diff options
Diffstat (limited to '')
71 files changed, 1286 insertions, 0 deletions
diff --git a/plugins/sudoers/regress/cvtsudoers/sudoers b/plugins/sudoers/regress/cvtsudoers/sudoers new file mode 100644 index 0000000..6f66083 --- /dev/null +++ b/plugins/sudoers/regress/cvtsudoers/sudoers @@ -0,0 +1,126 @@ +# +# Sample /etc/sudoers file. +# +# This file MUST be edited with the 'visudo' command as root. +# +# See the sudoers man page for the details on how to write a sudoers file. + +## +# Override built-in defaults +## +Defaults syslog=auth +Defaults>root !set_logname +Defaults:FULLTIMERS !lecture +Defaults:millert !authenticate +Defaults@SERVERS log_year, logfile=/var/log/sudo.log +Defaults!PAGERS noexec + +## +# User alias specification +## +User_Alias FULLTIMERS = millert, mikef, dowdy +User_Alias PARTTIMERS = bostley, jwfox, crawl +User_Alias WEBMASTERS = will, wendy, wim + +## +# Runas alias specification +## +Runas_Alias OP = root, operator +Runas_Alias DB = oracle, sybase + +## +# Host alias specification +## +Host_Alias SPARC = bigtime, eclipse, moet, anchor:\ + SGI = grolsch, dandelion, black:\ + ALPHA = widget, thalamus, foobar:\ + HPPA = boa, nag, python +Host_Alias CUNETS = 128.138.0.0/255.255.0.0 +Host_Alias CSNETS = 128.138.243.0, 128.138.204.0/24, 128.138.242.0 +Host_Alias SERVERS = master, mail, www, ns +Host_Alias CDROM = orion, perseus, hercules + +## +# Cmnd alias specification +## +Cmnd_Alias DUMPS = /usr/sbin/dump, /usr/sbin/rdump, /usr/sbin/restore, \ + /usr/sbin/rrestore, /usr/bin/mt, \ + sha224:0GomF8mNN3wlDt1HD9XldjJ3SNgpFdbjO1+NsQ== \ + /home/operator/bin/start_backups +Cmnd_Alias KILL = /usr/bin/kill, /usr/bin/top +Cmnd_Alias PRINTING = /usr/sbin/lpc, /usr/bin/lprm +Cmnd_Alias SHUTDOWN = /usr/sbin/shutdown +Cmnd_Alias HALT = /usr/sbin/halt +Cmnd_Alias REBOOT = /usr/sbin/reboot +Cmnd_Alias SHELLS = /sbin/sh, /usr/bin/sh, /usr/bin/csh, /usr/bin/ksh, \ + /usr/local/bin/tcsh, /usr/bin/rsh, \ + /usr/local/bin/zsh +Cmnd_Alias SU = /usr/bin/su +Cmnd_Alias VIPW = /usr/sbin/vipw, /usr/bin/passwd, /usr/bin/chsh, \ + /usr/bin/chfn +Cmnd_Alias PAGERS = /usr/bin/more, /usr/bin/pg, /usr/bin/less + +## +# User specification +## + +# root and users in group wheel can run anything on any machine as any user +root ALL = (ALL) ALL +%wheel ALL = (ALL) ALL + +# full time sysadmins can run anything on any machine without a password +FULLTIMERS ALL = NOPASSWD: ALL + +# part time sysadmins may run anything but need a password +PARTTIMERS ALL = ALL + +# jack may run anything on machines in CSNETS +jack CSNETS = ALL + +# lisa may run any command on any host in CUNETS (a class B network) +lisa CUNETS = ALL + +# operator may run maintenance commands and anything in /usr/oper/bin/ +operator ALL = DUMPS, KILL, SHUTDOWN, HALT, REBOOT, PRINTING,\ + sudoedit /etc/printcap, /usr/oper/bin/ + +# joe may su only to operator +joe ALL = /usr/bin/su operator + +# pete may change passwords for anyone but root on the hp snakes +pete HPPA = /usr/bin/passwd [A-Za-z]*, !/usr/bin/passwd *root* + +# bob may run anything on the sparc and sgi machines as any user +# listed in the Runas_Alias "OP" (ie: root and operator) +bob SPARC = (OP) ALL : SGI = (OP) ALL + +# fred can run commands as oracle or sybase without a password +fred ALL = (DB) NOPASSWD: ALL + +# on the alphas, john may su to anyone but root and flags are not allowed +john ALPHA = /usr/bin/su [!-]*, !/usr/bin/su *root* + +# jen can run anything on all machines except the ones +# in the "SERVERS" Host_Alias +jen ALL, !SERVERS = ALL + +# jill can run any commands in the directory /usr/bin/, except for +# those in the SU and SHELLS aliases. +jill SERVERS = /usr/bin/, !SU, !SHELLS + +# steve can run any command in the directory /usr/local/op_commands/ +# as user operator. +steve CSNETS = (operator) /usr/local/op_commands/ + +# matt needs to be able to kill things on his workstation when +# they get hung. +matt valkyrie = KILL + +# users in the WEBMASTERS User_Alias (will, wendy, and wim) +# may run any command as user www (which owns the web pages) +# or simply su to www. +WEBMASTERS www = (www) ALL, (root) /usr/bin/su www + +# anyone can mount/unmount a cd-rom on the machines in the CDROM alias +ALL CDROM = NOPASSWD: /sbin/umount /CDROM,\ + /sbin/mount -o nosuid\,nodev /dev/cd0a /CDROM diff --git a/plugins/sudoers/regress/cvtsudoers/sudoers.defs b/plugins/sudoers/regress/cvtsudoers/sudoers.defs new file mode 100755 index 0000000..c6bfa93 --- /dev/null +++ b/plugins/sudoers/regress/cvtsudoers/sudoers.defs @@ -0,0 +1,19 @@ +Defaults syslog=auth +Defaults>ROOT !set_logname +Defaults:FULLTIMERS !lecture +Defaults:millert !authenticate +Defaults@SERVERS log_year, logfile=/var/log/sudo.log +Defaults!PAGERS noexec + +User_Alias FULLTIMERS = millert, mikef, dowdy +User_Alias PARTTIMERS = bostley, jwfox, crawl + +Host_Alias SERVERS = master, mail, www, ns +Host_Alias CDROM = orion, perseus, hercules + +Cmnd_Alias VIPW = /usr/sbin/vipw, /usr/bin/passwd, /usr/bin/chsh, \ + /usr/bin/chfn +Cmnd_Alias PAGERS = /usr/bin/more, /usr/bin/pg, /usr/bin/less + +Runas_Alias ROOT = root, toor +Runas_Alias OPERATOR = operator, backup diff --git a/plugins/sudoers/regress/cvtsudoers/test1.out.ok b/plugins/sudoers/regress/cvtsudoers/test1.out.ok new file mode 100644 index 0000000..da3f555 --- /dev/null +++ b/plugins/sudoers/regress/cvtsudoers/test1.out.ok @@ -0,0 +1,14 @@ +Defaults syslog=auth +Defaults>root !set_logname +Defaults:FULLTIMERS !lecture +Defaults:millert !authenticate +Defaults!PAGERS noexec + +Host_Alias CDROM = orion, perseus, hercules +User_Alias FULLTIMERS = millert, mikef, dowdy +Cmnd_Alias PAGERS = /usr/bin/more, /usr/bin/pg, /usr/bin/less + +FULLTIMERS ALL = NOPASSWD: ALL + +ALL CDROM = NOPASSWD: /sbin/umount /CDROM, /sbin/mount -o nosuid\,nodev\ + /dev/cd0a /CDROM diff --git a/plugins/sudoers/regress/cvtsudoers/test1.sh b/plugins/sudoers/regress/cvtsudoers/test1.sh new file mode 100755 index 0000000..e2ff3cf --- /dev/null +++ b/plugins/sudoers/regress/cvtsudoers/test1.sh @@ -0,0 +1,9 @@ +#!