diff options
Diffstat (limited to 'plugins/sudoers/regress/cvtsudoers')
91 files changed, 1896 insertions, 0 deletions
diff --git a/plugins/sudoers/regress/cvtsudoers/sudoers b/plugins/sudoers/regress/cvtsudoers/sudoers new file mode 100644 index 0000000..8a926f8 --- /dev/null +++ b/plugins/sudoers/regress/cvtsudoers/sudoers @@ -0,0 +1,126 @@ +# +# Sample /etc/sudoers file. +# +# This file MUST be edited with the 'visudo' command as root. +# +# See the sudoers man page for the details on how to write a sudoers file. + +## +# Override built-in defaults +## +Defaults syslog=auth +Defaults>root !set_logname +Defaults:FULLTIMERS !lecture +Defaults:millert !authenticate +Defaults@SERVERS log_year, logfile=/var/log/sudo.log +Defaults!PAGERS noexec + +## +# User alias specification +## +User_Alias FULLTIMERS = millert, mikef, dowdy +User_Alias PARTTIMERS = bostley, jwfox, crawl +User_Alias WEBADMIN = will, wendy, wim + +## +# Runas alias specification +## +Runas_Alias OP = root, operator +Runas_Alias DB = oracle, sybase + +## +# Host alias specification +## +Host_Alias SPARC = bigtime, eclipse, moet, anchor:\ + SGI = grolsch, dandelion, black:\ + ALPHA = widget, thalamus, foobar:\ + HPPA = boa, nag, python +Host_Alias CUNETS = 128.138.0.0/255.255.0.0 +Host_Alias CSNETS = 128.138.243.0, 128.138.204.0/24, 128.138.242.0 +Host_Alias SERVERS = primary, mail, www, ns +Host_Alias CDROM = orion, perseus, hercules + +## +# Cmnd alias specification +## +Cmnd_Alias DUMPS = /usr/sbin/dump, /usr/sbin/rdump, /usr/sbin/restore, \ + /usr/sbin/rrestore, /usr/bin/mt, \ + sha224:0GomF8mNN3wlDt1HD9XldjJ3SNgpFdbjO1+NsQ== \ + /home/operator/bin/start_backups +Cmnd_Alias KILL = /usr/bin/kill, /usr/bin/top +Cmnd_Alias PRINTING = /usr/sbin/lpc, /usr/bin/lprm +Cmnd_Alias SHUTDOWN = /usr/sbin/shutdown +Cmnd_Alias HALT = /usr/sbin/halt +Cmnd_Alias REBOOT = /usr/sbin/reboot +Cmnd_Alias SHELLS = /sbin/sh, /usr/bin/sh, /usr/bin/csh, /usr/bin/ksh, \ + /usr/local/bin/tcsh, /usr/bin/rsh, \ + /usr/local/bin/zsh +Cmnd_Alias SU = /usr/bin/su +Cmnd_Alias VIPW = /usr/sbin/vipw, /usr/bin/passwd, /usr/bin/chsh, \ + /usr/bin/chfn +Cmnd_Alias PAGERS = /usr/bin/more, /usr/bin/pg, /usr/bin/less + +## +# User specification +## + +# root and users in group wheel can run anything on any machine as any user +root ALL = (ALL) ALL +%wheel ALL = (ALL) ALL + +# full time sysadmins can run anything on any machine without a password +FULLTIMERS ALL = NOPASSWD: ALL + +# part time sysadmins may run anything but need a password +PARTTIMERS ALL = ALL + +# jack may run anything on machines in CSNETS +jack CSNETS = ALL + +# lisa may run any command on any host in CUNETS (a class B network) +lisa CUNETS = ALL + +# operator may run maintenance commands and anything in /usr/oper/bin/ +operator ALL = DUMPS, KILL, SHUTDOWN, HALT, REBOOT, PRINTING,\ + sudoedit /etc/printcap, /usr/oper/bin/ + +# joe may su only to operator +joe ALL = /usr/bin/su operator + +# pete may change passwords for anyone but root on the hp snakes +pete HPPA = /usr/bin/passwd [A-Za-z]*, !/usr/bin/passwd *root* + +# bob may run anything on the sparc and sgi machines as any user +# listed in the Runas_Alias "OP" (ie: root and operator) +bob SPARC = (OP) ALL : SGI = (OP) ALL + +# fred can run commands as oracle or sybase without a password +fred ALL = (DB) NOPASSWD: ALL + +# on the alphas, john may su to anyone but root and flags are not allowed +john ALPHA = /usr/bin/su [!-]*, !/usr/bin/su *root* + +# jen can run anything on all machines except the ones +# in the "SERVERS" Host_Alias +jen ALL, !SERVERS = ALL + +# jill can run any commands in the directory /usr/bin/, except for +# those in the SU and SHELLS aliases. +jill SERVERS = /usr/bin/, !SU, !SHELLS + +# steve can run any command in the directory /usr/local/op_commands/ +# as user operator. +steve CSNETS = (operator) /usr/local/op_commands/ + +# matt needs to be able to kill things on his workstation when +# they get hung. +matt valkyrie = KILL + +# users in the WEBADMIN User_Alias (will, wendy, and wim) +# may run any command as user www (which owns the web pages) +# or simply su to www. +WEBADMIN www = (www) ALL, (root) /usr/bin/su www + +# anyone can mount/unmount a cd-rom on the machines in the CDROM alias +ALL CDROM = NOPASSWD: /sbin/umount /CDROM,\ + /sbin/mount -o nosuid\,nodev /dev/cd0a /CDROM diff --git a/plugins/sudoers/regress/cvtsudoers/sudoers.defs b/plugins/sudoers/regress/cvtsudoers/sudoers.defs new file mode 100755 index 0000000..b374930 --- /dev/null +++ b/plugins/sudoers/regress/cvtsudoers/sudoers.defs @@ -0,0 +1,19 @@ +Defaults syslog=auth +Defaults>ROOT !set_logname +Defaults:FULLTIMERS !lecture +Defaults:millert !authenticate +Defaults@SERVERS log_year, logfile=/var/log/sudo.log +Defaults!PAGERS noexec + +User_Alias FULLTIMERS = millert, mikef, dowdy +User_Alias PARTTIMERS = bostley, jwfox, crawl + +Host_Alias SERVERS = primary, mail, www, ns +Host_Alias CDROM = orion, perseus, hercules + +Cmnd_Alias VIPW = /usr/sbin/vipw, /usr/bin/passwd, /usr/bin/chsh, \ + /usr/bin/chfn +Cmnd_Alias PAGERS = /usr/bin/more, /usr/bin/pg, /usr/bin/less + +Runas_Alias ROOT = root, toor +Runas_Alias OPERATOR = operator, backup diff --git a/plugins/sudoers/regress/cvtsudoers/sudoers1 b/plugins/sudoers/regress/cvtsudoers/sudoers1 new file mode 100644 index 0000000..d7a05ca --- /dev/null +++ b/plugins/sudoers/regress/cvtsudoers/sudoers1 @@ -0,0 +1,97 @@ +## sudoers file. +## +## This file MUST be edited with the 'visudo' command as root. +## Failure to use 'visudo' may result in syntax or file permission errors +## that prevent sudo from running. +## +## See the sudoers man page for the details on how to write a sudoers file. +## + +## +## Host alias specification +## +## Groups of machines. These may include host names (optionally with wildcards), +## IP addresses, network numbers or netgroups. +Host_Alias WEBSERVERS = www1, www2, www3 + +## +## User alias specification +## +## Groups of users. These may consist of user names, uids, Unix groups, +## or netgroups. +User_Alias ADMINS = millert, dowdy, mikef + +## +## Cmnd alias specification +## +## Groups of commands. Often used to group related commands together. +Cmnd_Alias PROCESSES = /usr/bin/nice, /bin/kill, /usr/bin/renice, \ + /usr/bin/pkill, /usr/bin/top +Cmnd_Alias REBOOT = /sbin/halt, /sbin/reboot, /sbin/poweroff + +## +## Defaults specification +## +## You may wish to keep some of the following environment variables +## when running commands via sudo. +## +## Locale settings +# Defaults env_keep += "LANG LANGUAGE LINGUAS LC_* _XKB_CHARSET" +## +## Run X applications through sudo; HOME is used to find the +## .Xauthority file. Note that other programs use HOME to find +## configuration files and this may lead to privilege escalation! +# Defaults env_keep += "HOME" +## +## X11 resource path settings +# Defaults env_keep += "XAPPLRESDIR XFILESEARCHPATH XUSERFILESEARCHPATH" +## +## Desktop path settings +# Defaults env_keep += "QTDIR KDEDIR" +## +## Allow sudo-run commands to inherit the callers' ConsoleKit session +# Defaults env_keep += "XDG_SESSION_COOKIE" +## +## Uncomment to enable special input methods. Care should be taken as +## this may allow users to subvert the command being run via sudo. +# Defaults env_keep += "XMODIFIERS GTK_IM_MODULE QT_IM_MODULE QT_IM_SWITCHER" +## +## Uncomment to use a hard-coded PATH instead of the user's to find commands +Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin" +## +## Uncomment to send mail if the user does not enter the correct password. +# Defaults mail_badpass +## +## Uncomment to enable logging of a command's output, except for +## sudoreplay and reboot. Use sudoreplay to play back logged sessions. +Defaults log_output +Defaults!/usr/bin/sudoreplay !log_output +Defaults!