
+ </element>
+ </optional>
+ <optional>
+ <element name="umask" a:defaultValue="0022">
+ <data type="string">
+ <param name="pattern">(0[0-7]{3})</param>
+ </data>
+ </element>
+ </optional>
+ <optional>
+ <!-- string options -->
+ <element name="badpass_message" a:defaultValue="Sorry, try again.">
+ <text />
+ </element>
+ </optional>
+ <optional>
+ <element name="editor" a:defaultValue="/PATH/TO/VI">
+ <!-- NOTE: absolute path not required -->
+ <text />
+ </element>
+ </optional>
+ <optional>
+ <element name="mailsub" a:defaultValue="*** SECURITY information for %h ***">
+ <text />
+ </element>
+ </optional>
+ <optional>
+ <element name="noexec_file" a:defaultValue="/PATH/TO/SUDO_NOEXEC.SO">
+ <data type="string">
+ <param name="pattern">/.*</param>
+ </data>
+ </element>
+ </optional>
+ <optional>
+ <element name="passprompt" a:defaultValue="Password:">
+ <text />
+ </element>
+ </optional>
+ <optional>
+ <element name="role" a:defaultValue="">
+ <text />
+ </element>
+ </optional>
+ <optional>
+ <element name="runas_default" a:defaultValue="root">
+ <data type="string">
+ <param name="pattern">[A-Za-z0-9_-]{1,16}</param>
+ </data>
+ </element>
+ </optional>
+ <optional>
+ <element name="syslog_badpri" a:defaultValue="alert">
+ <choice>
+ <value>emerg</value>
+ <value>alert</value>
+ <value>crit</value>
+ <value>err</value>
+ <value>warning</value>
+ <value>notice</value>
+ <value>info</value>
+ <value>debug</value>
+ </choice>
+ </element>
+ </optional>
+ <optional>
+ <element name="syslog_goodpri" a:defaultValue="notice">
+ <choice>
+ <value>emerg</value>
+ <value>alert</value>
+ <value>crit</value>
+ <value>err</value>
+ <value>warning</value>
+ <value>notice</value>
+ <value>info</value>
+ <value>debug</value>
+ </choice>
+ </element>
+ </optional>
+ <optional>
+ <element name="timestampdir" a:defaultValue="/var/db/sudo">
+ <data type="string">
+ <param name="pattern">/.*</param>
+ </data>
+ </element>
+ </optional>
+ <optional>
+ <element name="timestampowner" a:defaultValue="root">
+ <data type="string">
+ <param name="pattern">[A-Za-z0-9_-]{1,16}</param>
+ </data>
+ </element>
+ </optional>
+ <optional>
+ <element name="type" a:defaultValue="">
+ <text />
+ </element>
+ </optional>
+ <optional>
+ <!-- string/boolean options -->
+ <!-- possibly bad option for us -->
+ <element name="exempt_group" a:defaultValue="off">
+ <text />
+ </element>
+ </optional>
+ <optional>
+ <element name="lecture" a:defaultValue="once">
+ <choice>
+ <value>always</value>
+ <value>never</value>
+ <value>once</value>
+ </choice>
+ </element>
+ </optional>
+ <optional>
+ <element name="lecture_file" a:defaultValue="built-in">
+ <data type="string">
+ <param name="pattern">(/.*|built-in)</param>
+ </data>
+ </element>
+ </optional>
+ <optional>
+ <!-- possibly bad for us -->
+ <element name="listpw" a:defaultValue="any">
+ <choice>
+ <value>all</value>
+ <value>always</value>
+ <value>any</value>
+ <value>never</value>
+ </choice>
+ </element>
+ </optional>
+ <optional>
+ <element name="logfile" a:defaultValue="off">
+ <data type="string">
+ <param name="pattern">(/.*|off)</param>
+ </data>
+ </element>
+ </optional>
+ <optional>
+ <element name="mailerflags" a:defaultValue="-t">
+ <text />
+ </element>
+ </optional>
+ <optional>
+ <element name="mailerpath" a:defaultValue="/PATH/TO/SENDMAIL">
+ <text />
+ </element>
+ </optional>
+ <optional>
+ <element name="syslog" a:defaultValue="authpriv">
+ <choice>
+ <value>auth</value>
+ <value>authpriv</value>
+ <value>daemon</value>
+ <value>user</value>
+ <value>local0</value>
+ <value>local1</value>
+ <value>local2</value>
+ <value>local3</value>
+ <value>local4</value>
+ <value>local5</value>
+ <value>local6</value>
+ <value>local7</value>
+ <value>off</value>
+ </choice>
+ </element>
+ </optional>
+ <optional>
+ <element name="verifypw" a:defaultValue="all">
+ <choice>
+ <value>all</value>
+ <value>always</value>
+ <value>any</value>
+ <value>never</value>
+ </choice>
+ </element>
+ </optional>
+ <optional>
+ <!-- list/boolean options -->
+ <element name="env_check" a:defaultValue="">
+ <list>
+ <oneOrMore>
+ <data type="string" />
+ </oneOrMore>
+ </list>
+ </element>
+ </optional>
+ <optional>
+ <element name="env_delete" a:defaultValue="">
+ <list>
+ <oneOrMore>
+ <data type="string" />
+ </oneOrMore>
+ </list>
+ </element>
+ </optional>
+ <optional>
+ <element name="env_keep" a:defaultValue="">
+ <list>
+ <oneOrMore>
+ <data type="string" />
+ </oneOrMore>
+ </list>
+ </element>
+ </optional>
+ </element> <!-- sudoers -->
+ </oneOrMore>
+ </element> <!-- ipaconfig -->
+ </element> <!-- ipa -->
+ </start>
+</grammar>
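Review bot: The boolean flag options declare their defaults as `on`/`off` (from `always_set_home` through `tty_tickets`) while their content model is `<data type="boolean"/>`, and the XML Schema boolean lexical space is only `true`/`false`/`1`/`0`, so a UI that seeds an element from its `a:defaultValue` would produce a document this same grammar rejects; the sibling example policy already writes `true`/`false`. Either change the defaults to `a:defaultValue="false"` / `a:defaultValue="true"`, or model these elements as `<choice><value>on</value><value>off</value></choice>` to match sudoers syntax. The `sudoers` element's note uses `<a:doc>` where the rest of the grammar uses `<a:documentation>`, which is the only documentation element the compatibility-annotations namespace defines, so tools will not show it. `command` is left as unconstrained `<text />` while `runas`, `noexec_file` and `timestampdir` carry patterns; sudoers requires fully-qualified command paths, so a pattern such as `<param name="pattern">(/.*|ALL)</param>` would reject relative paths at validation time rather than letting them reach the generated file (presumably via sudoers.xsl, which is not in this commit).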
diff --git a/sudoers/sudoers_alternative_example_policy.xml b/sudoers/sudoers_alternative_example_policy.xml
new file mode 100644
index 0000000..9124cb9
--- /dev/null
+++ b/sudoers/sudoers_alternative_example_policy.xml
@@ -0,0 +1,29 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<ipa xmlns="http://freeipa.org/xml/rng/sudo/1.0">
+<metadata>
+ <name>simple sudoers example, allowing mount/umount of a CD-ROM</name>
+ <author>sbose@redhat.com</author>
+ <version>0.7071</version>
+ <RNGfile>sudoers.rng</RNGfile>
+ <XSLTfile>sudoers.xsl</XSLTfile>
+ <app>sudo</app>
+</metadata>
+
+<ipaconfig>
+<sudoers>
+ <netgroup>abc</netgroup>
+ <command>/sbin/umount /CDROM</command><NOPASSWD/><runas>root</runas>
+ <authenticate>true</authenticate>
+<!-- <command><path>/sbin/mount -o nosuid,nodev /dev/cd0a /CDROM</path></command>-->
+</sudoers>
+<sudoers>
+ <group>def</group>
+ <authenticate>false</authenticate>
+</sudoers>
+<sudoers>
+ <command>/sbin/shutdown -r now</command>
+ <lecture>always</lecture>
+</sudoers>
+</ipaconfig>
+
+</ipa>
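Review bot: The metadata's `<RNGfile>sudoers.rng</RNGfile>` names the original grammar rather than the `sudoers_alternative.rng` this example is written against; if that field is what selects the validating schema (policy_metadata.rng is not in this commit, so this is inferred), the example would be checked against the wrong file, and `<RNGfile>sudoers_alternative.rng</RNGfile>` would be the expected value. The third `<sudoers>` block names no user, group or netgroup, which the grammar's own annotation says is read as ALL, so it grants every user `/sbin/shutdown -r now`; an inline comment such as `<!-- no subject given: applies to ALL users per the schema -->` would make that deliberate rather than an easy-to-copy omission. The commented-out `<command><path>…</path></command>` line uses an element layout this grammar does not define and could be rewritten to the flat `<command>` form or dropped.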