/bin/sh +# +# Test user and host filters +# + +exec 2>&1 +./cvtsudoers -c "" -f sudoers -m user=millert,host=hercules $TESTDIR/sudoers + +exit 0 diff --git a/plugins/sudoers/regress/cvtsudoers/test10.out.ok b/plugins/sudoers/regress/cvtsudoers/test10.out.ok new file mode 100644 index 0000000..26a05d2 --- /dev/null +++ b/plugins/sudoers/regress/cvtsudoers/test10.out.ok @@ -0,0 +1 @@ +Defaults!PAGERS noexec diff --git a/plugins/sudoers/regress/cvtsudoers/test10.sh b/plugins/sudoers/regress/cvtsudoers/test10.sh new file mode 100755 index 0000000..25df83c --- /dev/null +++ b/plugins/sudoers/regress/cvtsudoers/test10.sh @@ -0,0 +1,9 @@ +#!/bin/sh +# +# Test command defaults filtering +# + +exec 2>&1 +./cvtsudoers -c "" -f sudoers -s aliases,privileges -d command $TESTDIR/sudoers + +exit 0 diff --git a/plugins/sudoers/regress/cvtsudoers/test11.out.ok b/plugins/sudoers/regress/cvtsudoers/test11.out.ok new file mode 100644 index 0000000..5c4c4e8 --- /dev/null +++ b/plugins/sudoers/regress/cvtsudoers/test11.out.ok @@ -0,0 +1,7 @@ +Defaults!PAGERS noexec + +Host_Alias CDROM = orion, perseus, hercules +Runas_Alias OPERATOR = operator, backup +Cmnd_Alias PAGERS = /usr/bin/more, /usr/bin/pg, /usr/bin/less +User_Alias PARTTIMERS = bostley, jwfox, crawl +Cmnd_Alias VIPW = /usr/sbin/vipw, /usr/bin/passwd, /usr/bin/chsh, /usr/bin/chfn diff --git a/plugins/sudoers/regress/cvtsudoers/test11.sh b/plugins/sudoers/regress/cvtsudoers/test11.sh new file mode 100755 index 0000000..1466689 --- /dev/null +++ b/plugins/sudoers/regress/cvtsudoers/test11.sh @@ -0,0 +1,7 @@ +#!/bin/sh +# +# Test that Aliases are removed when filtering by defaults type +# + +exec 2>&1 +./cvtsudoers -c "" -f sudoers -d command $TESTDIR/sudoers.defs diff --git a/plugins/sudoers/regress/cvtsudoers/test12.out.ok b/plugins/sudoers/regress/cvtsudoers/test12.out.ok new file mode 100644 index 0000000..7f2b15e --- /dev/null +++ b/plugins/sudoers/regress/cvtsudoers/test12.out.ok @@ -0,0 +1,8 @@ +Defaults:FULLTIMERS !lecture +Defaults:millert !authenticate + +Host_Alias CDROM = orion, perseus, hercules +User_Alias FULLTIMERS = millert, mikef, dowdy +Runas_Alias OPERATOR = operator, backup +User_Alias PARTTIMERS = bostley, jwfox, crawl +Cmnd_Alias VIPW = /usr/sbin/vipw, /usr/bin/passwd, /usr/bin/chsh, /usr/bin/chfn diff --git a/plugins/sudoers/regress/cvtsudoers/test12.sh b/plugins/sudoers/regress/cvtsudoers/test12.sh new file mode 100755 index 0000000..ea0f6bc --- /dev/null +++ b/plugins/sudoers/regress/cvtsudoers/test12.sh @@ -0,0 +1,7 @@ +#!/bin/sh +# +# Test that Aliases are removed when filtering by defaults type +# + +exec 2>&1 +./cvtsudoers -c "" -f sudoers -d user $TESTDIR/sudoers.defs diff --git a/plugins/sudoers/regress/cvtsudoers/test13.out.ok b/plugins/sudoers/regress/cvtsudoers/test13.out.ok new file mode 100644 index 0000000..791dcba --- /dev/null +++ b/plugins/sudoers/regress/cvtsudoers/test13.out.ok @@ -0,0 +1,7 @@ +Defaults@SERVERS log_year, logfile=/var/log/sudo.log + +Host_Alias CDROM = orion, perseus, hercules +Runas_Alias OPERATOR = operator, backup +User_Alias PARTTIMERS = bostley, jwfox, crawl +Host_Alias SERVERS = master, mail, www, ns +Cmnd_Alias VIPW = /usr/sbin/vipw, /usr/bin/passwd, /usr/bin/chsh, /usr/bin/chfn diff --git a/plugins/sudoers/regress/cvtsudoers/test13.sh b/plugins/sudoers/regress/cvtsudoers/test13.sh new file mode 100755 index 0000000..4dd4750 --- /dev/null +++ b/plugins/sudoers/regress/cvtsudoers/test13.sh @@ -0,0 +1,7 @@ +#!/bin/sh +# +# Test that Aliases are removed when filtering by defaults type +# + +exec 2>&1 +./cvtsudoers -c "" -f sudoers -d host $TESTDIR/sudoers.defs diff --git a/plugins/sudoers/regress/cvtsudoers/test14.out.ok b/plugins/sudoers/regress/cvtsudoers/test14.out.ok new file mode 100644 index 0000000..3f7710a --- /dev/null +++ b/plugins/sudoers/regress/cvtsudoers/test14.out.ok @@ -0,0 +1,7 @@ +Defaults>ROOT !set_logname + +Host_Alias CDROM = orion, perseus, hercules +Runas_Alias OPERATOR = operator, backup +User_Alias PARTTIMERS = bostley, jwfox, crawl +Runas_Alias ROOT = root, toor +Cmnd_Alias VIPW = /usr/sbin/vipw, /usr/bin/passwd, /usr/bin/chsh, /usr/bin/chfn diff --git a/plugins/sudoers/regress/cvtsudoers/test14.sh b/plugins/sudoers/regress/cvtsudoers/test14.sh new file mode 100755 index 0000000..3f31076 --- /dev/null +++ b/plugins/sudoers/regress/cvtsudoers/test14.sh @@ -0,0 +1,7 @@ +#!/bin/sh +# +# Test that Aliases are removed when filtering by defaults type +# + +exec 2>&1 +./cvtsudoers -c "" -f sudoers -d runas $TESTDIR/sudoers.defs diff --git a/plugins/sudoers/regress/cvtsudoers/test15.out.ok b/plugins/sudoers/regress/cvtsudoers/test15.out.ok new file mode 100644 index 0000000..5177139 --- /dev/null +++ b/plugins/sudoers/regress/cvtsudoers/test15.out.ok @@ -0,0 +1 @@ +user1 host1, host2, host3 = ALL diff --git a/plugins/sudoers/regress/cvtsudoers/test15.sh b/plugins/sudoers/regress/cvtsudoers/test15.sh new file mode 100755 index 0000000..04a2788 --- /dev/null +++ b/plugins/sudoers/regress/cvtsudoers/test15.sh @@ -0,0 +1,9 @@ +#!/bin/sh +# +# Test filters and pruning +# + +exec 2>&1 +./cvtsudoers -c "" -f sudoers -p -m user=user1 <<EOF +user1, user2, user3, %group1 host1, host2, host3 = ALL +EOF diff --git a/plugins/sudoers/regress/cvtsudoers/test16.out.ok b/plugins/sudoers/regress/cvtsudoers/test16.out.ok new file mode 100644 index 0000000..38359b1 --- /dev/null +++ b/plugins/sudoers/regress/cvtsudoers/test16.out.ok @@ -0,0 +1 @@ +user2 host2 = ALL diff --git a/plugins/sudoers/regress/cvtsudoers/test16.sh b/plugins/sudoers/regress/cvtsudoers/test16.sh new file mode 100755 index 0000000..712cdeb --- /dev/null +++ b/plugins/sudoers/regress/cvtsudoers/test16.sh @@ -0,0 +1,9 @@ +#!