/usr/local/bin/sudoreplay !log_output +Defaults!REBOOT !log_output + +## +## Runas alias specification +## + +## +## User privilege specification +## +root ALL=(ALL) ALL +ALL ALL=(ALL) /usr/bin/id + +## Uncomment to allow members of group wheel to execute any command +# %wheel ALL=(ALL) ALL + +## Same thing without a password +# %wheel ALL=(ALL) NOPASSWD: ALL + +## Uncomment to allow members of group sudo to execute any command +# %sudo ALL=(ALL) ALL + +## Uncomment to allow any user to run sudo if they know the password +## of the user they are running the command as (root by default). +# Defaults targetpw # Ask for the password of the target user +# ALL ALL=(ALL) ALL # WARNING: only use this together with 'Defaults targetpw' + +## Read drop-in files from /etc/sudoers.d +#@includedir /etc/sudoers.d diff --git a/plugins/sudoers/regress/cvtsudoers/sudoers2 b/plugins/sudoers/regress/cvtsudoers/sudoers2 new file mode 100644 index 0000000..442d5e6 --- /dev/null +++ b/plugins/sudoers/regress/cvtsudoers/sudoers2 @@ -0,0 +1,97 @@ +## sudoers file. +## +## This file MUST be edited with the 'visudo' command as root. +## Failure to use 'visudo' may result in syntax or file permission errors +## that prevent sudo from running. +## +## See the sudoers man page for the details on how to write a sudoers file. +## + +## +## Host alias specification +## +## Groups of machines. These may include host names (optionally with wildcards), +## IP addresses, network numbers or netgroups. +Host_Alias WEBSERVERS = www1, www2, www3, www4 + +## +## User alias specification +## +## Groups of users. These may consist of user names, uids, Unix groups, +## or netgroups. +User_Alias ADMINS = millert, dowdy, mikef + +## +## Cmnd alias specification +## +## Groups of commands. Often used to group related commands together. +Cmnd_Alias PROCESSES = /usr/bin/nice, /bin/kill, /usr/bin/renice, \ + /usr/bin/pkill, /usr/bin/top +Cmnd_Alias REBOOT = /sbin/halt, /sbin/reboot, /sbin/poweroff + +## +## Defaults specification +## +## You may wish to keep some of the following environment variables +## when running commands via sudo. +## +## Locale settings +# Defaults env_keep += "LANG LANGUAGE LINGUAS LC_* _XKB_CHARSET" +## +## Run X applications through sudo; HOME is used to find the +## .Xauthority file. Note that other programs use HOME to find +## configuration files and this may lead to privilege escalation! +# Defaults env_keep += "HOME" +## +## X11 resource path settings +# Defaults env_keep += "XAPPLRESDIR XFILESEARCHPATH XUSERFILESEARCHPATH" +## +## Desktop path settings +# Defaults env_keep += "QTDIR KDEDIR" +## +## Allow sudo-run commands to inherit the callers' ConsoleKit session +# Defaults env_keep += "XDG_SESSION_COOKIE" +## +## Uncomment to enable special input methods. Care should be taken as +## this may allow users to subvert the command being run via sudo. +# Defaults env_keep += "XMODIFIERS GTK_IM_MODULE QT_IM_MODULE QT_IM_SWITCHER" +## +## Uncomment to use a hard-coded PATH instead of the user's to find commands +Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin" +## +## Uncomment to send mail if the user does not enter the correct password. +# Defaults mail_badpass +## +## Uncomment to enable logging of a command's output, except for +## sudoreplay and reboot. Use sudoreplay to play back logged sessions. +Defaults log_output +Defaults!/usr/bin/sudoreplay !log_output +Defaults!/usr/local/bin/sudoreplay !log_output +Defaults!REBOOT !log_output + +## +## Runas alias specification +## + +## +## User privilege specification +## +root ALL=(ALL) ALL +ALL ALL=(ALL) /usr/bin/id + +## Uncomment to allow members of group wheel to execute any command +# %wheel ALL=(ALL) ALL + +## Same thing without a password +# %wheel ALL=(ALL) NOPASSWD: ALL + +## Uncomment to allow members of group sudo to execute any command +# %sudo ALL=(ALL) ALL + +## Uncomment to allow any user to run sudo if they know the password +## of the user they are running the command as (root by default). +# Defaults targetpw # Ask for the password of the target user +# ALL ALL=(ALL) ALL # WARNING: only use this together with 'Defaults targetpw' + +## Read drop-in files from /etc/sudoers.d +#@includedir /etc/sudoers.d diff --git a/plugins/sudoers/regress/cvtsudoers/sudoers3 b/plugins/sudoers/regress/cvtsudoers/sudoers3 new file mode 100644 index 0000000..ee2769e --- /dev/null +++ b/plugins/sudoers/regress/cvtsudoers/sudoers3 @@ -0,0 +1,97 @@ +## sudoers file. +## +## This file MUST be edited with the 'visudo' command as root. +## Failure to use 'visudo' may result in syntax or file permission errors +## that prevent sudo from running. +## +## See the sudoers man page for the details on how to write a sudoers file. +## + +## +## Host alias specification +## +## Groups of machines. These may include host names (optionally with wildcards), +## IP addresses, network numbers or netgroups. +Host_Alias WEBSERVERS_1 = www1, www2, www3, www5 + +## +## User alias specification +## +## Groups of users. These may consist of user names, uids, Unix groups, +## or netgroups. +User_Alias ADMINS = millert, dowdy, mikef + +## +## Cmnd alias specification +## +## Groups of commands. Often used to group related commands together. +Cmnd_Alias PROCESSES = /usr/bin/nice, /bin/kill, /usr/bin/renice, \ + /usr/bin/pkill, /usr/bin/top +Cmnd_Alias REBOOT = /sbin/halt, /sbin/reboot, /sbin/poweroff + +## +## Defaults specification +## +## You may wish to keep some of the following environment variables +## when running commands via sudo. +## +## Locale settings +# Defaults env_keep += "LANG LANGUAGE LINGUAS LC_* _XKB_CHARSET" +## +## Run X applications through sudo; HOME is used to find the +## .Xauthority file. Note that other programs use HOME to find +## configuration files and this may lead to privilege escalation! +# Defaults env_keep += "HOME" +## +## X11 resource path settings +# Defaults env_keep += "XAPPLRESDIR XFILESEARCHPATH XUSERFILESEARCHPATH" +## +## Desktop path settings +# Defaults env_keep += "QTDIR KDEDIR" +## +## Allow sudo-run commands to inherit the callers' ConsoleKit session +# Defaults env_keep += "XDG_SESSION_COOKIE" +## +## Uncomment to enable special input methods. Care should be taken as +## this may allow users to subvert the command being run via sudo. +# Defaults env_keep += "XMODIFIERS GTK_IM_MODULE QT_IM_MODULE QT_IM_SWITCHER" +## +## Uncomment to use a hard-coded PATH instead of the user's to find commands +Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin" +## +## Uncomment to send mail if the user does not enter the correct password. +# Defaults mail_badpass +## +## Uncomment to enable logging of a command's output, except for +## sudoreplay and reboot. Use sudoreplay to play back logged sessions. +# Defaults log_output +# Defaults!/usr/bin/sudoreplay !log_output +# Defaults!/usr/local/bin/sudoreplay !log_output +# Defaults!REBOOT !log_output + +## +## Runas alias specification +## + +## +## User privilege specification +## +root ALL=(ALL) ALL +ALL ALL=(ALL) /usr/bin/id + +## Uncomment to allow members of group wheel to execute any command +# %wheel ALL=(ALL) ALL + +## Same thing without a password +# %wheel ALL=(ALL) NOPASSWD: ALL + +## Uncomment to allow members of group sudo to execute any command +# %sudo ALL=(ALL) ALL + +## Uncomment to allow any user to run sudo if they know the password +## of the user they are running the command as (root by default). +# Defaults targetpw # Ask for the password of the target user +# ALL ALL=(ALL) ALL # WARNING: only use this together with 'Defaults targetpw' + +## Read drop-in files from /etc/sudoers.d +#@includedir /etc/sudoers.d diff --git a/plugins/sudoers/regress/cvtsudoers/sudoers4 b/plugins/sudoers/regress/cvtsudoers/sudoers4 new file mode 100644 index 0000000..c85b0dc --- /dev/null +++ b/plugins/sudoers/regress/cvtsudoers/sudoers4 @@ -0,0 +1,97 @@ +## sudoers file. +## +## This file MUST be edited with the 'visudo' command as root. +## Failure to use 'visudo' may result in syntax or file permission errors +## that prevent sudo from running. +## +## See the sudoers man page for the details on how to write a sudoers file. +## + +## +## Host alias specification +## +## Groups of machines. These may include host names (optionally with wildcards), +## IP addresses, network numbers or netgroups. +Host_Alias WEBSERVERS_1 = www1, www2, www3, www5 + +## +## User alias specification +## +## Groups of users. These may consist of user names, uids, Unix groups, +## or netgroups. +User_Alias ADMINS = millert, dowdy, mikef + +## +## Cmnd alias specification +## +## Groups