-rw-r--r-- | sudoers/sudoers.rng | 486 | ||||
-rwxr-xr-x | sudoers/sudoers2xml | 20 |
2 files changed, 479 insertions, 27 deletions
diff --git a/sudoers/sudoers.rng b/sudoers/sudoers.rng
index 6787df7..7686f1c 100644
--- a/sudoers/sudoers.rng
+++ b/sudoers/sudoers.rng
@@ -1,22 +1,474 @@ <?xml version="1.0" encoding="UTF-8"?> <grammar xmlns="http://relaxng.org/ns/structure/1.0" datatypeLibrary="http://www.w3.org/2001/XMLSchema-datatypes" - xmlns:a="http://freeipa.org/xml/rng/ns/annotations/1.0"> + xmlns:a="http://freeipa.org/xml/rng/ns/annotations/1.0" + xmlns:ui="http://freeipa.org/xml/rng/ns/ui/1.0"> <a:doc> Sudo configuration (/etc/sudoers) </a:doc> - <include href="username.rng"/> - <start ns="http://freeipa.org/xml/rng/sudo/sudoers/1.0"> + <element name="ipa"> + <oneOrMore> <element name="sudoers"> + <attribute name="name"/> + <attribute name="type"> + <choice> + <value>user</value> + <value>posixGroup</value> + <value>netgroup</value> + </choice> + </attribute> - <oneOrMore> + <optional> + <element name="option"> + <oneOrMore> + <choice> + + <!-- flag options --> + + <attribute name="always_set_home" a:defaultValue="off"> + <choice> + <value>on</value> + <value>off</value> + </choice> + </attribute> + + <attribute name="authenticate" a:defaultValue="on"> + <choice> + <value>on</value> + <value>off</value> + </choice> + </attribute> + + <attribute name="env_editor" a:defaultValue="on"> + <choice> + <value>on</value> + <value>off</value> + </choice> + </attribute> + + <attribute name="env_reset" a:defaultValue="off"> + <choice> + <value>on</value> + <value>off</value> + </choice> + </attribute> + + <attribute name="fqdn" a:defaultValue="off"> + <choice> + <value>on</value> + <value>off</value> + </choice> + </attribute> + +<!-- + this option is ignored by sudo + <attribute name="ignore_dot" a:defaultValue="on"> + <choice> + <value>on</value> + <value>off</value> + </choice> + </attribute> +--> + +<!-- global option only --> + <attribute name="ignore_local_sudoers" a:defaultValue="off"> + <choice> + <value>on</value> + <value>off</value> + </choice> + </attribute> + + <attribute name="insults" a:defaultValue="off"> + <choice> + <value>on</value> + <value>off</value> + </choice> + </attribute> + + <attribute name="log_host" 
a:defaultValue="off"> + <choice> + <value>on</value> + <value>off</value> + </choice> + </attribute> + + <attribute name="log_year" a:defaultValue="off"> + <choice> + <value>on</value> + <value>off</value> + </choice> + </attribute> + + <attribute name="long_otp_prompt" a:defaultValue="off"> + <choice> + <value>on</value> + <value>off</value> + </choice> + </attribute> + + <attribute name="mail_always" a:defaultValue="off"> + <choice> + <value>on</value> + <value>off</value> + </choice> + </attribute> + + <attribute name="mail_badpass" a:defaultValue="off"> + <choice> + <value>on</value> + <value>off</value> + </choice> + </attribute> + + <attribute name="mail_no_host" a:defaultValue="off"> + <choice> + <value>on</value> + <value>off</value> + </choice> + </attribute> + + <attribute name="mail_no_perms" a:defaultValue="off"> + <choice> + <value>on</value> + <value>off</value> + </choice> + </attribute> + + <attribute name="mail_no_user" a:defaultValue="on"> + <choice> + <value>on</value> + <value>off</value> + </choice> + </attribute> + + <attribute name="noexec" a:defaultValue="off"> + <choice> + <value>on</value> + <value>off</value> + </choice> + </attribute> + + <attribute name="path_info" a:defaultValue="off"> + <choice> + <value>on</value> + <value>off</value> + </choice> + </attribute> + + <attribute name="passprompt_override" a:defaultValue="off"> + <choice> + <value>on</value> + <value>off</value> + </choice> + </attribute> + + <attribute name="preserve_groups" a:defaultValue="off"> + <choice> + <value>on</value> + <value>off</value> + </choice> + </attribute> + + <attribute name="requiretty" a:defaultValue="off"> + <choice> + <value>on</value> + <value>off</value> + </choice> + </attribute> + + <attribute name="root_sudo" a:defaultValue="on"> + <choice> + <value>on</value> + <value>off</value> + </choice> + </attribute> + + <attribute name="rootpw" a:defaultValue="off"> + <choice> + <value>on</value> + <value>off</value> + </choice> + </attribute> + + 
<attribute name="runaspw" a:defaultValue="off"> + <choice> + <value>on</value> + <value>off</value> + </choice> + </attribute> + + <attribute name="set_home" a:defaultValue="off"> + <choice> + <value>on</value> + <value>off</value> + </choice> + </attribute> + + <attribute name="set_logname" a:defaultValue="on"> + <choice> + <value>on</value> + <value>off</value> + </choice> + </attribute> + + <attribute name="setenv" a:defaultValue="off"> + <choice> + <value>on</value> + <value>off</value> + </choice> + </attribute> + + <attribute name="shell_noargs" a:defaultValue="off"> + <choice> + <value>on</value> + <value>off</value> + </choice> + </attribute> + + <attribute name="stay_setuid" a:defaultValue="off"> + <choice> + <value>on</value> + <value>off</value> + </choice> + </attribute> + + <attribute name="targetpw" a:defaultValue="off"> + <choice> + <value>on</value> + <value>off</value> + </choice> + </attribute> + + <attribute name="tty_tickets" a:defaultValue="off"> + <choice> + <value>on</value> + <value>off</value> + </choice> + </attribute> + + <!-- integer options --> + + <attribute name="passwd_tries" a:defaultValue="3"> + <data type="integer"> + <param name="minInclusive"> 1 </param> + <param name="maxInclusive"> 65535 </param> <!-- ??? --> + </data> + </attribute> + + <!-- integer/boolean options --> + + <attribute name="loglinelen" a:defaultValue="80"> + <data type="integer"> + <param name="minInclusive"> 0 </param> + <param name="maxInclusive"> 65535 </param> <!-- ??? --> + </data> + </attribute> + + <attribute name="passwd_timeout" a:defaultValue="0"> + <data type="integer"> + <param name="minInclusive"> 0 </param> + <param name="maxInclusive"> 65535 </param> <!-- ??? --> + </data> + </attribute> + + <attribute name="timestamp_timeout" a:defaultValue="5"> + <data type="integer"> + <param name="minInclusive"> -1 </param> + <param name="maxInclusive"> 65535 </param> <!-- ??? 
--> + </data> + </attribute> + + <attribute name="umask" a:defaultValue="0022"> + <data type="string"> + <param name="pattern">(0[0-7]{3})</param> + </data> + </attribute> + + <!-- string options --> + <attribute name="badpass_message" a:defaultValue="Sorry, try again."> + <text/> + </attribute> + + <attribute name="editor" a:defaultValue="/PATH/TO/VI"> + <!-- NOTE: absolute path not required --> + <text/> + </attribute> + + <attribute name="mailsub" + a:defaultValue="*** SECURITY information for %h ***"> + <text/> + </attribute> + + <attribute name="noexec_file" a:defaultValue="/PATH/TO/SUDO_NOEXEC.SO"> + <data type="string"> + <param name="pattern">/.*</param> + </data> + </attribute> + + <attribute name="passprompt" a:defaultValue="Password:"> + <text/> + </attribute> + + <attribute name="role" a:defaultValue=""> + <text/> + </attribute> + + <attribute name="runas_default" a:defaultValue="root"> + <data type="string"> + <param name="pattern">[A-Za-z0-9_-]{1,16}</param> + </data> + + </attribute> + + <attribute name="syslog_badpri" a:defaultValue="alert"> + <choice> + <value>emerg</value> + <value>alert</value> + <value>crit</value> + <value>err</value> + <value>warning</value> + <value>notice</value> + <value>info</value> + <value>debug</value> + </choice> + </attribute> + + <attribute name="syslog_goodpri" a:defaultValue="notice"> + <choice> + <value>emerg</value> + <value>alert</value> + <value>crit</value> + <value>err</value> + <value>warning</value> + <value>notice</value> + <value>info</value> + <value>debug</value> + </choice> + </attribute> + + <attribute name="timestampdir" a:defaultValue="/var/db/sudo"> + <data type="string"> + <param name="pattern">/.*</param> + </data> + </attribute> + + <attribute name="timestampowner" a:defaultValue="root"> + <data type="string"> + <param name="pattern">[A-Za-z0-9_-]{1,16}</param> + </data> + + </attribute> + + <attribute name="type" a:defaultValue=""> + <text/> + </attribute> + + <!-- string/boolean options --> + 
+<!-- possibly bad option for us --> + <attribute name="exempt_group" a:defaultValue="off"> + <text/> + </attribute> + + <attribute name="lecture" a:defaultValue="once"> + <choice> + <value>always</value> + <value>never</value> + <value>once</value> + </choice> + </attribute> + + <attribute name="lecture_file" a:defaultValue="built-in"> + <data type="string"> + <param name="pattern">(/.*|built-in)</param> + </data> + </attribute> + +<!-- possibly bad for us --> + <attribute name="listpw" a:defaultValue="any"> + <choice> + <value>all</value> + <value>always</value> + <value>any</value> + <value>never</value> + </choice> + </attribute> + + <attribute name="logfile" a:defaultValue="off"> + <data type="string"> + <param name="pattern">(/.*|off)</param> + </data> + </attribute> + + <attribute name="mailerflags" a:defaultValue="-t"> + <text/> + </attribute> + + <attribute name="mailerpath" a:defaultValue="/PATH/TO/SENDMAIL"> + <text/> + </attribute> + + <attribute name="syslog" a:defaultValue="authpriv"> + <choice> + <value>auth</value> + <value>authpriv</value> + <value>daemon</value> + <value>user</value> + <value>local0</value> + <value>local1</value> + <value>local2</value> + <value>local3</value> + <value>local4</value> + <value>local5</value> + <value>local6</value> + <value>local7</value> + <value>off</value> + </choice> + </attribute> + + <attribute name="verifypw" a:defaultValue="all"> + <choice> + <value>all</value> + <value>always</value> + <value>any</value> + <value>never</value> + </choice> + </attribute> + + <!-- list/boolean options --> + + <attribute name="env_check" a:defaultValue=""> + <list> + <oneOrMore> + <data type="string"/> + </oneOrMore> + </list> + </attribute> + + <attribute name="env_delete" a:defaultValue=""> + <list> + <oneOrMore> + <data type="string"/> + </oneOrMore> + </list> + </attribute> + + <attribute name="env_keep" a:defaultValue=""> + <list> + <oneOrMore> + <data type="string"/> + </oneOrMore> + </list> + </attribute> + + 
</choice> + </oneOrMore> + </element> + </optional> + + <zeroOrMore> <element name="command"> - <optional> - <element name="options"> - <ref name="options"/> - </element> - </optional> <element name="path"> <text/> @@ -44,21 +496,19 @@ <!-- XXX actually needs to be user,group,netgroup --> <zeroOrMore> <element name="runas"> - <ref name="username_pattern"/> + <data type="string"> + <param name="pattern">[A-Za-z0-9_-]{1,16}</param> + </data> + </element> </zeroOrMore> </element> <!-- command --> - </oneOrMore> + </zeroOrMore> </element> <!-- sudoers --> + </oneOrMore> + </element> <!-- ipa --> </start> - <define name="options"> - <zeroOrMore> - <choice> - <attribute name="dummy_attribute"/> - </choice> - </zeroOrMore> - </define> </grammar> diff --git a/sudoers/sudoers2xml b/sudoers/sudoers2xml index 4ce9b18..75bb6c9 100755 --- a/sudoers/sudoers2xml +++ b/sudoers/sudoers2xml @@ -37,7 +37,7 @@ $user_group_attributename{'user'}='uids'; my $did_defaults=0; print '<?xml version="1.0" encoding="UTF-8"?>'."\n"; -print '<ipa xmlns="http://freeipa.org/xml/rng/ipa/1.0">'."\n"; +print '<ipa xmlns="http://freeipa.org/xml/rng/sudo/sudoers/1.0">'."\n"; # parse sudoers one line at a time while (<>){ @@ -85,13 +85,14 @@ while (<>){ ##print "cn: defaults\n"; ##print "description: Default sudoOption's go here\n"; ##print "sudoOption: $_\n" foreach @options; - print '<sudoOptions xmlns="http://freeipa.org/xml/rng/sudo/sudoOptions/1.0" '; + ##print '<sudoOptions xmlns="http://freeipa.org/xml/rng/sudo/sudoOptions/1.0" '; + print tl() . "<sudoers name=\"ALL\" type=\"ALL\">\n<option "; #print "$_ " foreach @options; foreach ( split /,/, (join ',', @options) ) { $_ =~ s/=(.*)/=\"$1\"/; print "$_ "; } - print "/>\n"; + print "/></sudoers>\n"; print "\n"; } # Definition 
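Review bot: The `<!-- global option only -->` comment above `ignore_local_sudoers` is not enforced by the grammar: the attribute sits in the same `<option>` choice as every per-entry option, so a `<sudoers type="user">` entry carrying `ignore_local_sudoers="on"` validates even though the comment says sudo treats it as global only. Either move it (together with the `exempt_group` and `listpw` entries marked "possibly bad for us") into a defaults-only element, or replace the bare comment with an annotation on the attribute such as `<a:doc>Meaningful only in a global Defaults entry; not honoured per user, group or netgroup</a:doc>` so the limitation survives into anything generated from the schema. The `/PATH/TO/VI`, `/PATH/TO/SUDO_NOEXEC.SO` and `/PATH/TO/SENDMAIL` defaults are build-time placeholders rather than real paths; a consumer of `a:defaultValue` would present them verbatim, so mark them as placeholders or drop the default. As far as the visible lines show, the `xmlns:ui` prefix declared at the top of the hunk is not used anywhere in it.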
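Review bot: The inline `[A-Za-z0-9_-]{1,16}` pattern on `runas` is the third copy of the same regex in this commit (`runas_default` and `timestampowner` carry it too) now that the `username.rng` include and its `username_pattern` ref are gone, so the three will drift; declare it once, e.g. `<define name="username_pattern"><data type="string"><param name="pattern">[A-Za-z0-9_-]{1,16}</param></data></define>`, and use `<ref name="username_pattern"/>` in all three places. As the `XXX` context comment above already notes, the pattern also admits only plain user names: a `%group` or `+netgroup` runas, which sudoers2xml presumably passes into `<runas>` unchanged from the `(...)` list, will not validate, and the 16-character cap rejects longer but valid names. The pattern should be widened or the group/netgroup alternatives added before the converter's output is expected to validate against this grammar.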
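Review bot: The new `print tl() . "<sudoers name=\"ALL\" type=\"ALL\">\n<option ";` emits `type="ALL"`, but the `type` attribute added to sudoers.rng in this same commit is an enumeration of `user`, `posixGroup` and `netgroup`, so the Defaults entry will fail validation against the schema it targets. The option loop below it (existing context, but now feeding an `<option` element) prints options without `=` as bare words — `env_reset ` instead of the `env_reset="on"` the schema's on/off attributes expect — and a `!flag` negation becomes an attribute name containing `!`, both of which make the element malformed. The values are also interpolated with no XML escaping, so a `badpass_message` or `mailsub` containing `"` or `&` breaks the document; at minimum map bare `flag`/`!flag` to `flag="on"`/`flag="off"` and pass `$1` through a small escaping helper (e.g. `xml_escape`) that rewrites `&`, `<` and `"` before quoting it. The enclosing `while (<>)` loop starts and ends outside this hunk.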
@@ -105,15 +106,16 @@ while (<>){
 my $type="user";
 $type="posixGroup" if $user =~ s/^%//;
 $type="netgroup" if $user =~ s/^\+//;
- print "<$type $user_group_namespaces{$type} $user_group_attributename{$type}=\"$user\">\n";
- tl(1);
+ ##print "<$type $user_group_namespaces{$type} $user_group_attributename{$type}=\"$user\">\n";
+ ##tl(1);
 # only "global" user options here!!!
 #if (@options) {
 # print tl() . '<sudoOptions xmlns="http://freeipa.org/xml/rng/sudo/sudoOptions/1.0"';
 # print "$_ " foreach @options;
 # print "/>\n";
 #}
- print tl() . '<sudoers xmlns="http://freeipa.org/xml/rng/sudo/sudoers/1.0">'."\n";
+ ##print tl() . '<sudoers xmlns="http://freeipa.org/xml/rng/sudo/sudoers/1.0">'."\n";
+ print tl() . "<sudoers name=\"$user\" type=\"$type\">\n";
 tl(1);
 #print Dumper(%CA, @cmds);
 my @mycmds=@cmds;
@@ -123,14 +125,14 @@ while (<>){
 if ( $command =~ s/^\(([^\)]+)\)\s*//) {
 $runas .= "<runas>$_</runas>" foreach expand(\%RA, split(/,\s*/, $1));
 }
- foreach (expand(\%CA,$command)) {
+ foreach my $exp_command (expand(\%CA,$command)) {
 my $tag='';
 if (@options) {
 $tag = '<tag>';
 $tag .= "$_ " foreach @options;
 $tag =~ s/ $/<\/tag>/;
 }
- print tl() . "<command><path>$_</path>$tag$runas</command>\n"
+ print tl() . "<command><path>$exp_command</path>$tag$runas</command>\n"
 }
 @options=();
 }
@@ -152,7 +154,7 @@ while (<>){
 ##}
 ##print "sudoCommand: $_\n" foreach expand(\%CA,@cmds);
 ##print "sudoOption: $_\n" foreach @options;
- print "</$type>\n";
+ ##print "</$type>\n";
 print "\n";
 }
 } |
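Review bot: `$user` is interpolated straight into the new `print tl() . "<sudoers name=\"$user\" type=\"$type\">\n";` with no XML escaping; it comes from the sudoers file being converted, so a name containing `"`, `&` or `<` silently yields malformed output, and the schema's `name` attribute has no pattern that would catch it downstream — escape it at the print. Where the matching `</sudoers>` is now closed is not visible in these hunks; the old `</$type>` close is commented out in the -152 hunk, so confirm the open tag is still paired. This hunk, together with the -85 and -152 hunks, keeps the replaced lines as `##`-commented copies (`##print "<$type ...`, `##tl(1);`, `##print tl() . '<sudoers xmlns=...`, `##print "</$type>\n";`); the history is in git, so delete them instead of adding a second layer of commented-out code next to the older single-`#` block. The enclosing `while (<>)` loop starts and ends outside this hunk.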
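Review bot: The new `print tl() . "<command><path>$exp_command</path>$tag$runas</command>\n"` line still has no terminating `;`; it only parses because it is the last statement in the block, and the next line added after it will break — add the semicolon. Naming the loop variable `$exp_command` is the right move, since the body no longer depends on `$_` surviving the `tl()` call and the inner `foreach @options`, but the four-line `$tag` build can be one statement with identical output: `$tag = '<tag>' . join(' ', @options) . '</tag>' if @options;`. Note that `$exp_command`, the joined options and `$runas` all go into the XML unescaped, the same concern as the attribute values elsewhere in this file. The enclosing `while (<>)` loop starts and ends outside this hunk.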