/bin/sh +# +# Test filters and pruning +# + +exec 2>&1 +./cvtsudoers -c "" -f sudoers -p -m user=user2,host=host2 <<EOF +user1, user2, user3, %group1 host1, host2, host3 = ALL +EOF diff --git a/plugins/sudoers/regress/cvtsudoers/test17.out.ok b/plugins/sudoers/regress/cvtsudoers/test17.out.ok new file mode 100644 index 0000000..d35dd06 --- /dev/null +++ b/plugins/sudoers/regress/cvtsudoers/test17.out.ok @@ -0,0 +1 @@ +%group1 host1 = ALL diff --git a/plugins/sudoers/regress/cvtsudoers/test17.sh b/plugins/sudoers/regress/cvtsudoers/test17.sh new file mode 100755 index 0000000..9892de4 --- /dev/null +++ b/plugins/sudoers/regress/cvtsudoers/test17.sh @@ -0,0 +1,9 @@ +#!/bin/sh +# +# Test filters and pruning +# + +exec 2>&1 +./cvtsudoers -c "" -f sudoers -p -m group=group1,host=host1 <<EOF +user1, user2, user3, %group1 host1, host2, host3 = ALL +EOF diff --git a/plugins/sudoers/regress/cvtsudoers/test18.out.ok b/plugins/sudoers/regress/cvtsudoers/test18.out.ok new file mode 100644 index 0000000..3055452 --- /dev/null +++ b/plugins/sudoers/regress/cvtsudoers/test18.out.ok @@ -0,0 +1 @@ +%group1 ALL = ALL diff --git a/plugins/sudoers/regress/cvtsudoers/test18.sh b/plugins/sudoers/regress/cvtsudoers/test18.sh new file mode 100755 index 0000000..5ce7c88 --- /dev/null +++ b/plugins/sudoers/regress/cvtsudoers/test18.sh @@ -0,0 +1,9 @@ +#!/bin/sh +# +# Test filters and pruning +# + +exec 2>&1 +./cvtsudoers -c "" -f sudoers -p -m group=group1,host=somehost <<EOF +user1, user2, user3, %group1 ALL = ALL +EOF diff --git a/plugins/sudoers/regress/cvtsudoers/test19.out.ok b/plugins/sudoers/regress/cvtsudoers/test19.out.ok new file mode 100644 index 0000000..a36b949 --- /dev/null +++ b/plugins/sudoers/regress/cvtsudoers/test19.out.ok @@ -0,0 +1,11 @@ +Defaults syslog=auth +Defaults>root !set_logname +Defaults:FULLTIMERS !lecture +Defaults@SERVERS log_year, logfile=/var/log/sudo.log +Defaults!PAGERS noexec + +User_Alias FULLTIMERS = millert, mikef, dowdy +Cmnd_Alias PAGERS = /usr/bin/more, /usr/bin/pg, /usr/bin/less +Host_Alias SERVERS = master, mail, www, ns + +FULLTIMERS ALL = NOPASSWD: ALL diff --git a/plugins/sudoers/regress/cvtsudoers/test19.sh b/plugins/sudoers/regress/cvtsudoers/test19.sh new file mode 100755 index 0000000..f434f2a --- /dev/null +++ b/plugins/sudoers/regress/cvtsudoers/test19.sh @@ -0,0 +1,7 @@ +#!/bin/sh +# +# Test filters and pruning; alias contents don't get pruned +# + +exec 2>&1 +./cvtsudoers -c "" -f sudoers -p -m user=FULLTIMERS,host=SERVERS $TESTDIR/sudoers diff --git a/plugins/sudoers/regress/cvtsudoers/test2.out.ok b/plugins/sudoers/regress/cvtsudoers/test2.out.ok new file mode 100644 index 0000000..d99e0e5 --- /dev/null +++ b/plugins/sudoers/regress/cvtsudoers/test2.out.ok @@ -0,0 +1,10 @@ +Defaults syslog=auth +Defaults>root !set_logname +Defaults:millert, mikef, dowdy !lecture +Defaults:millert !authenticate +Defaults!/usr/bin/more, /usr/bin/pg, /usr/bin/less noexec + +millert, mikef, dowdy ALL = NOPASSWD: ALL + +ALL orion, perseus, hercules = NOPASSWD: /sbin/umount /CDROM, /sbin/mount -o\ + nosuid\,nodev /dev/cd0a /CDROM diff --git a/plugins/sudoers/regress/cvtsudoers/test2.sh b/plugins/sudoers/regress/cvtsudoers/test2.sh new file mode 100755 index 0000000..e7f19f6 --- /dev/null +++ b/plugins/sudoers/regress/cvtsudoers/test2.sh @@ -0,0 +1,9 @@ +#!/bin/sh +# +# Test user and host filters, expanding aliases +# + +exec 2>&1 +./cvtsudoers -c "" -f sudoers -e -m user=millert,host=hercules $TESTDIR/sudoers + +exit 0 diff --git a/plugins/sudoers/regress/cvtsudoers/test20.conf b/plugins/sudoers/regress/cvtsudoers/test20.conf new file mode 100644 index 0000000..b60725c --- /dev/null +++ b/plugins/sudoers/regress/cvtsudoers/test20.conf @@ -0,0 +1,6 @@ +defaults = global +expand_aliases = yes +input_format = sudoers +match = user=user2 +output_format = sudoers +prune_matches = yes diff --git a/plugins/sudoers/regress/cvtsudoers/test20.out.ok b/plugins/sudoers/regress/cvtsudoers/test20.out.ok new file mode 100644 index 0000000..79b420b --- /dev/null +++ b/plugins/sudoers/regress/cvtsudoers/test20.out.ok @@ -0,0 +1 @@ +user2 ALL = /usr/bin/id diff --git a/plugins/sudoers/regress/cvtsudoers/test20.sh b/plugins/sudoers/regress/cvtsudoers/test20.sh new file mode 100755 index 0000000..e7214e2 --- /dev/null +++ b/plugins/sudoers/regress/cvtsudoers/test20.sh @@ -0,0 +1,12 @@ +#!/bin/sh +# +# Test cvtsudoers.conf +# + +exec 2>&1 +./cvtsudoers -c $TESTDIR/test20.conf <<EOF +Defaults:SOMEUSERS authenticate, timestamp_timeout=0 +User_Alias SOMEUSERS = user1, user2, user3 + +SOMEUSERS ALL = /usr/bin/id +EOF diff --git a/plugins/sudoers/regress/cvtsudoers/test21.conf b/plugins/sudoers/regress/cvtsudoers/test21.conf new file mode 100644 index 0000000..01fd3a3 --- /dev/null +++ b/plugins/sudoers/regress/cvtsudoers/test21.conf @@ -0,0 +1,8 @@ +defaults = all +expand_aliases = no +input_format = sudoers +order_increment = 10 +order_start = 1000 +output_format = ldif +sudoers_base = ou=SUDOers,dc=my-domain,dc=com +suppress = defaults diff --git a/plugins/sudoers/regress/cvtsudoers/test21.out.ok b/plugins/sudoers/regress/cvtsudoers/test21.out.ok new file mode 100644 index 0000000..78285f1 --- /dev/null +++ b/plugins/sudoers/regress/cvtsudoers/test21.out.ok @@ -0,0 +1,24 @@ +dn: cn=ALL,ou=SUDOers,dc=my-domain,dc=com +objectClass: top +objectClass: sudoRole +cn: ALL +sudoUser: ALL +sudoHost: ALL +sudoRunAsUser: +sudoOption: !authenticate +sudoCommand: /usr/bin/id +sudoOrder: 1000 + +dn: cn=FULLTIMERS,ou=SUDOers,dc=my-domain,dc=com +objectClass: top +objectClass: sudoRole +cn: FULLTIMERS +sudoUser: user1 +sudoUser: user2 +sudoUser: user3 +sudoHost: ALL +sudoRunAsUser: ALL +sudoRunAsGroup: ALL +sudoCommand: ALL +sudoOrder: 1010 + diff --git a/plugins/sudoers/regress/cvtsudoers/test21.sh b/plugins/sudoers/regress/cvtsudoers/test21.sh new file mode 100755 index 0000000..66c18b6 --- /dev/null +++ b/plugins/sudoers/regress/cvtsudoers/test21.sh @@ -0,0 +1,13 @@ +#!