of commands. Often used to group related commands together. +Cmnd_Alias PROCESSES = /usr/bin/nice, /bin/kill, /usr/bin/renice, \ + /usr/bin/pkill, /usr/bin/top +Cmnd_Alias REBOOT = /sbin/halt, /sbin/reboot, /sbin/poweroff + +## +## Defaults specification +## +## You may wish to keep some of the following environment variables +## when running commands via sudo. +## +## Locale settings +# Defaults env_keep += "LANG LANGUAGE LINGUAS LC_* _XKB_CHARSET" +## +## Run X applications through sudo; HOME is used to find the +## .Xauthority file. Note that other programs use HOME to find +## configuration files and this may lead to privilege escalation! +# Defaults env_keep += "HOME" +## +## X11 resource path settings +# Defaults env_keep += "XAPPLRESDIR XFILESEARCHPATH XUSERFILESEARCHPATH" +## +## Desktop path settings +# Defaults env_keep += "QTDIR KDEDIR" +## +## Allow sudo-run commands to inherit the callers' ConsoleKit session +# Defaults env_keep += "XDG_SESSION_COOKIE" +## +## Uncomment to enable special input methods. Care should be taken as +## this may allow users to subvert the command being run via sudo. +# Defaults env_keep += "XMODIFIERS GTK_IM_MODULE QT_IM_MODULE QT_IM_SWITCHER" +## +## Uncomment to use a hard-coded PATH instead of the user's to find commands +Defaults secure_path="/opt/sudo/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin" +## +## Uncomment to send mail if the user does not enter the correct password. +# Defaults mail_badpass +## +## Uncomment to enable logging of a command's output, except for +## sudoreplay and reboot. Use sudoreplay to play back logged sessions. +# Defaults log_output +# Defaults!/usr/bin/sudoreplay !log_output +# Defaults!/usr/local/bin/sudoreplay !log_output +# Defaults!REBOOT !log_output + +## +## Runas alias specification +## + +## +## User privilege specification +## +root ALL=(ALL) ALL +ALL ALL=(ALL) /usr/bin/id + +## Uncomment to allow members of group wheel to execute any command +# %wheel ALL=(ALL) ALL + +## Same thing without a password +# %wheel ALL=(ALL) NOPASSWD: ALL + +## Uncomment to allow members of group sudo to execute any command +# %sudo ALL=(ALL) ALL + +## Uncomment to allow any user to run sudo if they know the password +## of the user they are running the command as (root by default). +# Defaults targetpw # Ask for the password of the target user +# ALL ALL=(ALL) ALL # WARNING: only use this together with 'Defaults targetpw' + +## Read drop-in files from /etc/sudoers.d +#@includedir /etc/sudoers.d diff --git a/plugins/sudoers/regress/cvtsudoers/test1.out.ok b/plugins/sudoers/regress/cvtsudoers/test1.out.ok new file mode 100644 index 0000000..da3f555 --- /dev/null +++ b/plugins/sudoers/regress/cvtsudoers/test1.out.ok @@ -0,0 +1,14 @@ +Defaults syslog=auth +Defaults>root !set_logname +Defaults:FULLTIMERS !lecture +Defaults:millert !authenticate +Defaults!PAGERS noexec + +Host_Alias CDROM = orion, perseus, hercules +User_Alias FULLTIMERS = millert, mikef, dowdy +Cmnd_Alias PAGERS = /usr/bin/more, /usr/bin/pg, /usr/bin/less + +FULLTIMERS ALL = NOPASSWD: ALL + +ALL CDROM = NOPASSWD: /sbin/umount /CDROM, /sbin/mount -o nosuid\,nodev\ + /dev/cd0a /CDROM diff --git a/plugins/sudoers/regress/cvtsudoers/test1.sh b/plugins/sudoers/regress/cvtsudoers/test1.sh new file mode 100755 index 0000000..ba5f87f --- /dev/null +++ b/plugins/sudoers/regress/cvtsudoers/test1.sh @@ -0,0 +1,10 @@ +#!/bin/sh +# +# Test user and host filters +# + +: ${CVTSUDOERS=cvtsudoers} + +$CVTSUDOERS -c "" -f sudoers -m user=millert,host=hercules $TESTDIR/sudoers + +exit 0 diff --git a/plugins/sudoers/regress/cvtsudoers/test10.out.ok b/plugins/sudoers/regress/cvtsudoers/test10.out.ok new file mode 100644 index 0000000..26a05d2 --- /dev/null +++ b/plugins/sudoers/regress/cvtsudoers/test10.out.ok @@ -0,0 +1 @@ +Defaults!PAGERS noexec diff --git a/plugins/sudoers/regress/cvtsudoers/test10.sh b/plugins/sudoers/regress/cvtsudoers/test10.sh new file mode 100755 index 0000000..38550a9 --- /dev/null +++ b/plugins/sudoers/regress/cvtsudoers/test10.sh @@ -0,0 +1,10 @@ +#!/bin/sh +# +# Test command defaults filtering +# + +: ${CVTSUDOERS=cvtsudoers} + +$CVTSUDOERS -c "" -f sudoers -s aliases,privileges -d command $TESTDIR/sudoers + +exit 0 diff --git a/plugins/sudoers/regress/cvtsudoers/test11.out.ok b/plugins/sudoers/regress/cvtsudoers/test11.out.ok new file mode 100644 index 0000000..5c4c4e8 --- /dev/null +++ b/plugins/sudoers/regress/cvtsudoers/test11.out.ok @@ -0,0 +1,7 @@ +Defaults!PAGERS noexec + +Host_Alias CDROM = orion, perseus, hercules +Runas_Alias OPERATOR = operator, backup +Cmnd_Alias PAGERS = /usr/bin/more, /usr/bin/pg, /usr/bin/less +User_Alias PARTTIMERS = bostley, jwfox, crawl +Cmnd_Alias VIPW = /usr/sbin/vipw, /usr/bin/passwd, /usr/bin/chsh, /usr/bin/chfn diff --git a/plugins/sudoers/regress/cvtsudoers/test11.sh b/plugins/sudoers/regress/cvtsudoers/test11.sh new file mode 100755 index 0000000..f8d37ef --- /dev/null +++ b/plugins/sudoers/regress/cvtsudoers/test11.sh @@ -0,0 +1,8 @@ +#!/bin/sh +# +# Test that Aliases are removed when filtering by defaults type +# + +: ${CVTSUDOERS=cvtsudoers} + +$CVTSUDOERS -c "" -f sudoers -d command $TESTDIR/sudoers.defs diff --git a/plugins/sudoers/regress/cvtsudoers/test12.out.ok b/plugins/sudoers/regress/cvtsudoers/test12.out.ok new file mode 100644 index 0000000..7f2b15e --- /dev/null +++ b/plugins/sudoers/regress/cvtsudoers/test12.out.ok @@ -0,0 +1,8 @@ +Defaults:FULLTIMERS !lecture +Defaults:millert !authenticate + +Host_Alias CDROM = orion, perseus, hercules +User_Alias FULLTIMERS = millert, mikef, dowdy +Runas_Alias OPERATOR = operator, backup +User_Alias PARTTIMERS = bostley, jwfox, crawl +Cmnd_Alias VIPW = /usr/sbin/vipw, /usr/bin/passwd, /usr/bin/chsh, /usr/bin/chfn diff --git a/plugins/sudoers/regress/cvtsudoers/test12.sh b/plugins/sudoers/regress/cvtsudoers/test12.sh new file mode 100755 index 0000000..dd2cab0 --- /dev/null +++ b/plugins/sudoers/regress/cvtsudoers/test12.sh @@ -0,0 +1,8 @@ +#!/bin/sh +# +# Test that Aliases are removed when filtering by defaults type +# + +: ${CVTSUDOERS=cvtsudoers} + +$CVTSUDOERS -c "" -f sudoers -d user $TESTDIR/sudoers.defs diff --git a/plugins/sudoers/regress/cvtsudoers/test13.out.ok b/plugins/sudoers/regress/cvtsudoers/test13.out.ok new file mode 100644 index 0000000..5276327 --- /dev/null +++ b/plugins/sudoers/regress/cvtsudoers/test13.out.ok @@ -0,0 +1,7 @@ +Defaults@SERVERS log_year, logfile=/var/log/sudo.log + +Host_Alias CDROM = orion, perseus, hercules +Runas_Alias OPERATOR = operator, backup +User_Alias PARTTIMERS = bostley, jwfox, crawl +Host_Alias SERVERS = primary, mail, www, ns +Cmnd_Alias VIPW = /usr/sbin/vipw, /usr/bin/passwd, /usr/bin/chsh, /usr/bin/chfn diff --git a/plugins/sudoers/regress/cvtsudoers/test13.sh b/plugins/sudoers/regress/cvtsudoers/test13.sh new file mode 100755 index 0000000..8ee6000 --- /dev/null +++ b/plugins/sudoers/regress/cvtsudoers/test13.sh @@ -0,0 +1,8 @@ +#!/bin/sh +# +# Test that Aliases are removed when filtering by defaults type +# + +: ${CVTSUDOERS=cvtsudoers} + +$CVTSUDOERS -c "" -f sudoers -d host $TESTDIR/sudoers.defs diff --git a/plugins/sudoers/regress/cvtsudoers/test14.out.ok b/plugins/sudoers/regress/cvtsudoers/test14.out.ok new file mode 100644 index 0000000..3f7710a --- /dev/null +++ b/plugins/sudoers/regress/cvtsudoers/test14.out.ok @@ -0,0 +1,7 @@ +Defaults>ROOT !set_logname + +Host_Alias CDROM = orion, perseus, hercules +Runas_Alias OPERATOR = operator, backup +User_Alias PARTTIMERS = bostley, jwfox, crawl +Runas_Alias ROOT = root, toor +Cmnd_Alias VIPW = /usr/sbin/vipw, /usr/bin/passwd, /usr/bin/chsh, /usr/bin/chfn diff --git a/plugins/sudoers/regress/cvtsudoers/test14.sh b/plugins/sudoers/regress/cvtsudoers/test14.sh new file mode 100755 index 0000000..4486faa --- /dev/null +++ b/plugins/sudoers/regress/cvtsudoers/test14.sh @@ -0,0 +1,8 @@ +#!