author | Sumit Bose <sbose@nb.localdomain> | 2008-11-19 22:00:34 +0100 |
---|---|---|
committer | Sumit Bose <sbose@nb.localdomain> | 2008-11-19 22:00:34 +0100 |
commit | d9b81ef3b8fb86072bf48a0991d40417dbf9bfc7 (patch) | |
tree | 404b971e9f05b2454efc6d58197f39de1a3eff40 | |
parent | d3cec427f2227846a38d9c471842fe39eb356481 (diff) | |
added alternative version of sudoers RELAX NG schema
-rw-r--r-- | sudoers/sudoers_alternative.rng | 516 | ||||
-rw-r--r-- | sudoers/sudoers_alternative_example_policy.xml | 29 |
2 files changed, 545 insertions, 0 deletions
diff --git a/sudoers/sudoers_alternative.rng b/sudoers/sudoers_alternative.rng
new file mode 100644
index 0000000..0715d26
--- /dev/null
+++ b/sudoers/sudoers_alternative.rng
@@ -0,0 +1,516 @@
+<?xml version="1.0" encoding="utf-8"?>
+<!--
+Author: Sumit Bose <sbose@redhat.com>
+
+Copyright (C) 2008 Red Hat
+see file 'COPYING' for use and warranty information
+
+This program is free software; you can redistribute it and/or modify it under
+the terms of the GNU Lesser General Public License as published by the Free
+Software Foundation; version 2 only
+
+This program is distributed in the hope that it will be useful, but WITHOUT
+ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
+FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License for more
+details.
+
+You should have received a copy of the GNU Lesser General Public License
+along with this program; see the file COPYING.LGPL. If not, write to the
+Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston,
+MA 02111-1307, USA.
+-->
+<grammar ns="http://freeipa.org/xml/rng/sudo/1.0"
+xmlns="http://relaxng.org/ns/structure/1.0"
+datatypeLibrary="http://www.w3.org/2001/XMLSchema-datatypes"
+xmlns:a="http://relaxng.org/ns/compatibility/annotations/1.0"
+xmlns:pa="http://freeipa.org/xml/rng/ns/plugable_architecture/1.0">
+
+ <a:documentation>Sudo configuration (/etc/sudoers)</a:documentation>
+
+ <a:documentation>The following section can be used to register the RNG schema file for the UI</a:documentation>
+ <a:name>sudo</a:name>
+ <a:description>Creates configuration items for sudo which will be written to /etc/sudoers</a:description>
+ <a:author>sbose@redhat.com, based on the work of fcusack@redhat.com</a:author>
+ <a:xslt>sudoers.xsl</a:xslt>
+ <a:version>0.5</a:version>
+
+ <define name="rng_filename"><value>sudoers.rng</value></define>
+ <define name="xslt_filename"><value>sudoers.xsl</value></define>
+ <define name="application_name"><value>sudo</value></define>
+ <include href="policy_metadata.rng"/>
+
+ <start ns="http://freeipa.org/xml/rng/sudo/1.0">
+ <element name="ipa">
+ <a:documentation>Doc test.</a:documentation>
+
+ <ref name="policy_metadata"/>
+
+ <element name="ipaconfig">
+
+ <a:documentation>Here the definition for the sudo specific part of the policy starts.</a:documentation>
+ <oneOrMore>
+ <element name="sudoers">
+ <a:doc>If no user, group and netgroup is given, ALL is assumed</a:doc>
+ <zeroOrMore>
+ <element name="user">
+ <text/>
+ </element>
+ </zeroOrMore>
+ <zeroOrMore>
+ <element name="group">
+ <text/>
+ </element>
+ </zeroOrMore>
+ <zeroOrMore>
+ <element name="netgroup">
+ <text/>
+ </element>
+ </zeroOrMore>
+
+ <optional>
+ <group>
+ <element name="command">
+ <text />
+ </element>
+ <optional>
+ <choice>
+ <element name="NOPASSWD">
+ <empty/>
+ </element>
+ <element name="PASSWD">
+ <empty/>
+ </element>
+ </choice>
+ </optional>
+ <optional>
+ <choice>
+ <element name="NOEXEC">
+ <empty/>
+ </element>
+ <element name="EXEC">
+ <empty/>
+ </element>
+ </choice>
+ </optional>
+ <optional>
+ <choice>
+ <element name="NOSETENV">
+ <empty/>
+ </element>
+ <element name="SETENV">
+ <empty/>
+ </element>
+ </choice>
+ </optional>
+ <!-- XXX actually needs to be user,group,netgroup -->
+ <zeroOrMore>
+ <element name="runas">
+ <data type="string">
+ <param name="pattern">[A-Za-z0-9_-]{1,16}</param>
+ </data>
+ </element>
+ </zeroOrMore>
+ </group>
+ </optional>
+
+ <!-- flag options -->
+ <optional>
+ <element name="always_set_home" a:defaultValue="off">
+ <a:documentation>
+ If set, sudo will set the HOME environment variable to
+ the home directory of the target user (which is root
+ unless the -u option is used). This effectively means
+ that the -H flag is always implied. This flag is off by
+ default.
+ </a:documentation>
+ <data type="boolean"/>
+ </element>
+ </optional>
+ <optional>
+ <element name="authenticate" a:defaultValue="on">
+ <data type="boolean"/>
+ </element>
+ </optional>
+ <optional>
+ <element name="env_editor" a:defaultValue="on">
+ <data type="boolean"/>
+ </element>
+ </optional>
+ <optional>
+ <element name="env_reset" a:defaultValue="off">
+ <data type="boolean"/>
+ </element>
+ </optional>
+ <optional>
+ <element name="fqdn" a:defaultValue="off">
+ <data type="boolean"/>
+ </element>
+ </optional>
+ <optional>
+ <element name="ignore_local_sudoers" a:defaultValue="off">
+ <data type="boolean"/>
+ </element>
+ </optional>
+ <optional>
+ <element name="insults" a:defaultValue="off">
+ <data type="boolean"/>
+ </element>
+ </optional>
+ <optional>
+ <element name="log_host" a:defaultValue="off">
+ <data type="boolean"/>
+ </element>
+ </optional>
+ <optional>
+ <element name="log_year" a:defaultValue="off">
+ <data type="boolean"/>
+ </element>
+ </optional>
+ <optional>
+ <element name="long_otp_prompt" a:defaultValue="off">
+ <data type="boolean"/>
+ </element>
+ </optional>
+ <optional>
+ <element name="mail_always" a:defaultValue="off">
+ <data type="boolean"/>
+ </element>
+ </optional>
+ <optional>
+ <element name="mail_badpass" a:defaultValue="off">
+ <data type="boolean"/>
+ </element>
+ </optional>
+ <optional>
+ <element name="mail_no_host" a:defaultValue="off">
+ <data type="boolean"/>
+ </element>
+ </optional>
+ <optional>
+ <element name="mail_no_perms" a:defaultValue="off">
+ <data type="boolean"/>
+ </element>
+ </optional>
+ <optional>
+ <element name="mail_no_user" a:defaultValue="on">
+ <data type="boolean"/>
+ </element>
+ </optional>
+ <optional>
+ <element name="noexec" a:defaultValue="off">
+ <data type="boolean"/>
+ </element>
+ </optional>
+ <optional>
+ <element name="path_info" a:defaultValue="off">
+ <data type="boolean"/>
+ </element>
+ </optional>
+ <optional>
+ <element name="passprompt_override" a:defaultValue="off">
+ <data type="boolean"/>
+ </element>
+ </optional>
+ <optional>
+ <element name="preserve_groups" a:defaultValue="off">
+ <data type="boolean"/>
+ </element>
+ </optional>
+ <optional>
+ <element name="requiretty" a:defaultValue="off">
+ <data type="boolean"/>
+ </element>
+ </optional>
+ <optional>
+ <element name="root_sudo" a:defaultValue="on">
+ <data type="boolean"/>
+ </element>
+ </optional>
+ <optional>
+ <element name="rootpw" a:defaultValue="off">
+ <data type="boolean"/>
+ </element>
+ </optional>
+ <optional>
+ <element name="runaspw" a:defaultValue="off">
+ <data type="boolean"/>
+ </element>
+ </optional>
+ <optional>
+ <element name="set_home" a:defaultValue="off">
+ <data type="boolean"/>
+ </element>
+ </optional>
+ <optional>
+ <element name="set_logname" a:defaultValue="on">
+ <data type="boolean"/>
+ </element>
+ </optional>
+ <optional>
+ <element name="setenv" a:defaultValue="off">
+ <data type="boolean"/>
+ </element>
+ </optional>
+ <optional>
+ <element name="shell_noargs" a:defaultValue="off">
+ <data type="boolean"/>
+ </element>
+ </optional>
+ <optional>
+ <element name="stay_setuid" a:defaultValue="off">
+ <data type="boolean"/>
+ </element>
+ </optional>
+ <optional>
+ <element name="targetpw" a:defaultValue="off">
+ <data type="boolean"/>
+ </element>
+ </optional>
+ <optional>
+ <element name="tty_tickets" a:defaultValue="off">
+ <data type="boolean"/>
+ </element>
+ </optional>
+ <optional>
+ <!-- integer options -->
+ <element name="passwd_tries" a:defaultValue="3">
+ <data type="integer">
+ <param name="minInclusive">1</param>
+ <param name="maxInclusive">65535</param>
+ </data>
+ </element>
+ </optional>
+ <optional>
+ <!-- integer/boolean options -->
+ <element name="loglinelen" a:defaultValue="80">
+ <data type="integer">
+ <param name="minInclusive">0</param>
+ <param name="maxInclusive">65535</param>
+ </data>
+ </element>
+ </optional>
+ <optional>
+ <element name="passwd_timeout" a:defaultValue="0">
+ <data type="integer">
+ <param name="minInclusive">0</param>
+ <param name="maxInclusive">65535</param>
+ </data>
+ </element>
+ </optional>
+ <optional>
+ <element name="timestamp_timeout" a:defaultValue="5">
+ <data type="integer">
+ <param name="minInclusive">-1</param>
+ <param name="maxInclusive">65535</param>
+ </data>
+ </element>
+ </optional>
+ <optional>
+ <element name="umask" a:defaultValue="0022">
+ <data type="string">
+ <param name="pattern">(0[0-7]{3})</param>
+ </data>
+ </element>
+ </optional>
+ <optional>
+ <!-- string options -->
+ <element name="badpass_message" a:defaultValue="Sorry, try again.">
+ <text />
+ </element>
+ </optional>
+ <optional>
+ <element name="editor" a:defaultValue="/PATH/TO/VI">
+ <!-- NOTE: absolute path not required -->
+ <text />
+ </element>
+ </optional>
+ <optional>
+ <element name="mailsub" a:defaultValue="*** SECURITY information for %h ***">
+ <text />
+ </element>
+ </optional>
+ <optional>
+ <element name="noexec_file" a:defaultValue="/PATH/TO/SUDO_NOEXEC.SO">
+ <data type="string">
+ <param name="pattern">/.*</param>
+ </data>
+ </element>
+ </optional>
+ <optional>
+ <element name="passprompt" a:defaultValue="Password:">
+ <text />
+ </element>
+ </optional>
+ <optional>
+ <element name="role" a:defaultValue="">
+ <text />
+ </element>
+ </optional>
+ <optional>
+ <element name="runas_default" a:defaultValue="root">
+ <data type="string">
+ <param name="pattern">[A-Za-z0-9_-]{1,16}</param>
+ </data>
+ </element>
+ </optional>
+ <optional>
+ <element name="syslog_badpri" a:defaultValue="alert">
+ <choice>
+ <value>emerg</value>
+ <value>alert</value>
+ <value>crit</value>
+ <value>err</value>
+ <value>warning</value>
+ <value>notice</value>
+ <value>info</value>
+ <value>debug</value>
+ </choice>
+ </element>
+ </optional>
+ <optional>
+ <element name="syslog_goodpri" a:defaultValue="notice">
+ <choice>
+ <value>emerg</value>
+ <value>alert</value>
+ <value>crit</value>
+ <value>err</value>
+ <value>warning</value>
+ <value>notice</value>
+ <value>info</value>
+ <value>debug</value>
+ </choice>
+ </element>
+ </optional>
+ <optional>
+ <element name="timestampdir" a:defaultValue="/var/db/sudo">
+ <data type="string">
+ <param name="pattern">/.*</param>
+ </data>
+ </element>
+ </optional>
+ <optional>
+ <element name="timestampowner" a:defaultValue="root">
+ <data type="string">
+ <param name="pattern">[A-Za-z0-9_-]{1,16}</param>
+ </data>
+ </element>
+ </optional>
+ <optional>
+ <element name="type" a:defaultValue="">
+ <text />
+ </element>
+ </optional>
+ <optional>
+ <!-- string/boolean options -->
+ <!-- possibly bad option for us -->
+ <element name="exempt_group" a:defaultValue="off">
+ <text />
+ </element>
+ </optional>
+ <optional>
+ <element name="lecture" a:defaultValue="once">
+ <choice>
+ <value>always</value>
+ <value>never</value>
+ <value>once</value>
+ </choice>
+ </element>
+ </optional>
+ <optional>
+ <element name="lecture_file" a:defaultValue="built-in">
+ <data type="string">
+ <param name="pattern">(/.*|built-in)</param>
+ </data>
+ </element>
+ </optional>
+ <optional>
+ <!-- possibly bad for us -->
+ <element name="listpw" a:defaultValue="any">
+ <choice>
+ <value>all</value>
+ <value>always</value>
+ <value>any</value>
+ <value>never</value>
+ </choice>
+ </element>
+ </optional>
+ <optional>
+ <element name="logfile" a:defaultValue="off">
+ <data type="string">
+ <param name="pattern">(/.*|off)</param>
+ </data>
+ </element>
+ </optional>
+ <optional>
+ <element name="mailerflags" a:defaultValue="-t">
+ <text />
+ </element>
+ </optional>
+ <optional>
+ <element name="mailerpath" a:defaultValue="/PATH/TO/SENDMAIL">
+ <text />
+ </element>
+ </optional>
+ <optional>
+ <element name="syslog" a:defaultValue="authpriv">
+ <choice>
+ <value>auth</value>
+ <value>authpriv</value>
+ <value>daemon</value>
+ <value>user</value>
+ <value>local0</value>
+ <value>local1</value>
+ <value>local2</value>
+ <value>local3</value>
+ <value>local4</value>
+ <value>local5</value>
+ <value>local6</value>
+ <value>local7</value>
+ <value>off</value>
+ </choice>
+ </element>
+ </optional>
+ <optional>
+ <element name="verifypw" a:defaultValue="all">
+ <choice>
+ <value>all</value>
+ <value>always</value>
+ <value>any</value>
+ <value>never</value>
+ </choice>
+ </element>
+ </optional>
+ <optional>
+ <!-- list/boolean options -->
+ <element name="env_check" a:defaultValue="">
+ <list>
+ <oneOrMore>
+ <data type="string" />
+ </oneOrMore>
+ </list>
+ </element>
+ </optional>
+ <optional>
+ <element name="env_delete" a:defaultValue="">
+ <list>
+ <oneOrMore>
+ <data type="string" />
+ </oneOrMore>
+ </list>
+ </element>
+ </optional>
+ <optional>
+ <element name="env_keep" a:defaultValue="">
+ <list>
+ <oneOrMore>
+ <data type="string" />
+ </oneOrMore>
+ </list>
+ </element>
+ </optional>
+ </element> <!-- sudoers -->
+ </oneOrMore>
+ </element> <!-- ipaconfig -->
+ </element> <!-- ipa -->
+ </start>
+</grammar>
diff --git a/sudoers/sudoers_alternative_example_policy.xml b/sudoers/sudoers_alternative_example_policy.xml
new file mode 100644
index 0000000..9124cb9
--- /dev/null
+++ b/sudoers/sudoers_alternative_example_policy.xml
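Review bot: `<element name="command">` is plain `<text />`, although the sibling `runas`, `runas_default` and `timestampowner` elements are pinned to `[A-Za-z0-9_-]{1,16}` and `noexec_file`/`timestampdir` to `/.*`, and per `<a:description>` this content is what gets written to /etc/sudoers, where an embedded line break or an unescaped `,`, `:`, `=` or `\` in the command text changes what the rendered rule grants. Constrain it like the other path fields, `<data type="string"><param name="pattern">/.*</param></data>` (XSD `.` does not match `\n`/`\r`, so this also rejects multi-line values; add `|ALL` only if the keyword the `a:doc` mentions is meant to be expressible here), and leave escaping of the sudoers separators to the stylesheet named in `<a:xslt>`, since arguments such as `-o nosuid,nodev` legitimately contain commas. The same unconstrained `<text/>` applies to `user`, `group` and `netgroup`, which the `XXX` comment above `runas` already hints at. Separately, every `a:defaultValue="on"`/`"off"` sits on an element whose content is `<data type="boolean"/>`, whose lexical space is `true`/`false`/`1`/`0`, so the annotated default is not a valid value of the element it documents; the compatibility spec also defines `a:defaultValue` for `attribute` patterns, so these read as documentation rather than applied defaults and should use `true`/`false`. `<a:doc>` on `sudoers` is not a name in the compatibility annotations namespace; the rest of the file uses `<a:documentation>`.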
@@ -0,0 +1,29 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<ipa xmlns="http://freeipa.org/xml/rng/sudo/1.0">
+<metadata>
+ <name>simple sudoers example, allowing mount/umount of a CD-ROM</name>
+ <author>sbose@redhat.com</author>
+ <version>0.7071</version>
+ <RNGfile>sudoers.rng</RNGfile>
+ <XSLTfile>sudoers.xsl</XSLTfile>
+ <app>sudo</app>
+</metadata>
+
+<ipaconfig>
+<sudoers>
+ <netgroup>abc</netgroup>
+ <command>/sbin/umount /CDROM</command><NOPASSWD/><runas>root</runas>
+ <authenticate>true</authenticate>
+<!-- <command><path>/sbin/mount -o nosuid,nodev /dev/cd0a /CDROM</path></command>-->
+</sudoers>
+<sudoers>
+ <group>def</group>
+ <authenticate>false</authenticate>
+</sudoers>
+<sudoers>
+ <command>/sbin/shutdown -r now</command>
+ <lecture>always</lecture>
+</sudoers>
+</ipaconfig>
+
+</ipa> |
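Review bot: `<RNGfile>sudoers.rng</RNGfile>` points this example at the original schema rather than the `sudoers_alternative.rng` added in the same commit, and the grammar's own `rng_filename` define carries the same `sudoers.rng`; if the example is meant to exercise the alternative grammar, both should presumably name it (how `policy_metadata.rng` consumes `RNGfile` is not visible here). The commented-out `<command><path>…</path></command>` line uses a `path` child that the schema does not define, so re-enabling it as written would not validate; either drop it or rewrite it as `<command>/sbin/mount -o nosuid,nodev /dev/cd0a /CDROM</command>`.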