/bin/sh +# +# Test cvtsudoers.conf +# + +exec 2>&1 +./cvtsudoers -c $TESTDIR/test21.conf <<EOF +Defaults authenticate, timestamp_timeout=0 +User_Alias FULLTIMERS = user1, user2, user3 + +ALL ALL = (:) NOPASSWD:/usr/bin/id +FULLTIMERS ALL = (ALL:ALL) ALL +EOF diff --git a/plugins/sudoers/regress/cvtsudoers/test22.out.ok b/plugins/sudoers/regress/cvtsudoers/test22.out.ok new file mode 100644 index 0000000..d404815 --- /dev/null +++ b/plugins/sudoers/regress/cvtsudoers/test22.out.ok @@ -0,0 +1,31 @@ +dn: cn=defaults,ou=SUDOers,dc=sudo,dc=ws +objectClass: top +objectClass: sudoRole +cn: defaults +description: Default sudoOption's go here +sudoOption: log_output + +dn: cn=root,ou=SUDOers,dc=sudo,dc=ws +objectClass: top +objectClass: sudoRole +cn: root +sudoUser: root +sudoHost: ALL +sudoRunAsUser: ALL +sudoRunAsGroup: ALL +sudoOption: !authenticate +sudoCommand: ALL +sudoOrder: 10 + +dn: cn=%wheel,ou=SUDOers,dc=sudo,dc=ws +objectClass: top +objectClass: sudoRole +cn: %wheel +sudoUser: %wheel +sudoHost: +sudo-hosts +sudoRunAsUser: ALL +sudoRunAsGroup: ALL +sudoOption: !authenticate +sudoCommand: ALL +sudoOrder: 20 + diff --git a/plugins/sudoers/regress/cvtsudoers/test22.sh b/plugins/sudoers/regress/cvtsudoers/test22.sh new file mode 100755 index 0000000..7c75716 --- /dev/null +++ b/plugins/sudoers/regress/cvtsudoers/test22.sh @@ -0,0 +1,72 @@ +#!/bin/sh +# +# Test LDAP base filtering. +# + +exec 2>&1 +./cvtsudoers -c "" -i ldif -b "ou=SUDOers,dc=sudo,dc=ws" -I 10 -O 10 <<EOF +dn: dc=sudo,dc=ws +objectClass: dcObject +objectClass: organization +dc: courtesan +o: Sudo World Headquarters +description: Sudo World Headquarters + +# Organizational Role for Directory Manager +dn: cn=Manager,dc=sudo,dc=ws +objectClass: organizationalRole +cn: Manager +description: Directory Manager + +# SUDOers, sudo.ws +dn: ou=SUDOers,dc=sudo,dc=ws +objectClass: top +objectClass: organizationalUnit +description: SUDO Configuration Subtree +ou: SUDOers + +# defaults, SUDOers, sudo.ws +dn: cn=defaults,ou=SUDOers,dc=sudo,dc=ws +objectClass: top +objectClass: sudoRole +cn: defaults +description: Default sudoOption's go here +sudoOption: log_output + +# root, SUDOers, sudo.ws +dn: cn=root,ou=SUDOers,dc=sudo,dc=ws +objectClass: top +objectClass: sudoRole +cn: root +sudoUser: root +sudoRunAsUser: ALL +sudoRunAsGroup: ALL +sudoHost: ALL +sudoCommand: ALL +sudoOption: !authenticate +sudoOrder: 10 + +# %wheel, SUDOers, sudo.ws +dn: cn=%wheel,ou=SUDOers,dc=sudo,dc=ws +objectClass: top +objectClass: sudoRole +cn: %wheel +sudoUser: %wheel +sudoRunAsUser: ALL +sudoRunAsGroup: ALL +sudoHost: +sudo-hosts +sudoCommand: ALL +sudoOption: !authenticate +sudoOrder: 10 + +# millert, SUDOers, other-domain.com +dn: cn=millert,ou=SUDOers,dc=other-domain,dc=com +objectClass: top +objectClass: sudoRole +cn: millert +sudoUser: millert +sudoRunAsUser: ALL +sudoRunAsGroup: ALL +sudoHost: ALL +sudoOrder: 5 +EOF diff --git a/plugins/sudoers/regress/cvtsudoers/test23.out.ok b/plugins/sudoers/regress/cvtsudoers/test23.out.ok new file mode 100644 index 0000000..7fc33c2 --- /dev/null +++ b/plugins/sudoers/regress/cvtsudoers/test23.out.ok @@ -0,0 +1,20 @@ +Defaults logfile=/var/log/sudo + +root ALL = (ALL) ALL + +%wheel ALL = (ALL) ALL + ++admins ALL = NOPASSWD: ALL + +jack 128.138.204.0/24, 128.138.242.0, 128.138.243.0 = ALL + +lisa 128.138.0.0/255.255.0.0 = ALL + +operator ALL = /usr/sbin/dump, /usr/sbin/rdump, /usr/sbin/restore,\ + /usr/sbin/rrestore, /usr/bin/mt,\ + sha224:0GomF8mNN3wlDt1HD9XldjJ3SNgpFdbjO1+NsQ==\ + /home/operator/bin/start_backups, /usr/bin/kill, /usr/bin/top,\ + /usr/sbin/shutdown, /usr/sbin/halt, /usr/sbin/reboot, /usr/sbin/lpc,\ + /usr/bin/lprm, sudoedit /etc/printcap, /usr/oper/bin/ + +joe ALL = /usr/bin/su operator diff --git a/plugins/sudoers/regress/cvtsudoers/test23.sh b/plugins/sudoers/regress/cvtsudoers/test23.sh new file mode 100755 index 0000000..d5f0439 --- /dev/null +++ b/plugins/sudoers/regress/cvtsudoers/test23.sh @@ -0,0 +1,8 @@ +#!/bin/sh +# +# Test round-tripping of sudoers -> LDIF -> sudoers +# + +exec 2>&1 +./cvtsudoers -c "" -b "ou=SUDOers,dc=sudo,dc=ws" $TESTDIR/test23.out.ok | \ + ./cvtsudoers -c "" -i LDIF -f sudoers | grep -v '^#' diff --git a/plugins/sudoers/regress/cvtsudoers/test24.out.ok b/plugins/sudoers/regress/cvtsudoers/test24.out.ok new file mode 100644 index 0000000..0951767 --- /dev/null +++ b/plugins/sudoers/regress/cvtsudoers/test24.out.ok @@ -0,0 +1,89 @@ +dn: cn=defaults,ou=SUDOers,dc=sudo,dc=ws +objectClass: top +objectClass: sudoRole +cn: defaults +description: Default sudoOption's go here +sudoOption: logfile=/var/log/sudo + +dn: cn=root,ou=SUDOers,dc=sudo,dc=ws +objectClass: top +objectClass: sudoRole +cn: root +sudoUser: root +sudoHost: ALL +sudoRunAsUser: ALL +sudoCommand: ALL +sudoOrder: 1 + +dn: cn=%wheel,ou=SUDOers,dc=sudo,dc=ws +objectClass: top +objectClass: sudoRole +cn: %wheel +sudoUser: %wheel +sudoHost: ALL +sudoRunAsUser: ALL +sudoCommand: ALL +sudoOrder: 2 + +dn: cn=\+admins,ou=SUDOers,dc=sudo,dc=ws +objectClass: top +objectClass: sudoRole +cn: \+admins +sudoUser: +admins +sudoHost: ALL +sudoOption: !authenticate +sudoCommand: ALL +sudoOrder: 3 + +dn: cn=jack,ou=SUDOers,dc=sudo,dc=ws +objectClass: top +objectClass: sudoRole +cn: jack +sudoUser: jack +sudoHost: 128.138.204.0/24 +sudoHost: 128.138.242.0 +sudoHost: 128.138.243.0 +sudoCommand: ALL +sudoOrder: 4 + +dn: cn=lisa,ou=SUDOers,dc=sudo,dc=ws +objectClass: top +objectClass: sudoRole +cn: lisa +sudoUser: lisa +sudoHost: 128.138.0.0/255.255.0.0 +sudoCommand: ALL +sudoOrder: 5 + +dn: cn=operator,ou=SUDOers,dc=sudo,dc=ws +objectClass: top +objectClass: sudoRole +cn: operator +sudoUser: operator +sudoHost: ALL +sudoCommand: /usr/sbin/dump +sudoCommand: /usr/sbin/rdump +sudoCommand: /usr/sbin/restore +sudoCommand: /usr/sbin/rrestore +sudoCommand: /usr/bin/mt +sudoCommand: sha224:0GomF8mNN3wlDt1HD9XldjJ3SNgpFdbjO1+NsQ== /home/operator/bin/start_backups +sudoCommand: /usr/bin/kill +sudoCommand: /usr/bin/top +sudoCommand: /usr/sbin/shutdown +sudoCommand: /usr/sbin/halt +sudoCommand: /usr/sbin/reboot +sudoCommand: /usr/sbin/lpc +sudoCommand: /usr/bin/lprm +sudoCommand: sudoedit /etc/printcap +sudoCommand: /usr/oper/bin/ +sudoOrder: 6 + +dn: cn=joe,ou=SUDOers,dc=sudo,dc=ws +objectClass: top +objectClass: sudoRole +cn: joe +sudoUser: joe +sudoHost: ALL +sudoCommand: /usr/bin/su operator +sudoOrder: 7 + diff --git a/plugins/sudoers/regress/cvtsudoers/test24.sh b/plugins/sudoers/regress/cvtsudoers/test24.sh new file mode 100755 index 0000000..632502e --- /dev/null +++ b/plugins/sudoers/regress/cvtsudoers/test24.sh @@ -0,0 +1,8 @@ +#!/bin/sh +# +# Test round-tripping of LDIF -> sudoers -> LDIF +# + +exec 2>&1 +./cvtsudoers -c "" -i LDIF -f sudoers $TESTDIR/test24.out.ok | \ + ./cvtsudoers -c "" -b "ou=SUDOers,dc=sudo,dc=ws" diff --git a/plugins/sudoers/regress/cvtsudoers/test25.out.ok b/plugins/sudoers/regress/cvtsudoers/test25.out.ok new file mode 100644 index 0000000..d404815 --- /dev/null +++ b/plugins/sudoers/regress/cvtsudoers/test25.out.ok @@ -0,0 +1,31 @@ +dn: cn=defaults,ou=SUDOers,dc=sudo,dc=ws +objectClass: top +objectClass: sudoRole +cn: defaults +description: Default sudoOption's go here +sudoOption: log_output + +dn: cn=root,ou=SUDOers,dc=sudo,dc=ws +objectClass: top +objectClass: sudoRole +cn: root +sudoUser: root +sudoHost: ALL +sudoRunAsUser: ALL +sudoRunAsGroup: ALL +sudoOption: !authenticate +sudoCommand: ALL +sudoOrder: 10 + +dn: cn=%wheel,ou=SUDOers,dc=sudo,dc=ws +objectClass: top +objectClass: sudoRole +cn: %wheel +sudoUser: %wheel +sudoHost: +sudo-hosts +sudoRunAsUser: ALL +sudoRunAsGroup: ALL +sudoOption: !authenticate +sudoCommand: ALL +sudoOrder: 20 + diff --git a/plugins/sudoers/regress/cvtsudoers/test25.sh b/plugins/sudoers/regress/cvtsudoers/test25.sh new file mode 100755 index 0000000..4cb8b45 --- /dev/null +++ b/plugins/sudoers/regress/cvtsudoers/test25.sh @@ -0,0 +1,52 @@ +#!/bin/sh +# +# Test LDIF base64 attribute parsing +# + +exec 2>&1 +./cvtsudoers -c "" -i ldif -b "ou=SUDOers,dc=sudo,dc=ws" -I 10 -O 10 <<EOF +# defaults, SUDOers, sudo.ws +dn:: Y249ZGVmYXVsdHMsb3U9U1VET2VycyxkYz1zdWRvLGRjPXdz +objectClass: top +objectClass: sudoRole +cn: defaults +description: Default sudoOption's go here +sudoOption:: bG9nX291dHB1dA== + +# root, SUDOers, sudo.ws +dn:: Y249cm9vdCxvdT1TVURPZXJzLGRjPXN1ZG8sZGM9d3M= +objectClass: top +objectClass: sudoRole +cn: root +sudoUser: root +sudoRunAsUser: ALL +sudoRunAsGroup: ALL +sudoHost: ALL +sudoCommand: ALL +sudoOption: !authenticate +sudoOrder: 10 + +# %wheel, SUDOers, sudo.ws +dn:: Y249JXdoZWVsLG91PVNVRE9lcnMsZGM9c3VkbyxkYz13cw== +objectClass: top +objectClass: sudoRole +cn: %wheel +sudoUser: %wheel +sudoRunAsUser: ALL +sudoRunAsGroup: ALL +sudoHost: +sudo-hosts +sudoCommand: ALL +sudoOption: !authenticate +sudoOrder: 10 + +# millert, SUDOers, other-domain.com +dn:: Y249bWlsbGVydCxvdT1TVURPZXJzLGRjPW90aGVyLWRvbWFpbixkYz1jb20= +objectClass: top +objectClass: sudoRole +cn: millert +sudoUser: millert +sudoRunAsUser: ALL +sudoRunAsGroup: ALL +sudoHost: ALL +sudoOrder: 5 +EOF diff --git a/plugins/sudoers/regress/cvtsudoers/test26.out.ok b/plugins/sudoers/regress/cvtsudoers/test26.out.ok new file mode 100644 index 0000000..769f392 --- /dev/null +++ b/plugins/sudoers/regress/cvtsudoers/test26.out.ok @@ -0,0 +1,3 @@ +cvtsudoers: ignoring invalid attribute value: bG9nX29@1dHB1dA== +cvtsudoers: ignoring invalid attribute value: Y249cm9vdCxvdT1TVURPZXJzLGRjPXN1ZG8sZGM9_d3M= +cvtsudoers: ignoring invalid attribute value: Y249JXdoZWVsLG91PVNVRE9lcnMsZGM9c3VkbyxkYz13cw!== diff --git a/plugins/sudoers/regress/cvtsudoers/test26.sh b/plugins/sudoers/regress/cvtsudoers/test26.sh new file mode 100755 index 0000000..b9eecaa --- /dev/null +++ b/plugins/sudoers/regress/cvtsudoers/test26.sh @@ -0,0 +1,41 @@ +#!/bin/sh +# +# Test LDIF invalid base64 attribute parsing +# + +exec 2>&1 +./cvtsudoers -c "" -i ldif -b "ou=SUDOers,dc=sudo,dc=ws" -I 10 -O 10 <<EOF +# defaults, SUDOers, sudo.ws +dn:: Y249ZGVmYXVsdHMsb3U9U1VET2VycyxkYz1zdWRvLGRjPXdz +objectClass: top +objectClass: sudoRole +cn: defaults +description: Default sudoOption's go here +sudoOption:: bG9nX29@1dHB1dA== + +# root, SUDOers, sudo.ws +dn:: Y249cm9vdCxvdT1TVURPZXJzLGRjPXN1ZG8sZGM9_d3M= +objectClass: top +objectClass: sudoRole +cn: root +sudoUser: root +sudoRunAsUser: ALL +sudoRunAsGroup: ALL +sudoHost: ALL +sudoCommand: ALL +sudoOption: !authenticate +sudoOrder: 10 + +# %wheel, SUDOers, sudo.ws +dn:: Y249JXdoZWVsLG91PVNVRE9lcnMsZGM9c3VkbyxkYz13cw!== +objectClass: top +objectClass: sudoRole +cn: %wheel +sudoUser: %wheel +sudoRunAsUser: ALL +sudoRunAsGroup: ALL +sudoHost: +sudo-hosts +sudoCommand: ALL +sudoOption: !authenticate +sudoOrder: 10 +EOF diff --git a/plugins/sudoers/regress/cvtsudoers/test27.out.ok b/plugins/sudoers/regress/cvtsudoers/test27.out.ok new file mode 100644 index 0000000..ab9c948 --- /dev/null +++ b/plugins/sudoers/regress/cvtsudoers/test27.out.ok @@ -0,0 +1,16 @@ +dn:: Y249ZGVmYXVsdHMsb3U9U1VET2Vyc8KpLGRjPXN1ZG8sZGM9d3M= +objectClass: top +objectClass: sudoRole +cn: defaults +description: Default sudoOption's go here +sudoOption:: YmFkcGFzc19tZXNzYWdlPUJhZCBwYXNzd29yZMKh + +dn:: Y249cm9vdCxvdT1TVURPZXJzwqksZGM9c3VkbyxkYz13cw== +objectClass: top +objectClass: sudoRole +cn: root +sudoUser: root +sudoHost: ALL +sudoCommand: ALL +sudoOrder: 1 + diff --git a/plugins/sudoers/regress/cvtsudoers/test27.sh b/plugins/sudoers/regress/cvtsudoers/test27.sh new file mode 100755 index 0000000..afc29a8 --- /dev/null +++ b/plugins/sudoers/regress/cvtsudoers/test27.sh @@ -0,0 +1,11 @@ +#!