/bin/sh +# +# Test that Aliases are removed when filtering by defaults type +# + +: ${CVTSUDOERS=cvtsudoers} + +$CVTSUDOERS -c "" -f sudoers -d runas $TESTDIR/sudoers.defs diff --git a/plugins/sudoers/regress/cvtsudoers/test15.out.ok b/plugins/sudoers/regress/cvtsudoers/test15.out.ok new file mode 100644 index 0000000..5177139 --- /dev/null +++ b/plugins/sudoers/regress/cvtsudoers/test15.out.ok @@ -0,0 +1 @@ +user1 host1, host2, host3 = ALL diff --git a/plugins/sudoers/regress/cvtsudoers/test15.sh b/plugins/sudoers/regress/cvtsudoers/test15.sh new file mode 100755 index 0000000..6d65c78 --- /dev/null +++ b/plugins/sudoers/regress/cvtsudoers/test15.sh @@ -0,0 +1,10 @@ +#!/bin/sh +# +# Test filters and pruning +# + +: ${CVTSUDOERS=cvtsudoers} + +$CVTSUDOERS -c "" -f sudoers -p -m user=user1 <<EOF +user1, user2, user3, %group1 host1, host2, host3 = ALL +EOF diff --git a/plugins/sudoers/regress/cvtsudoers/test16.out.ok b/plugins/sudoers/regress/cvtsudoers/test16.out.ok new file mode 100644 index 0000000..38359b1 --- /dev/null +++ b/plugins/sudoers/regress/cvtsudoers/test16.out.ok @@ -0,0 +1 @@ +user2 host2 = ALL diff --git a/plugins/sudoers/regress/cvtsudoers/test16.sh b/plugins/sudoers/regress/cvtsudoers/test16.sh new file mode 100755 index 0000000..4a1632c --- /dev/null +++ b/plugins/sudoers/regress/cvtsudoers/test16.sh @@ -0,0 +1,10 @@ +#!/bin/sh +# +# Test filters and pruning +# + +: ${CVTSUDOERS=cvtsudoers} + +$CVTSUDOERS -c "" -f sudoers -p -m user=user2,host=host2 <<EOF +user1, user2, user3, %group1 host1, host2, host3 = ALL +EOF diff --git a/plugins/sudoers/regress/cvtsudoers/test17.out.ok b/plugins/sudoers/regress/cvtsudoers/test17.out.ok new file mode 100644 index 0000000..d35dd06 --- /dev/null +++ b/plugins/sudoers/regress/cvtsudoers/test17.out.ok @@ -0,0 +1 @@ +%group1 host1 = ALL diff --git a/plugins/sudoers/regress/cvtsudoers/test17.sh b/plugins/sudoers/regress/cvtsudoers/test17.sh new file mode 100755 index 0000000..e8e8082 --- /dev/null +++ b/plugins/sudoers/regress/cvtsudoers/test17.sh @@ -0,0 +1,10 @@ +#!/bin/sh +# +# Test filters and pruning +# + +: ${CVTSUDOERS=cvtsudoers} + +$CVTSUDOERS -c "" -f sudoers -p -m group=group1,host=host1 <<EOF +user1, user2, user3, %group1 host1, host2, host3 = ALL +EOF diff --git a/plugins/sudoers/regress/cvtsudoers/test18.out.ok b/plugins/sudoers/regress/cvtsudoers/test18.out.ok new file mode 100644 index 0000000..3055452 --- /dev/null +++ b/plugins/sudoers/regress/cvtsudoers/test18.out.ok @@ -0,0 +1 @@ +%group1 ALL = ALL diff --git a/plugins/sudoers/regress/cvtsudoers/test18.sh b/plugins/sudoers/regress/cvtsudoers/test18.sh new file mode 100755 index 0000000..cceed89 --- /dev/null +++ b/plugins/sudoers/regress/cvtsudoers/test18.sh @@ -0,0 +1,10 @@ +#!/bin/sh +# +# Test filters and pruning +# + +: ${CVTSUDOERS=cvtsudoers} + +$CVTSUDOERS -c "" -f sudoers -p -m group=group1,host=somehost <<EOF +user1, user2, user3, %group1 ALL = ALL +EOF diff --git a/plugins/sudoers/regress/cvtsudoers/test19.out.ok b/plugins/sudoers/regress/cvtsudoers/test19.out.ok new file mode 100644 index 0000000..66b95ac --- /dev/null +++ b/plugins/sudoers/regress/cvtsudoers/test19.out.ok @@ -0,0 +1,11 @@ +Defaults syslog=auth +Defaults>root !set_logname +Defaults:FULLTIMERS !lecture +Defaults@SERVERS log_year, logfile=/var/log/sudo.log +Defaults!PAGERS noexec + +User_Alias FULLTIMERS = millert, mikef, dowdy +Cmnd_Alias PAGERS = /usr/bin/more, /usr/bin/pg, /usr/bin/less +Host_Alias SERVERS = primary, mail, www, ns + +FULLTIMERS ALL = NOPASSWD: ALL diff --git a/plugins/sudoers/regress/cvtsudoers/test19.sh b/plugins/sudoers/regress/cvtsudoers/test19.sh new file mode 100755 index 0000000..b3c1bf7 --- /dev/null +++ b/plugins/sudoers/regress/cvtsudoers/test19.sh @@ -0,0 +1,8 @@ +#!/bin/sh +# +# Test filters and pruning; alias contents don't get pruned +# + +: ${CVTSUDOERS=cvtsudoers} + +$CVTSUDOERS -c "" -f sudoers -p -m user=FULLTIMERS,host=SERVERS $TESTDIR/sudoers diff --git a/plugins/sudoers/regress/cvtsudoers/test2.out.ok b/plugins/sudoers/regress/cvtsudoers/test2.out.ok new file mode 100644 index 0000000..d99e0e5 --- /dev/null +++ b/plugins/sudoers/regress/cvtsudoers/test2.out.ok @@ -0,0 +1,10 @@ +Defaults syslog=auth +Defaults>root !set_logname +Defaults:millert, mikef, dowdy !lecture +Defaults:millert !authenticate +Defaults!/usr/bin/more, /usr/bin/pg, /usr/bin/less noexec + +millert, mikef, dowdy ALL = NOPASSWD: ALL + +ALL orion, perseus, hercules = NOPASSWD: /sbin/umount /CDROM, /sbin/mount -o\ + nosuid\,nodev /dev/cd0a /CDROM diff --git a/plugins/sudoers/regress/cvtsudoers/test2.sh b/plugins/sudoers/regress/cvtsudoers/test2.sh new file mode 100755 index 0000000..70e9553 --- /dev/null +++ b/plugins/sudoers/regress/cvtsudoers/test2.sh @@ -0,0 +1,10 @@ +#!/bin/sh +# +# Test user and host filters, expanding aliases +# + +: ${CVTSUDOERS=cvtsudoers} + +$CVTSUDOERS -c "" -f sudoers -e -m user=millert,host=hercules $TESTDIR/sudoers + +exit 0 diff --git a/plugins/sudoers/regress/cvtsudoers/test20.conf b/plugins/sudoers/regress/cvtsudoers/test20.conf new file mode 100644 index 0000000..b60725c --- /dev/null +++ b/plugins/sudoers/regress/cvtsudoers/test20.conf @@ -0,0 +1,6 @@ +defaults = global +expand_aliases = yes +input_format = sudoers +match = user=user2 +output_format = sudoers +prune_matches = yes diff --git a/plugins/sudoers/regress/cvtsudoers/test20.out.ok b/plugins/sudoers/regress/cvtsudoers/test20.out.ok new file mode 100644 index 0000000..79b420b --- /dev/null +++ b/plugins/sudoers/regress/cvtsudoers/test20.out.ok @@ -0,0 +1 @@ +user2 ALL = /usr/bin/id diff --git a/plugins/sudoers/regress/cvtsudoers/test20.sh b/plugins/sudoers/regress/cvtsudoers/test20.sh new file mode 100755 index 0000000..e651e16 --- /dev/null +++ b/plugins/sudoers/regress/cvtsudoers/test20.sh @@ -0,0 +1,13 @@ +#!/bin/sh +# +# Test cvtsudoers.conf +# + +: ${CVTSUDOERS=cvtsudoers} + +$CVTSUDOERS -c $TESTDIR/test20.conf <<EOF +Defaults:SOMEUSERS authenticate, timestamp_timeout=0 +User_Alias SOMEUSERS = user1, user2, user3 + +SOMEUSERS ALL = /usr/bin/id +EOF diff --git a/plugins/sudoers/regress/cvtsudoers/test21.conf b/plugins/sudoers/regress/cvtsudoers/test21.conf new file mode 100644 index 0000000..01fd3a3 --- /dev/null +++ b/plugins/sudoers/regress/cvtsudoers/test21.conf @@ -0,0 +1,8 @@ +defaults = all +expand_aliases = no +input_format = sudoers +order_increment = 10 +order_start = 1000 +output_format = ldif +sudoers_base = ou=SUDOers,dc=my-domain,dc=com +suppress = defaults diff --git a/plugins/sudoers/regress/cvtsudoers/test21.out.ok b/plugins/sudoers/regress/cvtsudoers/test21.out.ok new file mode 100644 index 0000000..78285f1 --- /dev/null +++ b/plugins/sudoers/regress/cvtsudoers/test21.out.ok @@ -0,0 +1,24 @@ +dn: cn=ALL,ou=SUDOers,dc=my-domain,dc=com +objectClass: top +objectClass: sudoRole +cn: ALL +sudoUser: ALL +sudoHost: ALL +sudoRunAsUser: +sudoOption: !authenticate +sudoCommand: /usr/bin/id +sudoOrder: 1000 + +dn: cn=FULLTIMERS,ou=SUDOers,dc=my-domain,dc=com +objectClass: top +objectClass: sudoRole +cn: FULLTIMERS +sudoUser: user1 +sudoUser: user2 +sudoUser: user3 +sudoHost: ALL +sudoRunAsUser: ALL +sudoRunAsGroup: ALL +sudoCommand: ALL +sudoOrder: 1010 + diff --git a/plugins/sudoers/regress/cvtsudoers/test21.sh b/plugins/sudoers/regress/cvtsudoers/test21.sh new file mode 100755 index 0000000..836a353 --- /dev/null +++ b/plugins/sudoers/regress/cvtsudoers/test21.sh @@ -0,0 +1,14 @@ +#!/bin/sh +# +# Test cvtsudoers.conf +# + +: ${CVTSUDOERS=cvtsudoers} + +$CVTSUDOERS -c $TESTDIR/test21.conf <<EOF +Defaults authenticate, timestamp_timeout=0 +User_Alias FULLTIMERS = user1, user2, user3 + +ALL ALL = (:) NOPASSWD:/usr/bin/id +FULLTIMERS ALL = (ALL:ALL) ALL +EOF diff --git a/plugins/sudoers/regress/cvtsudoers/test22.out.ok b/plugins/sudoers/regress/cvtsudoers/test22.out.ok new file mode 100644 index 0000000..d404815 --- /dev/null +++ b/plugins/sudoers/regress/cvtsudoers/test22.out.ok @@ -0,0 +1,31 @@ +dn: cn=defaults,ou=SUDOers,dc=sudo,dc=ws +objectClass: top +objectClass: sudoRole +cn: defaults +description: Default sudoOption's go here +sudoOption: log_output + +dn: cn=root,ou=SUDOers,dc=sudo,dc=ws +objectClass: top +objectClass: sudoRole +cn: root +sudoUser: root +sudoHost: ALL +sudoRunAsUser: ALL +sudoRunAsGroup: ALL +sudoOption: !authenticate +sudoCommand: ALL +sudoOrder: 10 + +dn: cn=%wheel,ou=SUDOers,dc=sudo,dc=ws +objectClass: top +objectClass: sudoRole +cn: %wheel +sudoUser: %wheel +sudoHost: +sudo-hosts +sudoRunAsUser: ALL +sudoRunAsGroup: ALL +sudoOption: !authenticate +sudoCommand: ALL +sudoOrder: 20 + diff --git a/plugins/sudoers/regress/cvtsudoers/test22.sh b/plugins/sudoers/regress/cvtsudoers/test22.sh new file mode 100755 index 0000000..9b4899b --- /dev/null +++ b/plugins/sudoers/regress/cvtsudoers/test22.sh @@ -0,0 +1,73 @@ +#!