Diffstat (limited to 'doc/cvtsudoers.cat')
-rw-r--r-- doc/cvtsudoers.cat 282
1 files changed, 282 insertions, 0 deletions
diff --git a/doc/cvtsudoers.cat b/doc/cvtsudoers.cat
new file mode 100644
index 0000000..d6fcbe3
--- /dev/null
+++ b/doc/cvtsudoers.cat
@@ -0,0 +1,282 @@
+CVTSUDOERS(1) General Commands Manual CVTSUDOERS(1)
+
+NNAAMMEE
+ ccvvttssuuddooeerrss - convert between sudoers file formats
+
+SSYYNNOOPPSSIISS
+ ccvvttssuuddooeerrss [--eehhMMppVV] [--bb _d_n] [--cc _c_o_n_f___f_i_l_e] [--dd _d_e_f_t_y_p_e_s]
+ [--ff _o_u_t_p_u_t___f_o_r_m_a_t] [--ii _i_n_p_u_t___f_o_r_m_a_t] [--II _i_n_c_r_e_m_e_n_t]
+ [--mm _f_i_l_t_e_r] [--oo _o_u_t_p_u_t___f_i_l_e] [--OO _s_t_a_r_t___p_o_i_n_t] [--PP _p_a_d_d_i_n_g]
+ [--ss _s_e_c_t_i_o_n_s] [_i_n_p_u_t___f_i_l_e]
+
+DDEESSCCRRIIPPTTIIOONN
+ ccvvttssuuddooeerrss can be used to convert between _s_u_d_o_e_r_s security policy file
+ formats. The default input format is sudoers. The default output format
+ is LDIF. It is only possible to convert a _s_u_d_o_e_r_s file that is
+ syntactically correct.
+
+ If no _i_n_p_u_t___f_i_l_e is specified, or if it is `-', the policy is read from
+ the standard input. By default, the result is written to the standard
+ output.
+
+ The options are as follows:
+
+ --bb _d_n, ----bbaassee=_d_n
+ The base DN (distinguished name) that will be used when
+ performing LDAP queries. Typically this is of the form
+ ou=SUDOers,dc=my-domain,dc=com for the domain my-domain.com.
+ If this option is not specified, the value of the
+ SUDOERS_BASE environment variable will be used instead. Only
+ necessary when converting to LDIF format.
+
+ --cc _c_o_n_f___f_i_l_e, ----ccoonnffiigg=_c_o_n_f___f_i_l_e
+ Specify the path to the configuration file. Defaults to
+ _/_e_t_c_/_c_v_t_s_u_d_o_e_r_s_._c_o_n_f.
+
+ --dd _d_e_f_t_y_p_e_s, ----ddeeffaauullttss=_d_e_f_t_y_p_e_s
+ Only convert Defaults entries of the specified types. One or
+ more Defaults types may be specified, separated by a comma
+ (`,'). The supported types are:
+
+ all All Defaults entries.
+
+ global Global Defaults entries that are applied regardless
+ of user, runas, host or command.
+
+ user Per-user Defaults entries.
+
+ runas Per-runas user Defaults entries.
+
+ host Per-host Defaults entries.
+
+ command Per-command Defaults entries.
+
+ See the DDeeffaauullttss section in sudoers(4) for more information.
+
+ If the --dd option is not specified, all Defaults entries will
+ be converted.
+
+ --ee, ----eexxppaanndd--aalliiaasseess
+ Expand aliases in _i_n_p_u_t___f_i_l_e. Aliases are preserved by
+ default when the output _f_o_r_m_a_t is JSON or sudoers.
+
+ --ff _o_u_t_p_u_t___f_o_r_m_a_t, ----oouuttppuutt--ffoorrmmaatt=_o_u_t_p_u_t___f_o_r_m_a_t
+ Specify the output format (case-insensitive). The following
+ formats are supported:
+
+ JSON JSON (JavaScript Object Notation) files are usually
+ easier for third-party applications to consume than
+ the traditional _s_u_d_o_e_r_s format. The various values
+ have explicit types which removes much of the
+ ambiguity of the _s_u_d_o_e_r_s format.
+
+ LDIF LDIF (LDAP Data Interchange Format) files can be
+ imported into an LDAP server for use with
+ sudoers.ldap(4).
+
+ Conversion to LDIF has the following limitations:
+
+ ++oo Command, host, runas and user-specific Defaults
+ lines cannot be translated as they don't have an
+ equivalent in the sudoers LDAP schema.
+
+ ++oo Command, host, runas and user aliases are not
+ supported by the sudoers LDAP schema so they are
+ expanded during the conversion.
+
+ sudoers Traditional sudoers format. A new sudoers file
+ will be reconstructed from the parsed input file.
+ Comments are not preserved and data from any
+ include files will be output inline.
+
+ --hh, ----hheellpp Display a short help message to the standard output and exit.
+
+ --ii _i_n_p_u_t___f_o_r_m_a_t, ----iinnppuutt--ffoorrmmaatt=_i_n_p_u_t___f_o_r_m_a_t
+ Specify the input format. The following formats are
+ supported:
+
+ LDIF LDIF (LDAP Data Interchange Format) files can be
+ exported from an LDAP server to convert security
+ policies used by sudoers.ldap(4). If a base DN
+ (distinguished name) is specified, only sudoRole
+ objects that match the base DN will be processed.
+ Not all sudoOptions specified in a sudoRole can be
+ translated from LDIF to sudoers format.
+
+ sudoers Traditional sudoers format. This is the default
+ input format.
+
+ --II _i_n_c_r_e_m_e_n_t, ----iinnccrreemmeenntt=_i_n_c_r_e_m_e_n_t
+ When generating LDIF output, increment each sudoOrder
+ attribute by the specified number. Defaults to an increment
+ of 1.
+
+ --mm _f_i_l_t_e_r, ----mmaattcchh=_f_i_l_t_e_r
+ Only output rules that match the specified _f_i_l_t_e_r. A _f_i_l_t_e_r
+ expression is made up of one or more kkeeyy == _v_a_l_u_e pairs,
+ separated by a comma (`,'). The kkeeyy may be "user", "group"
+ or "host". For example, uusseerr = _o_p_e_r_a_t_o_r or hhoosstt = _w_w_w. An
+ upper-case User_Alias or Host_Alias may be specified as the
+ "user" or "host".
+
+ A matching _s_u_d_o_e_r_s rule may also include users, groups and
+ hosts that are not part of the _f_i_l_t_e_r. This can happen when
+ a rule includes multiple users, groups or hosts. To prune
+ out any non-matching user, group or host from the rules, the
+ --pp option may be used.
+
+ By default, the password and group databases are not
+ consulted when matching against the filter so the users and
+ groups do not need to be present on the local system (see the
+ --MM option). Only aliases that are referenced by the filtered
+ policy rules will be displayed.
+
+ --MM, ----mmaattcchh--llooccaall
+ When the --mm option is also specified, use password and group
+ database information when matching users and groups in the
+ filter. Only users and groups in the filter that exist on
+ the local system will match, and a user's groups will
+ automatically be added to the filter. If the --MM is _n_o_t
+ specified, users and groups in the filter do not need to
+ exist on the local system, but all groups used for matching
+ must be explicitly listed in the filter.
+
+ --oo _o_u_t_p_u_t___f_i_l_e, ----oouuttppuutt=_o_u_t_p_u_t___f_i_l_e
+ Write the converted output to _o_u_t_p_u_t___f_i_l_e. If no _o_u_t_p_u_t___f_i_l_e
+ is specified, or if it is `-', the converted _s_u_d_o_e_r_s policy
+ will be written to the standard output.
+
+ --OO _s_t_a_r_t___p_o_i_n_t, ----oorrddeerr--ssttaarrtt=_s_t_a_r_t___p_o_i_n_t
+ When generating LDIF output, use the number specified by
+ _s_t_a_r_t___p_o_i_n_t in the sudoOrder attribute of the first sudoRole
+ object. Subsequent sudoRole object use a sudoOrder value
+ generated by adding an _i_n_c_r_e_m_e_n_t, see the --II option for
+ details. Defaults to a starting point of 1. A starting
+ point of 0 will disable the generation of sudoOrder
+ attributes in the resulting LDIF file.
+
+ --pp, ----pprruunnee--mmaattcchheess
+ When the --mm option is also specified, ccvvttssuuddooeerrss will prune
+ out non-matching users, groups and hosts from matching
+ entries.
+
+ --PP _p_a_d_d_i_n_g, ----ppaaddddiinngg=_p_a_d_d_i_n_g
+ When generating LDIF output, construct the initial sudoOrder
+ value by concatenating _o_r_d_e_r___s_t_a_r_t and _i_n_c_r_e_m_e_n_t, padding the
+ _i_n_c_r_e_m_e_n_t with zeros until it consists of _p_a_d_d_i_n_g digits.
+ For example, if _o_r_d_e_r___s_t_a_r_t is 1027, _p_a_d_d_i_n_g is 3, and
+ _i_n_c_r_e_m_e_n_t is 1, the value of sudoOrder for the first entry
+ will be 1027000, followed by 1027001, 1027002, etc. If the
+ number of sudoRole entries is larger than the padding would
+ allow, ccvvttssuuddooeerrss will exit with an error. By default, no
+ padding is performed.
+
+ --ss _s_e_c_t_i_o_n_s, ----ssuupppprreessss=_s_e_c_t_i_o_n_s
+ Suppress the output of specific _s_e_c_t_i_o_n_s of the security
+ policy. One or more section names may be specified,
+ separated by a comma (`,'). The supported section name are:
+ ddeeffaauullttss, aalliiaasseess and pprriivviilleeggeess (which may be shortened to
+ pprriivvss).
+
+ --VV, ----vveerrssiioonn
+ Print the ccvvttssuuddooeerrss and _s_u_d_o_e_r_s grammar versions and exit.
+
+ Options in the form "keyword = value" may also be specified in a
+ configuration file, _/_e_t_c_/_c_v_t_s_u_d_o_e_r_s_._c_o_n_f by default. The following
+ keywords are recognized:
+
+ ddeeffaauullttss == _d_e_f_t_y_p_e_s
+ See the description of the --dd command line option.
+
+ eexxppaanndd__aalliiaasseess == _y_e_s | _n_o
+ See the description of the --ee command line option.
+
+ iinnppuutt__ffoorrmmaatt == _l_d_i_f | _s_u_d_o_e_r_s
+ See the description of the --ii command line option.
+
+ mmaattcchh == _f_i_l_t_e_r
+ See the description of the --mm command line option.
+
+ oorrddeerr__iinnccrreemmeenntt == _i_n_c_r_e_m_e_n_t
+ See the description of the --II command line option.
+
+ oorrddeerr__ssttaarrtt == _s_t_a_r_t___p_o_i_n_t
+ See the description of the --OO command line option.
+
+ oouuttppuutt__ffoorrmmaatt == _j_s_o_n | _l_d_i_f | _s_u_d_o_e_r_s
+ See the description of the --ff command line option.
+
+ ppaaddddiinngg == _p_a_d_d_i_n_g
+ See the description of the --PP command line option.
+
+ pprruunnee__mmaattcchheess == _y_e_s | _n_o
+ See the description of the --pp command line option.
+
+ ssuuddooeerrss__bbaassee == _d_n
+ See the description of the --bb command line option.
+
+ ssuupppprreessss == _s_e_c_t_i_o_n_s
+ See the description of the --ss command line option.
+
+ Options on the command line will override values from the configuration
+ file.
+
+FFIILLEESS
+ _/_e_t_c_/_c_v_t_s_u_d_o_e_r_s_._c_o_n_f default configuration for cvtsudoers
+
+EEXXAAMMPPLLEESS
+ Convert _/_e_t_c_/_s_u_d_o_e_r_s to LDIF (LDAP Data Interchange Format) where the
+ _l_d_a_p_._c_o_n_f file uses a _s_u_d_o_e_r_s___b_a_s_e of my-domain,dc=com, storing the
+ result in _s_u_d_o_e_r_s_._l_d_i_f:
+
+ $ cvtsudoers -b ou=SUDOers,dc=my-domain,dc=com -o sudoers.ldif \
+ /etc/sudoers
+
+ Convert _/_e_t_c_/_s_u_d_o_e_r_s to JSON format, storing the result in _s_u_d_o_e_r_s_._j_s_o_n:
+
+ $ cvtsudoers -f json -o sudoers.json /etc/sudoers
+
+ Parse _/_e_t_c_/_s_u_d_o_e_r_s and display only rules that match user _a_m_b_r_o_s_e on host
+ _h_a_s_t_u_r:
+
+ $ cvtsudoers -f sudoers -m user=ambrose,host=hastur /etc/sudoers
+
+ Same as above, but expand aliases and prune out any non-matching users
+ and hosts from the expanded entries.
+
+ $ cvtsudoers -ep -f sudoers -m user=ambrose,host=hastur /etc/sudoers
+
+ Convert _s_u_d_o_e_r_s_._l_d_i_f from LDIF to traditional _s_u_d_o_e_r_s format:
+
+ $ cvtsudoers -i ldif -f sudoers -o sudoers.new sudoers.ldif
+
+SSEEEE AALLSSOO
+ sudoers(4), sudoers.ldap(4), sudo(1m)
+
+AAUUTTHHOORRSS
+ Many people have worked on ssuuddoo over the years; this version consists of
+ code written primarily by:
+
+ Todd C. Miller
+
+ See the CONTRIBUTORS file in the ssuuddoo distribution
+ (https://www.sudo.ws/contributors.html) for an exhaustive list of people
+ who have contributed to ssuuddoo.
+
+BBUUGGSS
+ If you feel you have found a bug in ccvvttssuuddooeerrss, please submit a bug
+ report at https://bugzilla.sudo.ws/
+
+SSUUPPPPOORRTT
+ Limited free support is available via the sudo-users mailing list, see
+ https://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or search
+ the archives.
+
+DDIISSCCLLAAIIMMEERR
+ ccvvttssuuddooeerrss is provided "AS IS" and any express or implied warranties,
+ including, but not limited to, the implied warranties of merchantability
+ and fitness for a particular purpose are disclaimed. See the LICENSE
+ file distributed with ssuuddoo or https://www.sudo.ws/license.html for
+ complete details.
+
+Sudo 1.8.26 December 11, 2018 Sudo 1.8.26
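Review bot: In EXAMPLES, the prose of the first example gives the sudoers_base as "my-domain,dc=com" while the command beneath it passes -b ou=SUDOers,dc=my-domain,dc=com; the text has lost the leading "ou=SUDOers,dc=" and should state the full DN so it agrees with the command and with the -b description. Two smaller points. The -P description calls the starting value order_start, whereas the -O option it depends on names its argument start_point; use one name in both places, or say explicitly that order_start is the value given to -O. The LDIF limitations under -f state that command, host, runas and user-specific Defaults lines "cannot be translated" but not whether they are skipped silently or reported; please document that behaviour, since anyone relying on those Defaults as restrictions needs to know they will be absent from the converted policy.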