/bin/sh +# +# Test base64 encoding of non-safe strings +# + +exec 2>&1 +./cvtsudoers -c "" -b "ou=SUDOers©,dc=sudo,dc=ws" <<EOF +Defaults badpass_message="Bad password¡" + +root ALL = ALL +EOF diff --git a/plugins/sudoers/regress/cvtsudoers/test28.out.ok b/plugins/sudoers/regress/cvtsudoers/test28.out.ok new file mode 100644 index 0000000..ba19cb9 --- /dev/null +++ b/plugins/sudoers/regress/cvtsudoers/test28.out.ok @@ -0,0 +1,10 @@ +Defaults log_output + +# sudoRole millert +millert ALL = (ALL : ALL) ALL + +# sudoRole root +root ALL = (ALL : ALL) NOPASSWD: ALL + +# sudoRole %wheel +%wheel +sudo-hosts = (ALL : ALL) NOPASSWD: ALL diff --git a/plugins/sudoers/regress/cvtsudoers/test28.sh b/plugins/sudoers/regress/cvtsudoers/test28.sh new file mode 100755 index 0000000..73c4a50 --- /dev/null +++ b/plugins/sudoers/regress/cvtsudoers/test28.sh @@ -0,0 +1,73 @@ +#!/bin/sh +# +# Test LDAP sudoOrder when converting to sudoers. +# + +exec 2>&1 +./cvtsudoers -c "" -i ldif -f sudoers <<EOF +dn: dc=sudo,dc=ws +objectClass: dcObject +objectClass: organization +dc: courtesan +o: Sudo World Headquarters +description: Sudo World Headquarters + +# Organizational Role for Directory Manager +dn: cn=Manager,dc=sudo,dc=ws +objectClass: organizationalRole +cn: Manager +description: Directory Manager + +# SUDOers, sudo.ws +dn: ou=SUDOers,dc=sudo,dc=ws +objectClass: top +objectClass: organizationalUnit +description: SUDO Configuration Subtree +ou: SUDOers + +# defaults, SUDOers, sudo.ws +dn: cn=defaults,ou=SUDOers,dc=sudo,dc=ws +objectClass: top +objectClass: sudoRole +cn: defaults +description: Default sudoOption's go here +sudoOption: log_output + +# root, SUDOers, sudo.ws +dn: cn=root,ou=SUDOers,dc=sudo,dc=ws +objectClass: top +objectClass: sudoRole +cn: root +sudoUser: root +sudoRunAsUser: ALL +sudoRunAsGroup: ALL +sudoHost: ALL +sudoCommand: ALL +sudoOption: !authenticate +sudoOrder: 10 + +# %wheel, SUDOers, sudo.ws +dn: cn=%wheel,ou=SUDOers,dc=sudo,dc=ws +objectClass: top +objectClass: sudoRole +cn: %wheel +sudoUser: %wheel +sudoRunAsUser: ALL +sudoRunAsGroup: ALL +sudoHost: +sudo-hosts +sudoCommand: ALL +sudoOption: !authenticate +sudoOrder: 20 + +# millert, SUDOers, sudo.ws +dn: cn=millert,ou=SUDOers,dc=sudo,dc=ws +objectClass: top +objectClass: sudoRole +cn: millert +sudoUser: millert +sudoRunAsUser: ALL +sudoRunAsGroup: ALL +sudoHost: ALL +sudoCommand: ALL +sudoOrder: 5 +EOF diff --git a/plugins/sudoers/regress/cvtsudoers/test29.out.ok b/plugins/sudoers/regress/cvtsudoers/test29.out.ok new file mode 100644 index 0000000..c168898 --- /dev/null +++ b/plugins/sudoers/regress/cvtsudoers/test29.out.ok @@ -0,0 +1,4 @@ +Defaults log_output + +# sudoRole millert, millert2 +millert ALL = (ALL : ALL) ALL, NOPASSWD: ALL diff --git a/plugins/sudoers/regress/cvtsudoers/test29.sh b/plugins/sudoers/regress/cvtsudoers/test29.sh new file mode 100755 index 0000000..6f0148c --- /dev/null +++ b/plugins/sudoers/regress/cvtsudoers/test29.sh @@ -0,0 +1,60 @@ +#!/bin/sh +# +# Test LDAP sudoOrder when converting to sudoers. +# + +exec 2>&1 +./cvtsudoers -c "" -i ldif -f sudoers <<EOF +dn: dc=sudo,dc=ws +objectClass: dcObject +objectClass: organization +dc: courtesan +o: Sudo World Headquarters +description: Sudo World Headquarters + +# Organizational Role for Directory Manager +dn: cn=Manager,dc=sudo,dc=ws +objectClass: organizationalRole +cn: Manager +description: Directory Manager + +# SUDOers, sudo.ws +dn: ou=SUDOers,dc=sudo,dc=ws +objectClass: top +objectClass: organizationalUnit +description: SUDO Configuration Subtree +ou: SUDOers + +# defaults, SUDOers, sudo.ws +dn: cn=defaults,ou=SUDOers,dc=sudo,dc=ws +objectClass: top +objectClass: sudoRole +cn: defaults +description: Default sudoOption's go here +sudoOption: log_output + +# millert, SUDOers, sudo.ws +dn: cn=millert,ou=SUDOers,dc=sudo,dc=ws +objectClass: top +objectClass: sudoRole +cn: millert +sudoUser: millert +sudoRunAsUser: ALL +sudoRunAsGroup: ALL +sudoHost: ALL +sudoCommand: ALL +sudoOrder: 5 + +# millert2, SUDOers, sudo.ws +dn: cn=millert2,ou=SUDOers,dc=sudo,dc=ws +objectClass: top +objectClass: sudoRole +cn: millert2 +sudoUser: millert +sudoRunAsUser: ALL +sudoRunAsGroup: ALL +sudoHost: ALL +sudoCommand: ALL +sudoOption: !authenticate +sudoOrder: 10 +EOF diff --git a/plugins/sudoers/regress/cvtsudoers/test3.out.ok b/plugins/sudoers/regress/cvtsudoers/test3.out.ok new file mode 100644 index 0000000..8a37975 --- /dev/null +++ b/plugins/sudoers/regress/cvtsudoers/test3.out.ok @@ -0,0 +1,7 @@ +Defaults syslog=auth +Defaults>root !set_logname +Defaults!PAGERS noexec + +Cmnd_Alias PAGERS = /usr/bin/more, /usr/bin/pg, /usr/bin/less + +%wheel ALL = (ALL) ALL diff --git a/plugins/sudoers/regress/cvtsudoers/test3.sh b/plugins/sudoers/regress/cvtsudoers/test3.sh new file mode 100755 index 0000000..472d252 --- /dev/null +++ b/plugins/sudoers/regress/cvtsudoers/test3.sh @@ -0,0 +1,9 @@ +#!/bin/sh +# +# Test group and host filters +# + +exec 2>&1 +./cvtsudoers -c "" -f sudoers -m group=wheel,host=blackhole $TESTDIR/sudoers + +exit 0 diff --git a/plugins/sudoers/regress/cvtsudoers/test30.out.ok b/plugins/sudoers/regress/cvtsudoers/test30.out.ok new file mode 100644 index 0000000..009a54e --- /dev/null +++ b/plugins/sudoers/regress/cvtsudoers/test30.out.ok @@ -0,0 +1,26 @@ +{ + "User_Specs": [ + { + "User_List": [ + { "username": "user1" }, + { "username": "user2" }, + { "username": "user3" } + ], + "Host_List": [ + { "hostname": "ALL" } + ], + "Cmnd_Specs": [ + { + "Commands": [ + { "command": "/path/to/cmda" }, + { + "command": "/path/to/cmdb", + "negated": true + }, + { "command": "/path/to/cmdc" } + ] + } + ] + } + ] +} diff --git a/plugins/sudoers/regress/cvtsudoers/test30.sh b/plugins/sudoers/regress/cvtsudoers/test30.sh new file mode 100755 index 0000000..80b08a5 --- /dev/null +++ b/plugins/sudoers/regress/cvtsudoers/test30.sh @@ -0,0 +1,14 @@ +#!