/bin/sh +# +# Test LDAP base filtering. +# + +: ${CVTSUDOERS=cvtsudoers} + +$CVTSUDOERS -c "" -i ldif -b "ou=SUDOers,dc=sudo,dc=ws" -I 10 -O 10 <<EOF +dn: dc=sudo,dc=ws +objectClass: dcObject +objectClass: organization +dc: courtesan +o: Sudo World Headquarters +description: Sudo World Headquarters + +# Organizational Role for Directory Manager +dn: cn=Manager,dc=sudo,dc=ws +objectClass: organizationalRole +cn: Manager +description: Directory Manager + +# SUDOers, sudo.ws +dn: ou=SUDOers,dc=sudo,dc=ws +objectClass: top +objectClass: organizationalUnit +description: SUDO Configuration Subtree +ou: SUDOers + +# defaults, SUDOers, sudo.ws +dn: cn=defaults,ou=SUDOers,dc=sudo,dc=ws +objectClass: top +objectClass: sudoRole +cn: defaults +description: Default sudoOption's go here +sudoOption: log_output + +# root, SUDOers, sudo.ws +dn: cn=root,ou=SUDOers,dc=sudo,dc=ws +objectClass: top +objectClass: sudoRole +cn: root +sudoUser: root +sudoRunAsUser: ALL +sudoRunAsGroup: ALL +sudoHost: ALL +sudoCommand: ALL +sudoOption: !authenticate +sudoOrder: 10 + +# %wheel, SUDOers, sudo.ws +dn: cn=%wheel,ou=SUDOers,dc=sudo,dc=ws +objectClass: top +objectClass: sudoRole +cn: %wheel +sudoUser: %wheel +sudoRunAsUser: ALL +sudoRunAsGroup: ALL +sudoHost: +sudo-hosts +sudoCommand: ALL +sudoOption: !authenticate +sudoOrder: 10 + +# millert, SUDOers, other-domain.com +dn: cn=millert,ou=SUDOers,dc=other-domain,dc=com +objectClass: top +objectClass: sudoRole +cn: millert +sudoUser: millert +sudoRunAsUser: ALL +sudoRunAsGroup: ALL +sudoHost: ALL +sudoOrder: 5 +EOF diff --git a/plugins/sudoers/regress/cvtsudoers/test23.out.ok b/plugins/sudoers/regress/cvtsudoers/test23.out.ok new file mode 100644 index 0000000..7fc33c2 --- /dev/null +++ b/plugins/sudoers/regress/cvtsudoers/test23.out.ok @@ -0,0 +1,20 @@ +Defaults logfile=/var/log/sudo + +root ALL = (ALL) ALL + +%wheel ALL = (ALL) ALL + ++admins ALL = NOPASSWD: ALL + +jack 128.138.204.0/24, 128.138.242.0, 128.138.243.0 = ALL + +lisa 128.138.0.0/255.255.0.0 = ALL + +operator ALL = /usr/sbin/dump, /usr/sbin/rdump, /usr/sbin/restore,\ + /usr/sbin/rrestore, /usr/bin/mt,\ + sha224:0GomF8mNN3wlDt1HD9XldjJ3SNgpFdbjO1+NsQ==\ + /home/operator/bin/start_backups, /usr/bin/kill, /usr/bin/top,\ + /usr/sbin/shutdown, /usr/sbin/halt, /usr/sbin/reboot, /usr/sbin/lpc,\ + /usr/bin/lprm, sudoedit /etc/printcap, /usr/oper/bin/ + +joe ALL = /usr/bin/su operator diff --git a/plugins/sudoers/regress/cvtsudoers/test23.sh b/plugins/sudoers/regress/cvtsudoers/test23.sh new file mode 100755 index 0000000..02b8238 --- /dev/null +++ b/plugins/sudoers/regress/cvtsudoers/test23.sh @@ -0,0 +1,9 @@ +#!/bin/sh +# +# Test round-tripping of sudoers -> LDIF -> sudoers +# + +: ${CVTSUDOERS=cvtsudoers} + +$CVTSUDOERS -c "" -b "ou=SUDOers,dc=sudo,dc=ws" $TESTDIR/test23.out.ok | \ + $CVTSUDOERS -c "" -i LDIF -f sudoers | grep -v '^#' diff --git a/plugins/sudoers/regress/cvtsudoers/test24.out.ok b/plugins/sudoers/regress/cvtsudoers/test24.out.ok new file mode 100644 index 0000000..0951767 --- /dev/null +++ b/plugins/sudoers/regress/cvtsudoers/test24.out.ok @@ -0,0 +1,89 @@ +dn: cn=defaults,ou=SUDOers,dc=sudo,dc=ws +objectClass: top +objectClass: sudoRole +cn: defaults +description: Default sudoOption's go here +sudoOption: logfile=/var/log/sudo + +dn: cn=root,ou=SUDOers,dc=sudo,dc=ws +objectClass: top +objectClass: sudoRole +cn: root +sudoUser: root +sudoHost: ALL +sudoRunAsUser: ALL +sudoCommand: ALL +sudoOrder: 1 + +dn: cn=%wheel,ou=SUDOers,dc=sudo,dc=ws +objectClass: top +objectClass: sudoRole +cn: %wheel +sudoUser: %wheel +sudoHost: ALL +sudoRunAsUser: ALL +sudoCommand: ALL +sudoOrder: 2 + +dn: cn=\+admins,ou=SUDOers,dc=sudo,dc=ws +objectClass: top +objectClass: sudoRole +cn: \+admins +sudoUser: +admins +sudoHost: ALL +sudoOption: !authenticate +sudoCommand: ALL +sudoOrder: 3 + +dn: cn=jack,ou=SUDOers,dc=sudo,dc=ws +objectClass: top +objectClass: sudoRole +cn: jack +sudoUser: jack +sudoHost: 128.138.204.0/24 +sudoHost: 128.138.242.0 +sudoHost: 128.138.243.0 +sudoCommand: ALL +sudoOrder: 4 + +dn: cn=lisa,ou=SUDOers,dc=sudo,dc=ws +objectClass: top +objectClass: sudoRole +cn: lisa +sudoUser: lisa +sudoHost: 128.138.0.0/255.255.0.0 +sudoCommand: ALL +sudoOrder: 5 + +dn: cn=operator,ou=SUDOers,dc=sudo,dc=ws +objectClass: top +objectClass: sudoRole +cn: operator +sudoUser: operator +sudoHost: ALL +sudoCommand: /usr/sbin/dump +sudoCommand: /usr/sbin/rdump +sudoCommand: /usr/sbin/restore +sudoCommand: /usr/sbin/rrestore +sudoCommand: /usr/bin/mt +sudoCommand: sha224:0GomF8mNN3wlDt1HD9XldjJ3SNgpFdbjO1+NsQ== /home/operator/bin/start_backups +sudoCommand: /usr/bin/kill +sudoCommand: /usr/bin/top +sudoCommand: /usr/sbin/shutdown +sudoCommand: /usr/sbin/halt +sudoCommand: /usr/sbin/reboot +sudoCommand: /usr/sbin/lpc +sudoCommand: /usr/bin/lprm +sudoCommand: sudoedit /etc/printcap +sudoCommand: /usr/oper/bin/ +sudoOrder: 6 + +dn: cn=joe,ou=SUDOers,dc=sudo,dc=ws +objectClass: top +objectClass: sudoRole +cn: joe +sudoUser: joe +sudoHost: ALL +sudoCommand: /usr/bin/su operator +sudoOrder: 7 + diff --git a/plugins/sudoers/regress/cvtsudoers/test24.sh b/plugins/sudoers/regress/cvtsudoers/test24.sh new file mode 100755 index 0000000..72d9983 --- /dev/null +++ b/plugins/sudoers/regress/cvtsudoers/test24.sh @@ -0,0 +1,9 @@ +#!/bin/sh +# +# Test round-tripping of LDIF -> sudoers -> LDIF +# + +: ${CVTSUDOERS=cvtsudoers} + +$CVTSUDOERS -c "" -i LDIF -f sudoers $TESTDIR/test24.out.ok | \ + $CVTSUDOERS -c "" -b "ou=SUDOers,dc=sudo,dc=ws" diff --git a/plugins/sudoers/regress/cvtsudoers/test25.out.ok b/plugins/sudoers/regress/cvtsudoers/test25.out.ok new file mode 100644 index 0000000..d404815 --- /dev/null +++ b/plugins/sudoers/regress/cvtsudoers/test25.out.ok @@ -0,0 +1,31 @@ +dn: cn=defaults,ou=SUDOers,dc=sudo,dc=ws +objectClass: top +objectClass: sudoRole +cn: defaults +description: Default sudoOption's go here +sudoOption: log_output + +dn: cn=root,ou=SUDOers,dc=sudo,dc=ws +objectClass: top +objectClass: sudoRole +cn: root +sudoUser: root +sudoHost: ALL +sudoRunAsUser: ALL +sudoRunAsGroup: ALL +sudoOption: !authenticate +sudoCommand: ALL +sudoOrder: 10 + +dn: cn=%wheel,ou=SUDOers,dc=sudo,dc=ws +objectClass: top +objectClass: sudoRole +cn: %wheel +sudoUser: %wheel +sudoHost: +sudo-hosts +sudoRunAsUser: ALL +sudoRunAsGroup: ALL +sudoOption: !authenticate +sudoCommand: ALL +sudoOrder: 20 + diff --git a/plugins/sudoers/regress/cvtsudoers/test25.sh b/plugins/sudoers/regress/cvtsudoers/test25.sh new file mode 100755 index 0000000..bbb9b51 --- /dev/null +++ b/plugins/sudoers/regress/cvtsudoers/test25.sh @@ -0,0 +1,53 @@ +#!/bin/sh +# +# Test LDIF base64 attribute parsing +# + +: ${CVTSUDOERS=cvtsudoers} + +$CVTSUDOERS -c "" -i ldif -b "ou=SUDOers,dc=sudo,dc=ws" -I 10 -O 10 <<EOF +# defaults, SUDOers, sudo.ws +dn:: Y249ZGVmYXVsdHMsb3U9U1VET2VycyxkYz1zdWRvLGRjPXdz +objectClass: top +objectClass: sudoRole +cn: defaults +description: Default sudoOption's go here +sudoOption:: bG9nX291dHB1dA== + +# root, SUDOers, sudo.ws +dn:: Y249cm9vdCxvdT1TVURPZXJzLGRjPXN1ZG8sZGM9d3M= +objectClass: top +objectClass: sudoRole +cn: root +sudoUser: root +sudoRunAsUser: ALL +sudoRunAsGroup: ALL +sudoHost: ALL +sudoCommand: ALL +sudoOption: !authenticate +sudoOrder: 10 + +# %wheel, SUDOers, sudo.ws +dn:: Y249JXdoZWVsLG91PVNVRE9lcnMsZGM9c3VkbyxkYz13cw== +objectClass: top +objectClass: sudoRole +cn: %wheel +sudoUser: %wheel +sudoRunAsUser: ALL +sudoRunAsGroup: ALL +sudoHost: +sudo-hosts +sudoCommand: ALL +sudoOption: !authenticate +sudoOrder: 10 + +# millert, SUDOers, other-domain.com +dn:: Y249bWlsbGVydCxvdT1TVURPZXJzLGRjPW90aGVyLWRvbWFpbixkYz1jb20= +objectClass: top +objectClass: sudoRole +cn: millert +sudoUser: millert +sudoRunAsUser: ALL +sudoRunAsGroup: ALL +sudoHost: ALL +sudoOrder: 5 +EOF diff --git a/plugins/sudoers/regress/cvtsudoers/test26.err.ok b/plugins/sudoers/regress/cvtsudoers/test26.err.ok new file mode 100644 index 0000000..a9c5e6a --- /dev/null +++ b/plugins/sudoers/regress/cvtsudoers/test26.err.ok @@ -0,0 +1,3 @@ +cvtsudoers: invalid LDIF attribute: sudoOption:: bG9nX29@1dHB1dA== +cvtsudoers: invalid LDIF attribute: dn:: Y249cm9vdCxvdT1TVURPZXJzLGRjPXN1ZG8sZGM9_d3M= +cvtsudoers: invalid LDIF attribute: dn:: Y249JXdoZWVsLG91PVNVRE9lcnMsZGM9c3VkbyxkYz13cw!