Diffstat (limited to 'doc/cvtsudoers.cat')
-rw-r--r-- | doc/cvtsudoers.cat | 282 |
1 files changed, 282 insertions, 0 deletions
diff --git a/doc/cvtsudoers.cat b/doc/cvtsudoers.cat new file mode 100644 index 0000000..d6fcbe3 --- /dev/null +++ b/doc/cvtsudoers.cat 
@@ -0,0 +1,282 @@ +CVTSUDOERS(1) General Commands Manual CVTSUDOERS(1) + +NNAAMMEE + ccvvttssuuddooeerrss - convert between sudoers file formats + +SSYYNNOOPPSSIISS + ccvvttssuuddooeerrss [--eehhMMppVV] [--bb _d_n] [--cc _c_o_n_f___f_i_l_e] [--dd _d_e_f_t_y_p_e_s] + [--ff _o_u_t_p_u_t___f_o_r_m_a_t] [--ii _i_n_p_u_t___f_o_r_m_a_t] [--II _i_n_c_r_e_m_e_n_t] + [--mm _f_i_l_t_e_r] [--oo _o_u_t_p_u_t___f_i_l_e] [--OO _s_t_a_r_t___p_o_i_n_t] [--PP _p_a_d_d_i_n_g] + [--ss _s_e_c_t_i_o_n_s] [_i_n_p_u_t___f_i_l_e] + +DDEESSCCRRIIPPTTIIOONN + ccvvttssuuddooeerrss can be used to convert between _s_u_d_o_e_r_s security policy file + formats. The default input format is sudoers. The default output format + is LDIF. It is only possible to convert a _s_u_d_o_e_r_s file that is + syntactically correct. + + If no _i_n_p_u_t___f_i_l_e is specified, or if it is `-', the policy is read from + the standard input. By default, the result is written to the standard + output. + + The options are as follows: + + --bb _d_n, ----bbaassee=_d_n + The base DN (distinguished name) that will be used when + performing LDAP queries. Typically this is of the form + ou=SUDOers,dc=my-domain,dc=com for the domain my-domain.com. + If this option is not specified, the value of the + SUDOERS_BASE environment variable will be used instead. Only + necessary when converting to LDIF format. + + --cc _c_o_n_f___f_i_l_e, ----ccoonnffiigg=_c_o_n_f___f_i_l_e + Specify the path to the configuration file. Defaults to + _/_e_t_c_/_c_v_t_s_u_d_o_e_r_s_._c_o_n_f. + + --dd _d_e_f_t_y_p_e_s, ----ddeeffaauullttss=_d_e_f_t_y_p_e_s + Only convert Defaults entries of the specified types. One or + more Defaults types may be specified, separated by a comma + (`,'). The supported types are: + + all All Defaults entries. + + global Global Defaults entries that are applied regardless + of user, runas, host or command. + + user Per-user Defaults entries. + + runas Per-runas user Defaults entries. 
+ + host Per-host Defaults entries. + + command Per-command Defaults entries. + + See the DDeeffaauullttss section in sudoers(4) for more information. + + If the --dd option is not specified, all Defaults entries will + be converted. + + --ee, ----eexxppaanndd--aalliiaasseess + Expand aliases in _i_n_p_u_t___f_i_l_e. Aliases are preserved by + default when the output _f_o_r_m_a_t is JSON or sudoers. + + --ff _o_u_t_p_u_t___f_o_r_m_a_t, ----oouuttppuutt--ffoorrmmaatt=_o_u_t_p_u_t___f_o_r_m_a_t + Specify the output format (case-insensitive). The following + formats are supported: + + JSON JSON (JavaScript Object Notation) files are usually + easier for third-party applications to consume than + the traditional _s_u_d_o_e_r_s format. The various values + have explicit types which removes much of the + ambiguity of the _s_u_d_o_e_r_s format. + + LDIF LDIF (LDAP Data Interchange Format) files can be + imported into an LDAP server for use with + sudoers.ldap(4). + + Conversion to LDIF has the following limitations: + + ++oo Command, host, runas and user-specific Defaults + lines cannot be translated as they don't have an + equivalent in the sudoers LDAP schema. + + ++oo Command, host, runas and user aliases are not + supported by the sudoers LDAP schema so they are + expanded during the conversion. + + sudoers Traditional sudoers format. A new sudoers file + will be reconstructed from the parsed input file. + Comments are not preserved and data from any + include files will be output inline. + + --hh, ----hheellpp Display a short help message to the standard output and exit. + + --ii _i_n_p_u_t___f_o_r_m_a_t, ----iinnppuutt--ffoorrmmaatt=_i_n_p_u_t___f_o_r_m_a_t + Specify the input format. The following formats are + supported: + + LDIF LDIF (LDAP Data Interchange Format) files can be + exported from an LDAP server to convert security + policies used by sudoers.ldap(4). 
If a base DN + (distinguished name) is specified, only sudoRole + objects that match the base DN will be processed. + Not all sudoOptions specified in a sudoRole can be + translated from LDIF to sudoers format. + + sudoers Traditional sudoers format. This is the default + input format. + + --II _i_n_c_r_e_m_e_n_t, ----iinnccrreemmeenntt=_i_n_c_r_e_m_e_n_t + When generating LDIF output, increment each sudoOrder + attribute by the specified number. Defaults to an increment + of 1. + + --mm _f_i_l_t_e_r, ----mmaattcchh=_f_i_l_t_e_r + Only output rules that match the specified _f_i_l_t_e_r. A _f_i_l_t_e_r + expression is made up of one or more kkeeyy == _v_a_l_u_e pairs, + separated by a comma (`,'). The kkeeyy may be "user", "group" + or "host". For example, uusseerr = _o_p_e_r_a_t_o_r or hhoosstt = _w_w_w. An + upper-case User_Alias or Host_Alias may be specified as the + "user" or "host". + + A matching _s_u_d_o_e_r_s rule may also include users, groups and + hosts that are not part of the _f_i_l_t_e_r. This can happen when + a rule includes multiple users, groups or hosts. To prune + out any non-matching user, group or host from the rules, the + --pp option may be used. + + By default, the password and group databases are not + consulted when matching against the filter so the users and + groups do not need to be present on the local system (see the + --MM option). Only aliases that are referenced by the filtered + policy rules will be displayed. + + --MM, ----mmaattcchh--llooccaall + When the --mm option is also specified, use password and group + database information when matching users and groups in the + filter. Only users and groups in the filter that exist on + the local system will match, and a user's groups will + automatically be added to the filter. If the --MM is _n_o_t + specified, users and groups in the filter do not need to + exist on the local system, but all groups used for matching + must be explicitly listed in the filter. 
+ + --oo _o_u_t_p_u_t___f_i_l_e, ----oouuttppuutt=_o_u_t_p_u_t___f_i_l_e + Write the converted output to _o_u_t_p_u_t___f_i_l_e. If no _o_u_t_p_u_t___f_i_l_e + is specified, or if it is `-', the converted _s_u_d_o_e_r_s policy + will be written to the standard output. + + --OO _s_t_a_r_t___p_o_i_n_t, ----oorrddeerr--ssttaarrtt=_s_t_a_r_t___p_o_i_n_t + When generating LDIF output, use the number specified by + _s_t_a_r_t___p_o_i_n_t in the sudoOrder attribute of the first sudoRole + object. Subsequent sudoRole object use a sudoOrder value + generated by adding an _i_n_c_r_e_m_e_n_t, see the --II option for + details. Defaults to a starting point of 1. A starting + point of 0 will disable the generation of sudoOrder + attributes in the resulting LDIF file. + + --pp, ----pprruunnee--mmaattcchheess + When the --mm option is also specified, ccvvttssuuddooeerrss will prune + out non-matching users, groups and hosts from matching + entries. + + --PP _p_a_d_d_i_n_g, ----ppaaddddiinngg=_p_a_d_d_i_n_g + When generating LDIF output, construct the initial sudoOrder + value by concatenating _o_r_d_e_r___s_t_a_r_t and _i_n_c_r_e_m_e_n_t, padding the + _i_n_c_r_e_m_e_n_t with zeros until it consists of _p_a_d_d_i_n_g digits. + For example, if _o_r_d_e_r___s_t_a_r_t is 1027, _p_a_d_d_i_n_g is 3, and + _i_n_c_r_e_m_e_n_t is 1, the value of sudoOrder for the first entry + will be 1027000, followed by 1027001, 1027002, etc. If the + number of sudoRole entries is larger than the padding would + allow, ccvvttssuuddooeerrss will exit with an error. By default, no + padding is performed. + + --ss _s_e_c_t_i_o_n_s, ----ssuupppprreessss=_s_e_c_t_i_o_n_s + Suppress the output of specific _s_e_c_t_i_o_n_s of the security + policy. One or more section names may be specified, + separated by a comma (`,'). The supported section name are: + ddeeffaauullttss, aalliiaasseess and pprriivviilleeggeess (which may be shortened to + pprriivvss). 
+ + --VV, ----vveerrssiioonn + Print the ccvvttssuuddooeerrss and _s_u_d_o_e_r_s grammar versions and exit. + + Options in the form "keyword = value" may also be specified in a + configuration file, _/_e_t_c_/_c_v_t_s_u_d_o_e_r_s_._c_o_n_f by default. The following + keywords are recognized: + + ddeeffaauullttss == _d_e_f_t_y_p_e_s + See the description of the --dd command line option. + + eexxppaanndd__aalliiaasseess == _y_e_s | _n_o + See the description of the --ee command line option. + + iinnppuutt__ffoorrmmaatt == _l_d_i_f | _s_u_d_o_e_r_s + See the description of the --ii command line option. + + mmaattcchh == _f_i_l_t_e_r + See the description of the --mm command line option. + + oorrddeerr__iinnccrreemmeenntt == _i_n_c_r_e_m_e_n_t + See the description of the --II command line option. + + oorrddeerr__ssttaarrtt == _s_t_a_r_t___p_o_i_n_t + See the description of the --OO command line option. + + oouuttppuutt__ffoorrmmaatt == _j_s_o_n | _l_d_i_f | _s_u_d_o_e_r_s + See the description of the --ff command line option. + + ppaaddddiinngg == _p_a_d_d_i_n_g + See the description of the --PP command line option. + + pprruunnee__mmaattcchheess == _y_e_s | _n_o + See the description of the --pp command line option. + + ssuuddooeerrss__bbaassee == _d_n + See the description of the --bb command line option. + + ssuupppprreessss == _s_e_c_t_i_o_n_s + See the description of the --ss command line option. + + Options on the command line will override values from the configuration + file. 
+ +FFIILLEESS + _/_e_t_c_/_c_v_t_s_u_d_o_e_r_s_._c_o_n_f default configuration for cvtsudoers + +EEXXAAMMPPLLEESS + Convert _/_e_t_c_/_s_u_d_o_e_r_s to LDIF (LDAP Data Interchange Format) where the + _l_d_a_p_._c_o_n_f file uses a _s_u_d_o_e_r_s___b_a_s_e of my-domain,dc=com, storing the + result in _s_u_d_o_e_r_s_._l_d_i_f: + + $ cvtsudoers -b ou=SUDOers,dc=my-domain,dc=com -o sudoers.ldif \ + /etc/sudoers + + Convert _/_e_t_c_/_s_u_d_o_e_r_s to JSON format, storing the result in _s_u_d_o_e_r_s_._j_s_o_n: + + $ cvtsudoers -f json -o sudoers.json /etc/sudoers + + Parse _/_e_t_c_/_s_u_d_o_e_r_s and display only rules that match user _a_m_b_r_o_s_e on host + _h_a_s_t_u_r: + + $ cvtsudoers -f sudoers -m user=ambrose,host=hastur /etc/sudoers + + Same as above, but expand aliases and prune out any non-matching users + and hosts from the expanded entries. + + $ cvtsudoers -ep -f sudoers -m user=ambrose,host=hastur /etc/sudoers + + Convert _s_u_d_o_e_r_s_._l_d_i_f from LDIF to traditional _s_u_d_o_e_r_s format: + + $ cvtsudoers -i ldif -f sudoers -o sudoers.new sudoers.ldif + +SSEEEE AALLSSOO + sudoers(4), sudoers.ldap(4), sudo(1m) + +AAUUTTHHOORRSS + Many people have worked on ssuuddoo over the years; this version consists of + code written primarily by: + + Todd C. Miller + + See the CONTRIBUTORS file in the ssuuddoo distribution + (https://www.sudo.ws/contributors.html) for an exhaustive list of people + who have contributed to ssuuddoo. + +BBUUGGSS + If you feel you have found a bug in ccvvttssuuddooeerrss, please submit a bug + report at https://bugzilla.sudo.ws/ + +SSUUPPPPOORRTT + Limited free support is available via the sudo-users mailing list, see + https://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or search + the archives. 
+ +DDIISSCCLLAAIIMMEERR + ccvvttssuuddooeerrss is provided "AS IS" and any express or implied warranties, + including, but not limited to, the implied warranties of merchantability + and fitness for a particular purpose are disclaimed. See the LICENSE + file distributed with ssuuddoo or https://www.sudo.ws/license.html for + complete details. + +Sudo 1.8.26 December 11, 2018 Sudo 1.8.26 |
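Review bot: the first EXAMPLES entry contradicts its own command line: the prose says the ldap.conf file "uses a sudoers_base of my-domain,dc=com" while the command passes `-b ou=SUDOers,dc=my-domain,dc=com`; make the prose read "a sudoers_base of ou=SUDOers,dc=my-domain,dc=com" (or change the command to match), otherwise a reader copying the prose value will generate LDIF for the wrong base DN. Second, the -b option text says it is "Only necessary when converting to LDIF format", but the -i ldif paragraph states that when a base DN is specified "only sudoRole objects that match the base DN will be processed", so -b also filters LDIF input; reword the -b paragraph to cover both directions. Smaller fixes in the same hunk: "Subsequent sudoRole object use a sudoOrder value" should be "objects use"; "The supported section name are" should be "names are"; "If the -M is not specified" is missing "option"; and the -P paragraph refers to order_start where the -O option calls the same value start_point. Since the sudoers output format is documented as dropping comments and inlining include files, the EXAMPLES that write a new sudoers file should also tell readers to check the regenerated file with visudo -c before installing it.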