/bin/sh +# +# Test alias expasion when converting to JSON. +# See https://bugzilla.sudo.ws/show_bug.cgi?id=853 +# + +exec 2>&1 +./cvtsudoers -c "" -e -f json <<EOF +Cmnd_Alias CMDA=/path/to/cmda +Cmnd_Alias CMDB=/path/to/cmdb +Cmnd_Alias CMDC=/path/to/cmdc +User_Alias USERS=user1,user2,user3 +USERS ALL=CMDA,!CMDB,CMDC +EOF diff --git a/plugins/sudoers/regress/cvtsudoers/test31.conf b/plugins/sudoers/regress/cvtsudoers/test31.conf new file mode 100644 index 0000000..345dbfc --- /dev/null +++ b/plugins/sudoers/regress/cvtsudoers/test31.conf @@ -0,0 +1,9 @@ +defaults = all +expand_aliases = no +input_format = sudoers +order_increment = 5 +order_padding = 2 +order_start = 1000 +output_format = ldif +sudoers_base = ou=SUDOers,dc=my-domain,dc=com +suppress = defaults diff --git a/plugins/sudoers/regress/cvtsudoers/test31.out.ok b/plugins/sudoers/regress/cvtsudoers/test31.out.ok new file mode 100644 index 0000000..41ffd1b --- /dev/null +++ b/plugins/sudoers/regress/cvtsudoers/test31.out.ok @@ -0,0 +1,24 @@ +dn: cn=ALL,ou=SUDOers,dc=my-domain,dc=com +objectClass: top +objectClass: sudoRole +cn: ALL +sudoUser: ALL +sudoHost: ALL +sudoRunAsUser: +sudoOption: !authenticate +sudoCommand: /usr/bin/id +sudoOrder: 100000 + +dn: cn=FULLTIMERS,ou=SUDOers,dc=my-domain,dc=com +objectClass: top +objectClass: sudoRole +cn: FULLTIMERS +sudoUser: user1 +sudoUser: user2 +sudoUser: user3 +sudoHost: ALL +sudoRunAsUser: ALL +sudoRunAsGroup: ALL +sudoCommand: ALL +sudoOrder: 100005 + diff --git a/plugins/sudoers/regress/cvtsudoers/test31.sh b/plugins/sudoers/regress/cvtsudoers/test31.sh new file mode 100644 index 0000000..ad6537c --- /dev/null +++ b/plugins/sudoers/regress/cvtsudoers/test31.sh @@ -0,0 +1,13 @@ +#!/bin/sh +# +# Test cvtsudoers.conf with padding +# + +exec 2>&1 +./cvtsudoers -c $TESTDIR/test31.conf <<EOF +Defaults authenticate, timestamp_timeout=0 +User_Alias FULLTIMERS = user1, user2, user3 + +ALL ALL = (:) NOPASSWD:/usr/bin/id +FULLTIMERS ALL = (ALL:ALL) ALL +EOF diff --git a/plugins/sudoers/regress/cvtsudoers/test32.out.ok b/plugins/sudoers/regress/cvtsudoers/test32.out.ok new file mode 100644 index 0000000..436b877 --- /dev/null +++ b/plugins/sudoers/regress/cvtsudoers/test32.out.ok @@ -0,0 +1,120 @@ +cvtsudoers: too many sudoers entries, maximum 10 +dn: cn=user0,ou=SUDOers,dc=my-domain,dc=com +objectClass: top +objectClass: sudoRole +cn: user0 +sudoUser: user0 +sudoHost: ALL +sudoRunAsUser: ALL +sudoRunAsGroup: ALL +sudoCommand: ALL +sudoOrder: 10000 + +dn: cn=user1,ou=SUDOers,dc=my-domain,dc=com +objectClass: top +objectClass: sudoRole +cn: user1 +sudoUser: user1 +sudoHost: ALL +sudoRunAsUser: ALL +sudoRunAsGroup: ALL +sudoCommand: ALL +sudoOrder: 10001 + +dn: cn=user2,ou=SUDOers,dc=my-domain,dc=com +objectClass: top +objectClass: sudoRole +cn: user2 +sudoUser: user2 +sudoHost: ALL +sudoRunAsUser: ALL +sudoRunAsGroup: ALL +sudoCommand: ALL +sudoOrder: 10002 + +dn: cn=user3,ou=SUDOers,dc=my-domain,dc=com +objectClass: top +objectClass: sudoRole +cn: user3 +sudoUser: user3 +sudoHost: ALL +sudoRunAsUser: ALL +sudoRunAsGroup: ALL +sudoCommand: ALL +sudoOrder: 10003 + +dn: cn=user4,ou=SUDOers,dc=my-domain,dc=com +objectClass: top +objectClass: sudoRole +cn: user4 +sudoUser: user4 +sudoHost: ALL +sudoRunAsUser: ALL +sudoRunAsGroup: ALL +sudoCommand: ALL +sudoOrder: 10004 + +dn: cn=user5,ou=SUDOers,dc=my-domain,dc=com +objectClass: top +objectClass: sudoRole +cn: user5 +sudoUser: user5 +sudoHost: ALL +sudoRunAsUser: ALL +sudoRunAsGroup: ALL +sudoCommand: ALL +sudoOrder: 10005 + +dn: cn=user6,ou=SUDOers,dc=my-domain,dc=com +objectClass: top +objectClass: sudoRole +cn: user6 +sudoUser: user6 +sudoHost: ALL +sudoRunAsUser: ALL +sudoRunAsGroup: ALL +sudoCommand: ALL +sudoOrder: 10006 + +dn: cn=user7,ou=SUDOers,dc=my-domain,dc=com +objectClass: top +objectClass: sudoRole +cn: user7 +sudoUser: user7 +sudoHost: ALL +sudoRunAsUser: ALL +sudoRunAsGroup: ALL +sudoCommand: ALL +sudoOrder: 10007 + +dn: cn=user8,ou=SUDOers,dc=my-domain,dc=com +objectClass: top +objectClass: sudoRole +cn: user8 +sudoUser: user8 +sudoHost: ALL +sudoRunAsUser: ALL +sudoRunAsGroup: ALL +sudoCommand: ALL +sudoOrder: 10008 + +dn: cn=user9,ou=SUDOers,dc=my-domain,dc=com +objectClass: top +objectClass: sudoRole +cn: user9 +sudoUser: user9 +sudoHost: ALL +sudoRunAsUser: ALL +sudoRunAsGroup: ALL +sudoCommand: ALL +sudoOrder: 10009 + +dn: cn=user10,ou=SUDOers,dc=my-domain,dc=com +objectClass: top +objectClass: sudoRole +cn: user10 +sudoUser: user10 +sudoHost: ALL +sudoRunAsUser: ALL +sudoRunAsGroup: ALL +sudoCommand: ALL diff --git a/plugins/sudoers/regress/cvtsudoers/test32.sh b/plugins/sudoers/regress/cvtsudoers/test32.sh new file mode 100644 index 0000000..fe9c065 --- /dev/null +++ b/plugins/sudoers/regress/cvtsudoers/test32.sh @@ -0,0 +1,21 @@ +#!/bin/sh +# +# Test cvtsudoers.conf with invalid padding +# + +exec 2>&1 +./cvtsudoers -c "" -b "ou=SUDOers,dc=my-domain,dc=com" -O 1000 -P 1 <<EOF +user0 ALL = (ALL:ALL) ALL +user1 ALL = (ALL:ALL) ALL +user2 ALL = (ALL:ALL) ALL +user3 ALL = (ALL:ALL) ALL +user4 ALL = (ALL:ALL) ALL +user5 ALL = (ALL:ALL) ALL +user6 ALL = (ALL:ALL) ALL +user7 ALL = (ALL:ALL) ALL +user8 ALL = (ALL:ALL) ALL +user9 ALL = (ALL:ALL) ALL +user10 ALL = (ALL:ALL) ALL +EOF + +exit 0 diff --git a/plugins/sudoers/regress/cvtsudoers/test33.out.ok b/plugins/sudoers/regress/cvtsudoers/test33.out.ok new file mode 100644 index 0000000..6584701 --- /dev/null +++ b/plugins/sudoers/regress/cvtsudoers/test33.out.ok @@ -0,0 +1,7 @@ +Defaults log_output + +# sudoRole root +root ALL = (ALL : ALL) NOPASSWD: ALL + +# sudoRole millert +millert ALL = (ALL, !bin, !root : ALL, !wheel) ALL diff --git a/plugins/sudoers/regress/cvtsudoers/test33.sh b/plugins/sudoers/regress/cvtsudoers/test33.sh new file mode 100755 index 0000000..db8d8d1 --- /dev/null +++ b/plugins/sudoers/regress/cvtsudoers/test33.sh @@ -0,0 +1,61 @@ +#!