== diff --git a/plugins/sudoers/regress/cvtsudoers/test26.out.ok b/plugins/sudoers/regress/cvtsudoers/test26.out.ok new file mode 100644 index 0000000..e69de29 --- /dev/null +++ b/plugins/sudoers/regress/cvtsudoers/test26.out.ok diff --git a/plugins/sudoers/regress/cvtsudoers/test26.sh b/plugins/sudoers/regress/cvtsudoers/test26.sh new file mode 100755 index 0000000..08c0246 --- /dev/null +++ b/plugins/sudoers/regress/cvtsudoers/test26.sh @@ -0,0 +1,49 @@ +#!/bin/sh +# +# Test LDIF invalid base64 attribute parsing +# + +: ${CVTSUDOERS=cvtsudoers} + +$CVTSUDOERS -c "" -i ldif -b "ou=SUDOers,dc=sudo,dc=ws" -I 10 -O 10 <<EOF +# defaults, SUDOers, sudo.ws +dn:: Y249ZGVmYXVsdHMsb3U9U1VET2VycyxkYz1zdWRvLGRjPXdz +objectClass: top +objectClass: sudoRole +cn: defaults +description: Default sudoOption's go here +sudoOption:: bG9nX29@1dHB1dA== + +# root, SUDOers, sudo.ws +dn:: Y249cm9vdCxvdT1TVURPZXJzLGRjPXN1ZG8sZGM9_d3M= +objectClass: top +objectClass: sudoRole +cn: root +sudoUser: root +sudoRunAsUser: ALL +sudoRunAsGroup: ALL +sudoHost: ALL +sudoCommand: ALL +sudoOption: !authenticate +sudoOrder: 10 + +# %wheel, SUDOers, sudo.ws +dn:: Y249JXdoZWVsLG91PVNVRE9lcnMsZGM9c3VkbyxkYz13cw!== +objectClass: top +objectClass: sudoRole +cn: %wheel +sudoUser: %wheel +sudoRunAsUser: ALL +sudoRunAsGroup: ALL +sudoHost: +sudo-hosts +sudoCommand: ALL +sudoOption: !authenticate +sudoOrder: 10 +EOF + +# cvtsudoers should exit with an error +if [ $? -eq 0 ]; then + exit 1 +else + exit 0 +fi diff --git a/plugins/sudoers/regress/cvtsudoers/test27.out.ok b/plugins/sudoers/regress/cvtsudoers/test27.out.ok new file mode 100644 index 0000000..ab9c948 --- /dev/null +++ b/plugins/sudoers/regress/cvtsudoers/test27.out.ok @@ -0,0 +1,16 @@ +dn:: Y249ZGVmYXVsdHMsb3U9U1VET2Vyc8KpLGRjPXN1ZG8sZGM9d3M= +objectClass: top +objectClass: sudoRole +cn: defaults +description: Default sudoOption's go here +sudoOption:: YmFkcGFzc19tZXNzYWdlPUJhZCBwYXNzd29yZMKh + +dn:: Y249cm9vdCxvdT1TVURPZXJzwqksZGM9c3VkbyxkYz13cw== +objectClass: top +objectClass: sudoRole +cn: root +sudoUser: root +sudoHost: ALL +sudoCommand: ALL +sudoOrder: 1 + diff --git a/plugins/sudoers/regress/cvtsudoers/test27.sh b/plugins/sudoers/regress/cvtsudoers/test27.sh new file mode 100755 index 0000000..c1a2df3 --- /dev/null +++ b/plugins/sudoers/regress/cvtsudoers/test27.sh @@ -0,0 +1,12 @@ +#!/bin/sh +# +# Test base64 encoding of non-safe strings +# + +: ${CVTSUDOERS=cvtsudoers} + +$CVTSUDOERS -c "" -b "ou=SUDOers©,dc=sudo,dc=ws" <<EOF +Defaults badpass_message="Bad password¡" + +root ALL = ALL +EOF diff --git a/plugins/sudoers/regress/cvtsudoers/test28.out.ok b/plugins/sudoers/regress/cvtsudoers/test28.out.ok new file mode 100644 index 0000000..ba19cb9 --- /dev/null +++ b/plugins/sudoers/regress/cvtsudoers/test28.out.ok @@ -0,0 +1,10 @@ +Defaults log_output + +# sudoRole millert +millert ALL = (ALL : ALL) ALL + +# sudoRole root +root ALL = (ALL : ALL) NOPASSWD: ALL + +# sudoRole %wheel +%wheel +sudo-hosts = (ALL : ALL) NOPASSWD: ALL diff --git a/plugins/sudoers/regress/cvtsudoers/test28.sh b/plugins/sudoers/regress/cvtsudoers/test28.sh new file mode 100755 index 0000000..e902355 --- /dev/null +++ b/plugins/sudoers/regress/cvtsudoers/test28.sh @@ -0,0 +1,74 @@ +#!/bin/sh +# +# Test LDAP sudoOrder when converting to sudoers. +# + +: ${CVTSUDOERS=cvtsudoers} + +$CVTSUDOERS -c "" -i ldif -b "ou=SUDOers,dc=sudo,dc=ws" -f sudoers <<EOF +dn: dc=sudo,dc=ws +objectClass: dcObject +objectClass: organization +dc: courtesan +o: Sudo World Headquarters +description: Sudo World Headquarters + +# Organizational Role for Directory Manager +dn: cn=Manager,dc=sudo,dc=ws +objectClass: organizationalRole +cn: Manager +description: Directory Manager + +# SUDOers, sudo.ws +dn: ou=SUDOers,dc=sudo,dc=ws +objectClass: top +objectClass: organizationalUnit +description: SUDO Configuration Subtree +ou: SUDOers + +# defaults, SUDOers, sudo.ws +dn: cn=defaults,ou=SUDOers,dc=sudo,dc=ws +objectClass: top +objectClass: sudoRole +cn: defaults +description: Default sudoOption's go here +sudoOption: log_output + +# root, SUDOers, sudo.ws +dn: cn=root,ou=SUDOers,dc=sudo,dc=ws +objectClass: top +objectClass: sudoRole +cn: root +sudoUser: root +sudoRunAsUser: ALL +sudoRunAsGroup: ALL +sudoHost: ALL +sudoCommand: ALL +sudoOption: !authenticate +sudoOrder: 10 + +# %wheel, SUDOers, sudo.ws +dn: cn=%wheel,ou=SUDOers,dc=sudo,dc=ws +objectClass: top +objectClass: sudoRole +cn: %wheel +sudoUser: %wheel +sudoRunAsUser: ALL +sudoRunAsGroup: ALL +sudoHost: +sudo-hosts +sudoCommand: ALL +sudoOption: !authenticate +sudoOrder: 20 + +# millert, SUDOers, sudo.ws +dn: cn=millert,ou=SUDOers,dc=sudo,dc=ws +objectClass: top +objectClass: sudoRole +cn: millert +sudoUser: millert +sudoRunAsUser: ALL +sudoRunAsGroup: ALL +sudoHost: ALL +sudoCommand: ALL +sudoOrder: 5 +EOF diff --git a/plugins/sudoers/regress/cvtsudoers/test29.out.ok b/plugins/sudoers/regress/cvtsudoers/test29.out.ok new file mode 100644 index 0000000..c168898 --- /dev/null +++ b/plugins/sudoers/regress/cvtsudoers/test29.out.ok @@ -0,0 +1,4 @@ +Defaults log_output + +# sudoRole millert, millert2 +millert ALL = (ALL : ALL) ALL, NOPASSWD: ALL diff --git a/plugins/sudoers/regress/cvtsudoers/test29.sh b/plugins/sudoers/regress/cvtsudoers/test29.sh new file mode 100755 index 0000000..2cb50f3 --- /dev/null +++ b/plugins/sudoers/regress/cvtsudoers/test29.sh @@ -0,0 +1,61 @@ +#!/bin/sh +# +# Test LDAP sudoOrder when converting to sudoers. +# + +: ${CVTSUDOERS=cvtsudoers} + +$CVTSUDOERS -c "" -i ldif -b "ou=SUDOers,dc=sudo,dc=ws" -f sudoers <<EOF +dn: dc=sudo,dc=ws +objectClass: dcObject +objectClass: organization +dc: courtesan +o: Sudo World Headquarters +description: Sudo World Headquarters + +# Organizational Role for Directory Manager +dn: cn=Manager,dc=sudo,dc=ws +objectClass: organizationalRole +cn: Manager +description: Directory Manager + +# SUDOers, sudo.ws +dn: ou=SUDOers,dc=sudo,dc=ws +objectClass: top +objectClass: organizationalUnit +description: SUDO Configuration Subtree +ou: SUDOers + +# defaults, SUDOers, sudo.ws +dn: cn=defaults,ou=SUDOers,dc=sudo,dc=ws +objectClass: top +objectClass: sudoRole +cn: defaults +description: Default sudoOption's go here +sudoOption: log_output + +# millert, SUDOers, sudo.ws +dn: cn=millert,ou=SUDOers,dc=sudo,dc=ws +objectClass: top +objectClass: sudoRole +cn: millert +sudoUser: millert +sudoRunAsUser: ALL +sudoRunAsGroup: ALL +sudoHost: ALL +sudoCommand: ALL +sudoOrder: 5 + +# millert2, SUDOers, sudo.ws +dn: cn=millert2,ou=SUDOers,dc=sudo,dc=ws +objectClass: top +objectClass: sudoRole +cn: millert2 +sudoUser: millert +sudoRunAsUser: ALL +sudoRunAsGroup: ALL +sudoHost: ALL +sudoCommand: ALL +sudoOption: !authenticate +sudoOrder: 10 +EOF diff --git a/plugins/sudoers/regress/cvtsudoers/test3.out.ok b/plugins/sudoers/regress/cvtsudoers/test3.out.ok new file mode 100644 index 0000000..8a37975 --- /dev/null +++ b/plugins/sudoers/regress/cvtsudoers/test3.out.ok @@ -0,0 +1,7 @@ +Defaults syslog=auth +Defaults>root !set_logname +Defaults!PAGERS noexec + +Cmnd_Alias PAGERS = /usr/bin/more, /usr/bin/pg, /usr/bin/less + +%wheel ALL = (ALL) ALL diff --git a/plugins/sudoers/regress/cvtsudoers/test3.sh b/plugins/sudoers/regress/cvtsudoers/test3.sh new file mode 100755 index 0000000..8e42cbc --- /dev/null +++ b/plugins/sudoers/regress/cvtsudoers/test3.sh @@ -0,0 +1,10 @@ +#!