Diffstat (limited to 'sudoers/sudoers.rng')
-rw-r--r-- | sudoers/sudoers.rng | 874 |
1 files changed, 446 insertions, 428 deletions
diff --git a/sudoers/sudoers.rng b/sudoers/sudoers.rng
index e865118..9720a68 100644
--- a/sudoers/sudoers.rng
+++ b/sudoers/sudoers.rng
@@ -13,443 +13,461 @@ xmlns:ui="http://freeipa.org/xml/rng/ns/ui/1.0"> <a:xslt>sudoers.xsl</a:xslt> <a:version>0.5</a:version> - <start ns="http://freeipa.org/xml/rng/sudo/sudoers/1.0"> + <define name="rng_filename"><value>sudoers.rng</value></define> + <define name="xslt_filename"><value>sudoers.xslt</value></define> + <include href="policy_metadata.rng"/> + + <start> <element name="ipa"> <a:documentation>Doc test.</a:documentation> - <zeroOrMore> - <externalRef href="policy_association.rng"/> - </zeroOrMore> + <ref name="policy_metadata"/> - <externalRef href="policy_metadata.rng"/> + <element name="ipaconfig"> - <a:documentation>Here the definition for the generic part of the policy starts.</a:documentation> - <oneOrMore> - <element name="sudoers"> - <optional> - <element name="option"> - <oneOrMore> - <choice> - <!-- flag options --> - <element name="always_set_home" a:defaultValue="off"> - <choice> - <value>on</value> - <value>off</value> - </choice> - </element> - <element name="authenticate" a:defaultValue="on"> - <choice> - <value>on</value> - <value>off</value> - </choice> - </element> - <element name="env_editor" a:defaultValue="on"> - <choice> - <value>on</value> - <value>off</value> - </choice> - </element> - <element name="env_reset" a:defaultValue="off"> - <choice> - <value>on</value> - <value>off</value> - </choice> - </element> - <element name="fqdn" a:defaultValue="off"> - <choice> - <value>on</value> - <value>off</value> - </choice> - </element> - <!-- - this option is ignored by sudo - <element name="ignore_dot" a:defaultValue="on"> - <choice> - <value>on</value> - <value>off</value> - </choice> - </element> ---> - <!-- global option only --> - <element name="ignore_local_sudoers" a:defaultValue="off"> - <choice> - <value>on</value> - <value>off</value> - </choice> - </element> - <element name="insults" a:defaultValue="off"> - <choice> - <value>on</value> - <value>off</value> - </choice> - </element> - <element name="log_host" 
a:defaultValue="off"> - <choice> - <value>on</value> - <value>off</value> - </choice> - </element> - <element name="log_year" a:defaultValue="off"> - <choice> - <value>on</value> - <value>off</value> - </choice> - </element> - <element name="long_otp_prompt" a:defaultValue="off"> - <choice> - <value>on</value> - <value>off</value> - </choice> - </element> - <element name="mail_always" a:defaultValue="off"> - <choice> - <value>on</value> - <value>off</value> - </choice> - </element> - <element name="mail_badpass" - a:defaultValue="off"> - <choice> - <value>on</value> - <value>off</value> - </choice> - </element> - <element name="mail_no_host" - a:defaultValue="off"> - <choice> - <value>on</value> - <value>off</value> - </choice> - </element> - <element name="mail_no_perms" - a:defaultValue="off"> - <choice> - <value>on</value> - <value>off</value> - </choice> - </element> - <element name="mail_no_user" a:defaultValue="on"> - <choice> - <value>on</value> - <value>off</value> - </choice> - </element> - <element name="noexec" a:defaultValue="off"> - <choice> - <value>on</value> - <value>off</value> - </choice> - </element> - <element name="path_info" a:defaultValue="off"> - <choice> - <value>on</value> - <value>off</value> - </choice> - </element> - <element name="passprompt_override" a:defaultValue="off"> - <choice> - <value>on</value> - <value>off</value> - </choice> - </element> - <element name="preserve_groups" a:defaultValue="off"> - <choice> - <value>on</value> - <value>off</value> - </choice> - </element> - <element name="requiretty" a:defaultValue="off"> - <choice> - <value>on</value> - <value>off</value> - </choice> - </element> - <element name="root_sudo" a:defaultValue="on"> - <choice> - <value>on</value> - <value>off</value> - </choice> - </element> - <element name="rootpw" a:defaultValue="off"> - <choice> - <value>on</value> - <value>off</value> - </choice> - </element> - <element name="runaspw" a:defaultValue="off"> - <choice> - <value>on</value> - 
<value>off</value> - </choice> - </element> - <element name="set_home" a:defaultValue="off"> - <choice> - <value>on</value> - <value>off</value> - </choice> - </element> - <element name="set_logname" a:defaultValue="on"> - <choice> - <value>on</value> - <value>off</value> - </choice> - </element> - <element name="setenv" a:defaultValue="off"> - <choice> - <value>on</value> - <value>off</value> - </choice> - </element> - <element name="shell_noargs" a:defaultValue="off"> - <choice> - <value>on</value> - <value>off</value> - </choice> - </element> - <element name="stay_setuid" a:defaultValue="off"> - <choice> - <value>on</value> - <value>off</value> - </choice> - </element> - <element name="targetpw" a:defaultValue="off"> - <choice> - <value>on</value> - <value>off</value> - </choice> - </element> - <element name="tty_tickets" a:defaultValue="off"> - <choice> - <value>on</value> - <value>off</value> - </choice> - </element> - <!-- integer options --> - <element name="passwd_tries" a:defaultValue="3"> - <data type="integer"> - <param name="minInclusive">1</param> - <param name="maxInclusive">65535</param> - <!-- ??? --> - </data> - </element> - <!-- integer/boolean options --> - <element name="loglinelen" a:defaultValue="80"> - <data type="integer"> - <param name="minInclusive">0</param> - <param name="maxInclusive">65535</param> - <!-- ??? --> - </data> - </element> - <element name="passwd_timeout" a:defaultValue="0"> - <data type="integer"> - <param name="minInclusive">0</param> - <param name="maxInclusive">65535</param> - <!-- ??? --> - </data> - </element> - <element name="timestamp_timeout" a:defaultValue="5"> - <data type="integer"> - <param name="minInclusive">-1</param> - <param name="maxInclusive">65535</param> - <!-- ??? 
--> - </data> - </element> - <element name="umask" a:defaultValue="0022"> - <data type="string"> - <param name="pattern">(0[0-7]{3})</param> - </data> - </element> - <!-- string options --> - <element name="badpass_message" a:defaultValue="Sorry, try again."> - <text /> - </element> - <element name="editor" a:defaultValue="/PATH/TO/VI"> - <!-- NOTE: absolute path not required --> - <text /> - </element> - <element name="mailsub" a:defaultValue="*** SECURITY information for %h ***"> - <text /> - </element> - <element name="noexec_file" a:defaultValue="/PATH/TO/SUDO_NOEXEC.SO"> - <data type="string"> - <param name="pattern">/.*</param> - </data> - </element> - <element name="passprompt" a:defaultValue="Password:"> - <text /> - </element> - <element name="role" a:defaultValue=""> - <text /> - </element> - <element name="runas_default" a:defaultValue="root"> - <data type="string"> - <param name="pattern"> - [A-Za-z0-9_-]{1,16}</param> - </data> - </element> - <element name="syslog_badpri" a:defaultValue="alert"> - <choice> - <value>emerg</value> - <value>alert</value> - <value>crit</value> - <value>err</value> - <value>warning</value> - <value>notice</value> - <value>info</value> - <value>debug</value> - </choice> - </element> - <element name="syslog_goodpri" a:defaultValue="notice"> - <choice> - <value>emerg</value> - <value>alert</value> - <value>crit</value> - <value>err</value> - <value>warning</value> - <value>notice</value> - <value>info</value> - <value>debug</value> - </choice> - </element> - <element name="timestampdir" a:defaultValue="/var/db/sudo"> - <data type="string"> - <param name="pattern">/.*</param> - </data> - </element> - <element name="timestampowner" a:defaultValue="root"> - <data type="string"> - <param name="pattern"> - [A-Za-z0-9_-]{1,16}</param> - </data> - </element> - <element name="type" a:defaultValue=""> - <text /> - </element> - <!-- string/boolean options --> - <!-- possibly bad option for us --> - <element name="exempt_group" 
a:defaultValue="off"> - <text /> - </element> - <element name="lecture" a:defaultValue="once"> - <choice> - <value>always</value> - <value>never</value> - <value>once</value> - </choice> - </element> - <element name="lecture_file" a:defaultValue="built-in"> - <data type="string"> - <param name="pattern">(/.*|built-in)</param> - </data> - </element> - <!-- possibly bad for us --> - <element name="listpw" a:defaultValue="any"> - <choice> - <value>all</value> - <value>always</value> - <value>any</value> - <value>never</value> - </choice> - </element> - <element name="logfile" a:defaultValue="off"> - <data type="string"> - <param name="pattern">(/.*|off)</param> - </data> - </element> - <element name="mailerflags" a:defaultValue="-t"> - <text /> - </element> - <element name="mailerpath" a:defaultValue="/PATH/TO/SENDMAIL"> - <text /> - </element> - <element name="syslog" a:defaultValue="authpriv"> - <choice> - <value>auth</value> - <value>authpriv</value> - <value>daemon</value> - <value>user</value> - <value>local0</value> - <value>local1</value> - <value>local2</value> - <value>local3</value> - <value>local4</value> - <value>local5</value> - <value>local6</value> - <value>local7</value> - <value>off</value> - </choice> - </element> - <element name="verifypw" a:defaultValue="all"> - <choice> - <value>all</value> - <value>always</value> - <value>any</value> - <value>never</value> - </choice> - </element> - <!-- list/boolean options --> - <element name="env_check" a:defaultValue=""> - <list> - <oneOrMore> - <data type="string" /> - </oneOrMore> - </list> - </element> - <element name="env_delete" a:defaultValue=""> - <list> - <oneOrMore> - <data type="string" /> - </oneOrMore> - </list> - </element> - <element name="env_keep" a:defaultValue=""> - <list> - <oneOrMore> - <data type="string" /> - </oneOrMore> - </list> - </element> - </choice> - </oneOrMore> - </element> - </optional> - <zeroOrMore> - <element name="command"> - <element name="path"> - <text /> - </element> - 
<zeroOrMore> - <element name="args"> - <text /> + <a:documentation>Here the definition for the sudo specific part of the policy starts.</a:documentation> + <oneOrMore> + <element name="sudoers"> + <oneOrMore> + <element name="subject"> + <element name="name"> + <text/> </element> - </zeroOrMore> - <zeroOrMore> - <element name="tag"> + <element name="type"> <choice> - <value>NOPASSWD</value> - <value>PASSWD</value> - <value>NOEXEC</value> - <value>EXEC</value> - <value>SETENV</value> - <value>NOSETENV</value> + <value>posixUser</value> + <value>posixGroup</value> + <value>netgroup</value> + <value>IPAgroup</value> + <value>ALL</value> </choice> </element> - </zeroOrMore> - <!-- XXX actually needs to be user,group,netgroup --> - <zeroOrMore> - <element name="runas"> - <data type="string"> - <param name="pattern">[A-Za-z0-9_-]{1,16}</param> - </data> - </element> - </zeroOrMore> + </element> + </oneOrMore> + + <oneOrMore> + <choice> + <element name="command"> + <element name="path"> + <text /> + </element> + <zeroOrMore> + <element name="args"> + <text /> + </element> + </zeroOrMore> + <zeroOrMore> + <element name="tag"> + <choice> + <value>NOPASSWD</value> + <value>PASSWD</value> + <value>NOEXEC</value> + <value>EXEC</value> + <value>SETENV</value> + <value>NOSETENV</value> + </choice> + </element> + </zeroOrMore> + <!-- XXX actually needs to be user,group,netgroup --> + <zeroOrMore> + <element name="runas"> + <data type="string"> + <param name="pattern">[A-Za-z0-9_-]{1,16}</param> + </data> + </element> + </zeroOrMore> + </element> <!-- command --> + + <element name="option"> + <oneOrMore> + <choice> + <!-- flag options --> + <element name="always_set_home" a:defaultValue="off"> + <choice> + <value>on</value> + <value>off</value> + </choice> + </element> + <element name="authenticate" a:defaultValue="on"> + <choice> + <value>on</value> + <value>off</value> + </choice> + </element> + <element name="env_editor" a:defaultValue="on"> + <choice> + <value>on</value> + 
<value>off</value> + </choice> + </element> + <element name="env_reset" a:defaultValue="off"> + <choice> + <value>on</value> + <value>off</value> + </choice> + </element> + <element name="fqdn" a:defaultValue="off"> + <choice> + <value>on</value> + <value>off</value> + </choice> + </element> + <!-- + this option is ignored by sudo + <element name="ignore_dot" a:defaultValue="on"> + <choice> + <value>on</value> + <value>off</value> + </choice> </element> - <!-- command --> - </zeroOrMore> - </element> - <!-- sudoers --> - </oneOrMore> - </element> - <!-- ipa --> + --> + <!-- global option only --> + <element name="ignore_local_sudoers" a:defaultValue="off"> + <choice> + <value>on</value> + <value>off</value> + </choice> + </element> + <element name="insults" a:defaultValue="off"> + <choice> + <value>on</value> + <value>off</value> + </choice> + </element> + <element name="log_host" a:defaultValue="off"> + <choice> + <value>on</value> + <value>off</value> + </choice> + </element> + <element name="log_year" a:defaultValue="off"> + <choice> + <value>on</value> + <value>off</value> + </choice> + </element> + <element name="long_otp_prompt" a:defaultValue="off"> + <choice> + <value>on</value> + <value>off</value> + </choice> + </element> + <element name="mail_always" a:defaultValue="off"> + <choice> + <value>on</value> + <value>off</value> + </choice> + </element> + <element name="mail_badpass" + a:defaultValue="off"> + <choice> + <value>on</value> + <value>off</value> + </choice> + </element> + <element name="mail_no_host" + a:defaultValue="off"> + <choice> + <value>on</value> + <value>off</value> + </choice> + </element> + <element name="mail_no_perms" + a:defaultValue="off"> + <choice> + <value>on</value> + <value>off</value> + </choice> + </element> + <element name="mail_no_user" a:defaultValue="on"> + <choice> + <value>on</value> + <value>off</value> + </choice> + </element> + <element name="noexec" a:defaultValue="off"> + <choice> + <value>on</value> + 
<value>off</value> + </choice> + </element> + <element name="path_info" a:defaultValue="off"> + <choice> + <value>on</value> + <value>off</value> + </choice> + </element> + <element name="passprompt_override" a:defaultValue="off"> + <choice> + <value>on</value> + <value>off</value> + </choice> + </element> + <element name="preserve_groups" a:defaultValue="off"> + <choice> + <value>on</value> + <value>off</value> + </choice> + </element> + <element name="requiretty" a:defaultValue="off"> + <choice> + <value>on</value> + <value>off</value> + </choice> + </element> + <element name="root_sudo" a:defaultValue="on"> + <choice> + <value>on</value> + <value>off</value> + </choice> + </element> + <element name="rootpw" a:defaultValue="off"> + <choice> + <value>on</value> + <value>off</value> + </choice> + </element> + <element name="runaspw" a:defaultValue="off"> + <choice> + <value>on</value> + <value>off</value> + </choice> + </element> + <element name="set_home" a:defaultValue="off"> + <choice> + <value>on</value> + <value>off</value> + </choice> + </element> + <element name="set_logname" a:defaultValue="on"> + <choice> + <value>on</value> + <value>off</value> + </choice> + </element> + <element name="setenv" a:defaultValue="off"> + <choice> + <value>on</value> + <value>off</value> + </choice> + </element> + <element name="shell_noargs" a:defaultValue="off"> + <choice> + <value>on</value> + <value>off</value> + </choice> + </element> + <element name="stay_setuid" a:defaultValue="off"> + <choice> + <value>on</value> + <value>off</value> + </choice> + </element> + <element name="targetpw" a:defaultValue="off"> + <choice> + <value>on</value> + <value>off</value> + </choice> + </element> + <element name="tty_tickets" a:defaultValue="off"> + <choice> + <value>on</value> + <value>off</value> + </choice> + </element> + <!-- integer options --> + <element name="passwd_tries" a:defaultValue="3"> + <data type="integer"> + <param name="minInclusive">1</param> + <param 
name="maxInclusive">65535</param> + <!-- ??? --> + </data> + </element> + <!-- integer/boolean options --> + <element name="loglinelen" a:defaultValue="80"> + <data type="integer"> + <param name="minInclusive">0</param> + <param name="maxInclusive">65535</param> + <!-- ??? --> + </data> + </element> + <element name="passwd_timeout" a:defaultValue="0"> + <data type="integer"> + <param name="minInclusive">0</param> + <param name="maxInclusive">65535</param> + <!-- ??? --> + </data> + </element> + <element name="timestamp_timeout" a:defaultValue="5"> + <data type="integer"> + <param name="minInclusive">-1</param> + <param name="maxInclusive">65535</param> + <!-- ??? --> + </data> + </element> + <element name="umask" a:defaultValue="0022"> + <data type="string"> + <param name="pattern">(0[0-7]{3})</param> + </data> + </element> + <!-- string options --> + <element name="badpass_message" a:defaultValue="Sorry, try again."> + <text /> + </element> + <element name="editor" a:defaultValue="/PATH/TO/VI"> + <!-- NOTE: absolute path not required --> + <text /> + </element> + <element name="mailsub" a:defaultValue="*** SECURITY information for %h ***"> + <text /> + </element> + <element name="noexec_file" a:defaultValue="/PATH/TO/SUDO_NOEXEC.SO"> + <data type="string"> + <param name="pattern">/.*</param> + </data> + </element> + <element name="passprompt" a:defaultValue="Password:"> + <text /> + </element> + <element name="role" a:defaultValue=""> + <text /> + </element> + <element name="runas_default" a:defaultValue="root"> + <data type="string"> + <param name="pattern"> + [A-Za-z0-9_-]{1,16}</param> + </data> + </element> + <element name="syslog_badpri" a:defaultValue="alert"> + <choice> + <value>emerg</value> + <value>alert</value> + <value>crit</value> + <value>err</value> + <value>warning</value> + <value>notice</value> + <value>info</value> + <value>debug</value> + </choice> + </element> + <element name="syslog_goodpri" a:defaultValue="notice"> + <choice> + 
<value>emerg</value> + <value>alert</value> + <value>crit</value> + <value>err</value> + <value>warning</value> + <value>notice</value> + <value>info</value> + <value>debug</value> + </choice> + </element> + <element name="timestampdir" a:defaultValue="/var/db/sudo"> + <data type="string"> + <param name="pattern">/.*</param> + </data> + </element> + <element name="timestampowner" a:defaultValue="root"> + <data type="string"> + <param name="pattern"> + [A-Za-z0-9_-]{1,16}</param> + </data> + </element> + <element name="type" a:defaultValue=""> + <text /> + </element> + <!-- string/boolean options --> + <!-- possibly bad option for us --> + <element name="exempt_group" a:defaultValue="off"> + <text /> + </element> + <element name="lecture" a:defaultValue="once"> + <choice> + <value>always</value> + <value>never</value> + <value>once</value> + </choice> + </element> + <element name="lecture_file" a:defaultValue="built-in"> + <data type="string"> + <param name="pattern">(/.*|built-in)</param> + </data> + </element> + <!-- possibly bad for us --> + <element name="listpw" a:defaultValue="any"> + <choice> + <value>all</value> + <value>always</value> + <value>any</value> + <value>never</value> + </choice> + </element> + <element name="logfile" a:defaultValue="off"> + <data type="string"> + <param name="pattern">(/.*|off)</param> + </data> + </element> + <element name="mailerflags" a:defaultValue="-t"> + <text /> + </element> + <element name="mailerpath" a:defaultValue="/PATH/TO/SENDMAIL"> + <text /> + </element> + <element name="syslog" a:defaultValue="authpriv"> + <choice> + <value>auth</value> + <value>authpriv</value> + <value>daemon</value> + <value>user</value> + <value>local0</value> + <value>local1</value> + <value>local2</value> + <value>local3</value> + <value>local4</value> + <value>local5</value> + <value>local6</value> + <value>local7</value> + <value>off</value> + </choice> + </element> + <element name="verifypw" a:defaultValue="all"> + <choice> + 
<value>all</value> + <value>always</value> + <value>any</value> + <value>never</value> + </choice> + </element> + <!-- list/boolean options --> + <element name="env_check" a:defaultValue=""> + <list> + <oneOrMore> + <data type="string" /> + </oneOrMore> + </list> + </element> + <element name="env_delete" a:defaultValue=""> + <list> + <oneOrMore> + <data type="string" /> + </oneOrMore> + </list> + </element> + <element name="env_keep" a:defaultValue=""> + <list> + <oneOrMore> + <data type="string" /> + </oneOrMore> + </list> + </element> + </choice> + </oneOrMore> + </element> + </choice> + </oneOrMore> + </element> <!-- sudoers --> + </oneOrMore> + </element> <!-- ipaconfig --> + </element> <!-- ipa --> </start> </grammar> |
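Review bot: The new `xslt_filename` define names `sudoers.xslt`, but the retained `<a:xslt>` annotation at the top of the hunk says `sudoers.xsl`, so whatever consumes the define (presumably the included policy_metadata.rng, which is outside this diff) will look for a different stylesheet than the grammar advertises; whichever file is real, make the two agree, e.g. `<define name="xslt_filename"><value>sudoers.xsl</value></define>`. Moving `<element name="option">` into the `<oneOrMore><choice>` beside `command` also lets a single sudoers rule carry several `option` blocks in any order, with nothing in the schema saying which wins when two set the same flag to different values; if one block per rule was intended, keep `command` under `<oneOrMore>` and wrap `option` in `<optional>` as the old schema did. The command `path` is still a bare `<text />`, whereas the same hunk constrains `noexec_file` and `timestampdir` with `/.*`; since sudoers entries normally require fully qualified command names (or `ALL`), a pattern such as `(/.*|ALL)` would reject relative or empty paths at validation time instead of at deploy time. The `runas` pattern still carries the `XXX actually needs to be user,group,netgroup` comment and caps names at 16 characters while the new `subject/name` is unconstrained, so the two subject-like fields now validate inconsistently. Finally, dropping the `ns` attribute from `<start>` changes which namespace instance documents must use, yet `<a:version>` stays at 0.5, so existing documents will fail validation with no version signal explaining why.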