/bin/sh +# +# Test LDAP negated sudoRunAsUser and sudoRunAsGroup converted to sudoers. +# + +exec 2>&1 +./cvtsudoers -c "" -i ldif -f sudoers <<EOF +dn: dc=sudo,dc=ws +objectClass: dcObject +objectClass: organization +dc: courtesan +o: Sudo World Headquarters +description: Sudo World Headquarters + +# Organizational Role for Directory Manager +dn: cn=Manager,dc=sudo,dc=ws +objectClass: organizationalRole +cn: Manager +description: Directory Manager + +# SUDOers, sudo.ws +dn: ou=SUDOers,dc=sudo,dc=ws +objectClass: top +objectClass: organizationalUnit +description: SUDO Configuration Subtree +ou: SUDOers + +# defaults, SUDOers, sudo.ws +dn: cn=defaults,ou=SUDOers,dc=sudo,dc=ws +objectClass: top +objectClass: sudoRole +cn: defaults +description: Default sudoOption's go here +sudoOption: log_output + +# root, SUDOers, sudo.ws +dn: cn=root,ou=SUDOers,dc=sudo,dc=ws +objectClass: top +objectClass: sudoRole +cn: root +sudoUser: root +sudoRunAsUser: ALL +sudoRunAsGroup: ALL +sudoHost: ALL +sudoCommand: ALL +sudoOption: !authenticate + +# millert, SUDOers, sudo.ws +dn: cn=millert,ou=SUDOers,dc=sudo,dc=ws +objectClass: top +objectClass: sudoRole +cn: millert +sudoUser: millert +sudoRunAsUser: !bin +sudoRunAsUser: !root +sudoRunAsUser: ALL +sudoRunAsGroup: ALL +sudoRunAsGroup: !wheel +sudoHost: ALL +sudoCommand: ALL +EOF diff --git a/plugins/sudoers/regress/cvtsudoers/test4.out.ok b/plugins/sudoers/regress/cvtsudoers/test4.out.ok new file mode 100644 index 0000000..f8e7d2e --- /dev/null +++ b/plugins/sudoers/regress/cvtsudoers/test4.out.ok @@ -0,0 +1,5 @@ +Defaults syslog=auth +Defaults>root !set_logname +Defaults!/usr/bin/more, /usr/bin/pg, /usr/bin/less noexec + +%wheel ALL = (ALL) ALL diff --git a/plugins/sudoers/regress/cvtsudoers/test4.sh b/plugins/sudoers/regress/cvtsudoers/test4.sh new file mode 100755 index 0000000..17c2a25 --- /dev/null +++ b/plugins/sudoers/regress/cvtsudoers/test4.sh @@ -0,0 +1,9 @@ +#!/bin/sh +# +# Test group and host filters, expanding aliases +# + +exec 2>&1 +./cvtsudoers -c "" -f sudoers -e -m group=wheel,host=blackhole $TESTDIR/sudoers + +exit 0 diff --git a/plugins/sudoers/regress/cvtsudoers/test5.out.ok b/plugins/sudoers/regress/cvtsudoers/test5.out.ok new file mode 100644 index 0000000..d209fdf --- /dev/null +++ b/plugins/sudoers/regress/cvtsudoers/test5.out.ok @@ -0,0 +1,6 @@ +Defaults syslog=auth +Defaults>root !set_logname +Defaults:FULLTIMERS !lecture +Defaults:millert !authenticate +Defaults@SERVERS log_year, logfile=/var/log/sudo.log +Defaults!PAGERS noexec diff --git a/plugins/sudoers/regress/cvtsudoers/test5.sh b/plugins/sudoers/regress/cvtsudoers/test5.sh new file mode 100755 index 0000000..1c41772 --- /dev/null +++ b/plugins/sudoers/regress/cvtsudoers/test5.sh @@ -0,0 +1,9 @@ +#!/bin/sh +# +# Test defaults type filtering +# + +exec 2>&1 +./cvtsudoers -c "" -f sudoers -s aliases,privileges -d all $TESTDIR/sudoers + +exit 0 diff --git a/plugins/sudoers/regress/cvtsudoers/test6.out.ok b/plugins/sudoers/regress/cvtsudoers/test6.out.ok new file mode 100644 index 0000000..5e65e61 --- /dev/null +++ b/plugins/sudoers/regress/cvtsudoers/test6.out.ok @@ -0,0 +1 @@ +Defaults syslog=auth diff --git a/plugins/sudoers/regress/cvtsudoers/test6.sh b/plugins/sudoers/regress/cvtsudoers/test6.sh new file mode 100755 index 0000000..289fad9 --- /dev/null +++ b/plugins/sudoers/regress/cvtsudoers/test6.sh @@ -0,0 +1,9 @@ +#!/bin/sh +# +# Test global defaults filtering +# + +exec 2>&1 +./cvtsudoers -c "" -f sudoers -s aliases,privileges -d global $TESTDIR/sudoers + +exit 0 diff --git a/plugins/sudoers/regress/cvtsudoers/test7.out.ok b/plugins/sudoers/regress/cvtsudoers/test7.out.ok new file mode 100644 index 0000000..381de43 --- /dev/null +++ b/plugins/sudoers/regress/cvtsudoers/test7.out.ok @@ -0,0 +1,2 @@ +Defaults:FULLTIMERS !lecture +Defaults:millert !authenticate diff --git a/plugins/sudoers/regress/cvtsudoers/test7.sh b/plugins/sudoers/regress/cvtsudoers/test7.sh new file mode 100755 index 0000000..63af529 --- /dev/null +++ b/plugins/sudoers/regress/cvtsudoers/test7.sh @@ -0,0 +1,9 @@ +#!/bin/sh +# +# Test user defaults filtering +# + +exec 2>&1 +./cvtsudoers -c "" -f sudoers -s aliases,privileges -d user $TESTDIR/sudoers + +exit 0 diff --git a/plugins/sudoers/regress/cvtsudoers/test8.out.ok b/plugins/sudoers/regress/cvtsudoers/test8.out.ok new file mode 100644 index 0000000..7079ee0 --- /dev/null +++ b/plugins/sudoers/regress/cvtsudoers/test8.out.ok @@ -0,0 +1 @@ +Defaults>root !set_logname diff --git a/plugins/sudoers/regress/cvtsudoers/test8.sh b/plugins/sudoers/regress/cvtsudoers/test8.sh new file mode 100755 index 0000000..785e0b5 --- /dev/null +++ b/plugins/sudoers/regress/cvtsudoers/test8.sh @@ -0,0 +1,9 @@ +#!/bin/sh +# +# Test runas defaults filtering +# + +exec 2>&1 +./cvtsudoers -c "" -f sudoers -s aliases,privileges -d runas $TESTDIR/sudoers + +exit 0 diff --git a/plugins/sudoers/regress/cvtsudoers/test9.out.ok b/plugins/sudoers/regress/cvtsudoers/test9.out.ok new file mode 100644 index 0000000..d2a39c4 --- /dev/null +++ b/plugins/sudoers/regress/cvtsudoers/test9.out.ok @@ -0,0 +1 @@ +Defaults@SERVERS log_year, logfile=/var/log/sudo.log diff --git a/plugins/sudoers/regress/cvtsudoers/test9.sh b/plugins/sudoers/regress/cvtsudoers/test9.sh new file mode 100755 index 0000000..de64a48 --- /dev/null +++ b/plugins/sudoers/regress/cvtsudoers/test9.sh @@ -0,0 +1,9 @@ +#!/bin/sh +# +# Test host defaults filtering +# + +exec 2>&1 +./cvtsudoers -c "" -f sudoers -s aliases,privileges -d host $TESTDIR/sudoers + +exit 0 |