/bin/sh +# +# Test group and host filters +# + +: ${CVTSUDOERS=cvtsudoers} + +$CVTSUDOERS -c "" -f sudoers -m group=wheel,host=blackhole $TESTDIR/sudoers + +exit 0 diff --git a/plugins/sudoers/regress/cvtsudoers/test30.out.ok b/plugins/sudoers/regress/cvtsudoers/test30.out.ok new file mode 100644 index 0000000..009a54e --- /dev/null +++ b/plugins/sudoers/regress/cvtsudoers/test30.out.ok @@ -0,0 +1,26 @@ +{ + "User_Specs": [ + { + "User_List": [ + { "username": "user1" }, + { "username": "user2" }, + { "username": "user3" } + ], + "Host_List": [ + { "hostname": "ALL" } + ], + "Cmnd_Specs": [ + { + "Commands": [ + { "command": "/path/to/cmda" }, + { + "command": "/path/to/cmdb", + "negated": true + }, + { "command": "/path/to/cmdc" } + ] + } + ] + } + ] +} diff --git a/plugins/sudoers/regress/cvtsudoers/test30.sh b/plugins/sudoers/regress/cvtsudoers/test30.sh new file mode 100755 index 0000000..c5f7615 --- /dev/null +++ b/plugins/sudoers/regress/cvtsudoers/test30.sh @@ -0,0 +1,15 @@ +#!/bin/sh +# +# Test alias expansion when converting to JSON. +# See https://bugzilla.sudo.ws/show_bug.cgi?id=853 +# + +: ${CVTSUDOERS=cvtsudoers} + +$CVTSUDOERS -c "" -e -f json <<EOF +Cmnd_Alias CMDA=/path/to/cmda +Cmnd_Alias CMDB=/path/to/cmdb +Cmnd_Alias CMDC=/path/to/cmdc +User_Alias USERS=user1,user2,user3 +USERS ALL=CMDA,!CMDB,CMDC +EOF diff --git a/plugins/sudoers/regress/cvtsudoers/test31.conf b/plugins/sudoers/regress/cvtsudoers/test31.conf new file mode 100644 index 0000000..345dbfc --- /dev/null +++ b/plugins/sudoers/regress/cvtsudoers/test31.conf @@ -0,0 +1,9 @@ +defaults = all +expand_aliases = no +input_format = sudoers +order_increment = 5 +order_padding = 2 +order_start = 1000 +output_format = ldif +sudoers_base = ou=SUDOers,dc=my-domain,dc=com +suppress = defaults diff --git a/plugins/sudoers/regress/cvtsudoers/test31.out.ok b/plugins/sudoers/regress/cvtsudoers/test31.out.ok new file mode 100644 index 0000000..41ffd1b --- /dev/null +++ b/plugins/sudoers/regress/cvtsudoers/test31.out.ok @@ -0,0 +1,24 @@ +dn: cn=ALL,ou=SUDOers,dc=my-domain,dc=com +objectClass: top +objectClass: sudoRole +cn: ALL +sudoUser: ALL +sudoHost: ALL +sudoRunAsUser: +sudoOption: !authenticate +sudoCommand: /usr/bin/id +sudoOrder: 100000 + +dn: cn=FULLTIMERS,ou=SUDOers,dc=my-domain,dc=com +objectClass: top +objectClass: sudoRole +cn: FULLTIMERS +sudoUser: user1 +sudoUser: user2 +sudoUser: user3 +sudoHost: ALL +sudoRunAsUser: ALL +sudoRunAsGroup: ALL +sudoCommand: ALL +sudoOrder: 100005 + diff --git a/plugins/sudoers/regress/cvtsudoers/test31.sh b/plugins/sudoers/regress/cvtsudoers/test31.sh new file mode 100755 index 0000000..38dd93c --- /dev/null +++ b/plugins/sudoers/regress/cvtsudoers/test31.sh @@ -0,0 +1,14 @@ +#!/bin/sh +# +# Test cvtsudoers.conf with padding +# + +: ${CVTSUDOERS=cvtsudoers} + +$CVTSUDOERS -c $TESTDIR/test31.conf <<EOF +Defaults authenticate, timestamp_timeout=0 +User_Alias FULLTIMERS = user1, user2, user3 + +ALL ALL = (:) NOPASSWD:/usr/bin/id +FULLTIMERS ALL = (ALL:ALL) ALL +EOF diff --git a/plugins/sudoers/regress/cvtsudoers/test32.err.ok b/plugins/sudoers/regress/cvtsudoers/test32.err.ok new file mode 100644 index 0000000..c001436 --- /dev/null +++ b/plugins/sudoers/regress/cvtsudoers/test32.err.ok @@ -0,0 +1 @@ +cvtsudoers: too many sudoers entries, maximum 10 diff --git a/plugins/sudoers/regress/cvtsudoers/test32.out.ok b/plugins/sudoers/regress/cvtsudoers/test32.out.ok new file mode 100644 index 0000000..9900199 --- /dev/null +++ b/plugins/sudoers/regress/cvtsudoers/test32.out.ok @@ -0,0 +1,119 @@ +dn: cn=user0,ou=SUDOers,dc=my-domain,dc=com +objectClass: top +objectClass: sudoRole +cn: user0 +sudoUser: user0 +sudoHost: ALL +sudoRunAsUser: ALL +sudoRunAsGroup: ALL +sudoCommand: ALL +sudoOrder: 10000 + +dn: cn=user1,ou=SUDOers,dc=my-domain,dc=com +objectClass: top +objectClass: sudoRole +cn: user1 +sudoUser: user1 +sudoHost: ALL +sudoRunAsUser: ALL +sudoRunAsGroup: ALL +sudoCommand: ALL +sudoOrder: 10001 + +dn: cn=user2,ou=SUDOers,dc=my-domain,dc=com +objectClass: top +objectClass: sudoRole +cn: user2 +sudoUser: user2 +sudoHost: ALL +sudoRunAsUser: ALL +sudoRunAsGroup: ALL +sudoCommand: ALL +sudoOrder: 10002 + +dn: cn=user3,ou=SUDOers,dc=my-domain,dc=com +objectClass: top +objectClass: sudoRole +cn: user3 +sudoUser: user3 +sudoHost: ALL +sudoRunAsUser: ALL +sudoRunAsGroup: ALL +sudoCommand: ALL +sudoOrder: 10003 + +dn: cn=user4,ou=SUDOers,dc=my-domain,dc=com +objectClass: top +objectClass: sudoRole +cn: user4 +sudoUser: user4 +sudoHost: ALL +sudoRunAsUser: ALL +sudoRunAsGroup: ALL +sudoCommand: ALL +sudoOrder: 10004 + +dn: cn=user5,ou=SUDOers,dc=my-domain,dc=com +objectClass: top +objectClass: sudoRole +cn: user5 +sudoUser: user5 +sudoHost: ALL +sudoRunAsUser: ALL +sudoRunAsGroup: ALL +sudoCommand: ALL +sudoOrder: 10005 + +dn: cn=user6,ou=SUDOers,dc=my-domain,dc=com +objectClass: top +objectClass: sudoRole +cn: user6 +sudoUser: user6 +sudoHost: ALL +sudoRunAsUser: ALL +sudoRunAsGroup: ALL +sudoCommand: ALL +sudoOrder: 10006 + +dn: cn=user7,ou=SUDOers,dc=my-domain,dc=com +objectClass: top +objectClass: sudoRole +cn: user7 +sudoUser: user7 +sudoHost: ALL +sudoRunAsUser: ALL +sudoRunAsGroup: ALL +sudoCommand: ALL +sudoOrder: 10007 + +dn: cn=user8,ou=SUDOers,dc=my-domain,dc=com +objectClass: top +objectClass: sudoRole +cn: user8 +sudoUser: user8 +sudoHost: ALL +sudoRunAsUser: ALL +sudoRunAsGroup: ALL +sudoCommand: ALL +sudoOrder: 10008 + +dn: cn=user9,ou=SUDOers,dc=my-domain,dc=com +objectClass: top +objectClass: sudoRole +cn: user9 +sudoUser: user9 +sudoHost: ALL +sudoRunAsUser: ALL +sudoRunAsGroup: ALL +sudoCommand: ALL +sudoOrder: 10009 + +dn: cn=user10,ou=SUDOers,dc=my-domain,dc=com +objectClass: top +objectClass: sudoRole +cn: user10 +sudoUser: user10 +sudoHost: ALL +sudoRunAsUser: ALL +sudoRunAsGroup: ALL +sudoCommand: ALL diff --git a/plugins/sudoers/regress/cvtsudoers/test32.sh b/plugins/sudoers/regress/cvtsudoers/test32.sh new file mode 100755 index 0000000..2119da1 --- /dev/null +++ b/plugins/sudoers/regress/cvtsudoers/test32.sh @@ -0,0 +1,22 @@ +#!/bin/sh +# +# Test cvtsudoers.conf with invalid padding +# + +: ${CVTSUDOERS=cvtsudoers} + +$CVTSUDOERS -c "" -b "ou=SUDOers,dc=my-domain,dc=com" -O 1000 -P 1 <<EOF +user0 ALL = (ALL:ALL) ALL +user1 ALL = (ALL:ALL) ALL +user2 ALL = (ALL:ALL) ALL +user3 ALL = (ALL:ALL) ALL +user4 ALL = (ALL:ALL) ALL +user5 ALL = (ALL:ALL) ALL +user6 ALL = (ALL:ALL) ALL +user7 ALL = (ALL:ALL) ALL +user8 ALL = (ALL:ALL) ALL +user9 ALL = (ALL:ALL) ALL +user10 ALL = (ALL:ALL) ALL +EOF + +exit 0 diff --git a/plugins/sudoers/regress/cvtsudoers/test33.out.ok b/plugins/sudoers/regress/cvtsudoers/test33.out.ok new file mode 100644 index 0000000..6584701 --- /dev/null +++ b/plugins/sudoers/regress/cvtsudoers/test33.out.ok @@ -0,0 +1,7 @@ +Defaults log_output + +# sudoRole root +root ALL = (ALL : ALL) NOPASSWD: ALL + +# sudoRole millert +millert ALL = (ALL, !bin, !root : ALL, !wheel) ALL diff --git a/plugins/sudoers/regress/cvtsudoers/test33.sh b/plugins/sudoers/regress/cvtsudoers/test33.sh new file mode 100755 index 0000000..1fdd20d --- /dev/null +++ b/plugins/sudoers/regress/cvtsudoers/test33.sh @@ -0,0 +1,62 @@ +#!/bin/sh +# +# Test LDAP negated sudoRunAsUser and sudoRunAsGroup converted to sudoers. +# + +: ${CVTSUDOERS=cvtsudoers} + +$CVTSUDOERS -c "" -i ldif -b "ou=SUDOers,dc=sudo,dc=ws" -f sudoers <<EOF +dn: dc=sudo,dc=ws +objectClass: dcObject +objectClass: organization +dc: courtesan +o: Sudo World Headquarters +description: Sudo World Headquarters + +# Organizational Role for Directory Manager +dn: cn=Manager,dc=sudo,dc=ws +objectClass: organizationalRole +cn: Manager +description: Directory Manager + +# SUDOers, sudo.ws +dn: ou=SUDOers,dc=sudo,dc=ws +objectClass: top +objectClass: organizationalUnit +description: SUDO Configuration Subtree +ou: SUDOers + +# defaults, SUDOers, sudo.ws +dn: cn=defaults,ou=SUDOers,dc=sudo,dc=ws +objectClass: top +objectClass: sudoRole +cn: defaults +description: Default sudoOption's go here +sudoOption: log_output + +# root, SUDOers, sudo.ws +dn: cn=root,ou=SUDOers,dc=sudo,dc=ws +objectClass: top +objectClass: sudoRole +cn: root +sudoUser: root +sudoRunAsUser: ALL +sudoRunAsGroup: ALL +sudoHost: ALL +sudoCommand: ALL +sudoOption: !authenticate + +# millert, SUDOers, sudo.ws +dn: cn=millert,ou=SUDOers,dc=sudo,dc=ws +objectClass: top +objectClass: sudoRole +cn: millert +sudoUser: millert +sudoRunAsUser: !bin +sudoRunAsUser: !root +sudoRunAsUser: ALL +sudoRunAsGroup: ALL +sudoRunAsGroup: !wheel +sudoHost: ALL +sudoCommand: ALL +EOF diff --git a/plugins/sudoers/regress/cvtsudoers/test34.out.ok b/plugins/sudoers/regress/cvtsudoers/test34.out.ok new file mode 100644 index 0000000..6a3655e --- /dev/null +++ b/plugins/sudoers/regress/cvtsudoers/test34.out.ok @@ -0,0 +1,18 @@ +Defaults log_output +Defaults!/usr/bin/sudoreplay !log_output +Defaults!/usr/local/bin/sudoreplay !log_output +Defaults!REBOOT !log_output +Defaults\ + secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin + +User_Alias ADMINS = millert, dowdy, mikef +Cmnd_Alias PROCESSES = /usr/bin/nice, /bin/kill, /usr/bin/renice,\ + /usr/bin/pkill, /usr/bin/top +Cmnd_Alias REBOOT = /sbin/halt, /sbin/reboot, /sbin/poweroff +Host_Alias WEBSERVERS = www1, www2, www3 +Host_Alias WEBSERVERS_1 = www1, www2, www3, www5 +Host_Alias WEBSERVERS_2 = www1, www2, www3, www4 + +root ALL = (ALL) ALL + +ALL ALL = (ALL) /usr/bin/id diff --git a/plugins/sudoers/regress/cvtsudoers/test34.sh b/plugins/sudoers/regress/cvtsudoers/test34.sh new file mode 100755 index 0000000..d9f22e2 --- /dev/null +++ b/plugins/sudoers/regress/cvtsudoers/test34.sh @@ -0,0 +1,9 @@ +#!/bin/sh +# +# Test cvtsudoers merge +# * three files, two bound to a host, one global +# + +: ${CVTSUDOERS=cvtsudoers} + +$CVTSUDOERS -f sudoers -l /dev/null xerxes:${TESTDIR}/sudoers1 ${TESTDIR}/sudoers2 xyzzy:${TESTDIR}/sudoers3 diff --git a/plugins/sudoers/regress/cvtsudoers/test35.out.ok b/plugins/sudoers/regress/cvtsudoers/test35.out.ok new file mode 100644 index 0000000..47ef832 --- /dev/null +++ b/plugins/sudoers/regress/cvtsudoers/test35.out.ok @@ -0,0 +1,18 @@ +Defaults@xerxes, xyzzy log_output +Defaults!/usr/bin/sudoreplay !log_output +Defaults!/usr/local/bin/sudoreplay !log_output +Defaults!REBOOT !log_output +Defaults\ + secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin + +User_Alias ADMINS = millert, dowdy, mikef +Cmnd_Alias PROCESSES = /usr/bin/nice, /bin/kill, /usr/bin/renice,\ + /usr/bin/pkill, /usr/bin/top +Cmnd_Alias REBOOT = /sbin/halt, /sbin/reboot, /sbin/poweroff +Host_Alias WEBSERVERS = www1, www2, www3 +Host_Alias WEBSERVERS_1 = www1, www2, www3, www5 +Host_Alias WEBSERVERS_2 = www1, www2, www3, www4 + +root ALL = (ALL) ALL + +ALL ALL = (ALL) /usr/bin/id diff --git a/plugins/sudoers/regress/cvtsudoers/test35.sh b/plugins/sudoers/regress/cvtsudoers/test35.sh new file mode 100755 index 0000000..5c2cc1d --- /dev/null +++ b/plugins/sudoers/regress/cvtsudoers/test35.sh @@ -0,0 +1,9 @@ +#!/bin/sh +# +# Test cvtsudoers merge +# * three files, two bound to a host, one global +# + +: ${CVTSUDOERS=cvtsudoers} + +$CVTSUDOERS -f sudoers -l /dev/null xerxes:${TESTDIR}/sudoers1 xyzzy:${TESTDIR}/sudoers2 ${TESTDIR}/sudoers3 diff --git a/plugins/sudoers/regress/cvtsudoers/test36.out.ok b/plugins/sudoers/regress/cvtsudoers/test36.out.ok new file mode 100644 index 0000000..5c87fbc --- /dev/null +++ b/plugins/sudoers/regress/cvtsudoers/test36.out.ok @@ -0,0 +1,17 @@ +Defaults\ + secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin +Defaults log_output +Defaults!/usr/bin/sudoreplay !log_output +Defaults!/usr/local/bin/sudoreplay !log_output +Defaults!REBOOT !log_output + +User_Alias ADMINS = millert, dowdy, mikef +Cmnd_Alias PROCESSES = /usr/bin/nice, /bin/kill, /usr/bin/renice,\ + /usr/bin/pkill, /usr/bin/top +Cmnd_Alias REBOOT = /sbin/halt, /sbin/reboot, /sbin/poweroff +Host_Alias WEBSERVERS = www1, www2, www3 +Host_Alias WEBSERVERS_1 = www1, www2, www3, www4 + +root ALL = (ALL) ALL + +ALL ALL = (ALL) /usr/bin/id diff --git a/plugins/sudoers/regress/cvtsudoers/test36.sh b/plugins/sudoers/regress/cvtsudoers/test36.sh new file mode 100755 index 0000000..be02415 --- /dev/null +++ b/plugins/sudoers/regress/cvtsudoers/test36.sh @@ -0,0 +1,9 @@ +#!/bin/sh +# +# Test cvtsudoers merge +# * three files, each bound to a host +# + +: ${CVTSUDOERS=cvtsudoers} + +$CVTSUDOERS -f sudoers -l /dev/null xerxes:${TESTDIR}/sudoers1 xyzzy:${TESTDIR}/sudoers2 plugh:${TESTDIR}/sudoers2 diff --git a/plugins/sudoers/regress/cvtsudoers/test37.out.ok b/plugins/sudoers/regress/cvtsudoers/test37.out.ok new file mode 100644 index 0000000..5c87fbc --- /dev/null +++ b/plugins/sudoers/regress/cvtsudoers/test37.out.ok @@ -0,0 +1,17 @@ +Defaults\ + secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin +Defaults log_output +Defaults!/usr/bin/sudoreplay !log_output +Defaults!/usr/local/bin/sudoreplay !log_output +Defaults!REBOOT !log_output + +User_Alias ADMINS = millert, dowdy, mikef +Cmnd_Alias PROCESSES = /usr/bin/nice, /bin/kill, /usr/bin/renice,\ + /usr/bin/pkill, /usr/bin/top +Cmnd_Alias REBOOT = /sbin/halt, /sbin/reboot, /sbin/poweroff +Host_Alias WEBSERVERS = www1, www2, www3 +Host_Alias WEBSERVERS_1 = www1, www2, www3, www4 + +root ALL = (ALL) ALL + +ALL ALL = (ALL) /usr/bin/id diff --git a/plugins/sudoers/regress/cvtsudoers/test37.sh b/plugins/sudoers/regress/cvtsudoers/test37.sh new file mode 100755 index 0000000..0f38b90 --- /dev/null +++ b/plugins/sudoers/regress/cvtsudoers/test37.sh @@ -0,0 +1,10 @@ +#!/bin/sh +# +# Test cvtsudoers merge: +# * two files, each bound to a host +# * only difference is a conflicting WEBSERVERS definition +# + +: ${CVTSUDOERS=cvtsudoers} + +$CVTSUDOERS -f sudoers -l /dev/null xerxes:${TESTDIR}/sudoers1 xyzzy:${TESTDIR}/sudoers2 diff --git a/plugins/sudoers/regress/cvtsudoers/test38.out.ok b/plugins/sudoers/regress/cvtsudoers/test38.out.ok new file mode 100644 index 0000000..26ac014 --- /dev/null +++ b/plugins/sudoers/regress/cvtsudoers/test38.out.ok @@ -0,0 +1,14 @@ +Defaults@xerxes\ + secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin +Defaults@xyzzy\ + secure_path=/opt/sudo/bin\:/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin + +User_Alias ADMINS = millert, dowdy, mikef +Cmnd_Alias PROCESSES = /usr/bin/nice, /bin/kill, /usr/bin/renice,\ + /usr/bin/pkill, /usr/bin/top +Cmnd_Alias REBOOT = /sbin/halt, /sbin/reboot, /sbin/poweroff +Host_Alias WEBSERVERS_1 = www1, www2, www3, www5 + +root ALL = (ALL) ALL + +ALL ALL = (ALL) /usr/bin/id diff --git a/plugins/sudoers/regress/cvtsudoers/test38.sh b/plugins/sudoers/regress/cvtsudoers/test38.sh new file mode 100755 index 0000000..4273136 --- /dev/null +++ b/plugins/sudoers/regress/cvtsudoers/test38.sh @@ -0,0 +1,10 @@ +#!/bin/sh +# +# Test cvtsudoers merge: +# * two files, each bound to a host +# * only difference is a conflicting secure_path definition +# + +: ${CVTSUDOERS=cvtsudoers} + +$CVTSUDOERS -f sudoers -l /dev/null xerxes:${TESTDIR}/sudoers3 xyzzy:${TESTDIR}/sudoers4 diff --git a/plugins/sudoers/regress/cvtsudoers/test39.out.ok b/plugins/sudoers/regress/cvtsudoers/test39.out.ok new file mode 100644 index 0000000..e69de29 --- /dev/null +++ b/plugins/sudoers/regress/cvtsudoers/test39.out.ok diff --git a/plugins/sudoers/regress/cvtsudoers/test39.sh b/plugins/sudoers/regress/cvtsudoers/test39.sh new file mode 100755 index 0000000..8ece026 --- /dev/null +++ b/plugins/sudoers/regress/cvtsudoers/test39.sh @@ -0,0 +1,12 @@ +#!/bin/sh +# +# Test handling of a backslash at EOF with no trailing newline. +# +# If compiled with address sanitizer, cvtsudoers will crash without the +# fix in ceaf706ab74b from https://github.com/sudo-project/sudo/pull/196. +# + +: ${CVTSUDOERS=cvtsudoers} + +printf 'dn: cn= Manager\\' | \ + $CVTSUDOERS -c "" -b "ou=SUDOers,dc=sudo,dc=ws" -i ldif -f sudoers diff --git a/plugins/sudoers/regress/cvtsudoers/test4.out.ok b/plugins/sudoers/regress/cvtsudoers/test4.out.ok new file mode 100644 index 0000000..f8e7d2e --- /dev/null +++ b/plugins/sudoers/regress/cvtsudoers/test4.out.ok @@ -0,0 +1,5 @@ +Defaults syslog=auth +Defaults>root !set_logname +Defaults!/usr/bin/more, /usr/bin/pg, /usr/bin/less noexec + +%wheel ALL = (ALL) ALL diff --git a/plugins/sudoers/regress/cvtsudoers/test4.sh b/plugins/sudoers/regress/cvtsudoers/test4.sh new file mode 100755 index 0000000..860eff4 --- /dev/null +++ b/plugins/sudoers/regress/cvtsudoers/test4.sh @@ -0,0 +1,10 @@ +#!/bin/sh +# +# Test group and host filters, expanding aliases +# + +: ${CVTSUDOERS=cvtsudoers} + +$CVTSUDOERS -c "" -f sudoers -e -m group=wheel,host=blackhole $TESTDIR/sudoers + +exit 0 diff --git a/plugins/sudoers/regress/cvtsudoers/test40.out.ok b/plugins/sudoers/regress/cvtsudoers/test40.out.ok new file mode 100644 index 0000000..0fc19e4 --- /dev/null +++ b/plugins/sudoers/regress/cvtsudoers/test40.out.ok @@ -0,0 +1,10 @@ +dn: cn=user0,ou=SUDOers,dc=sudo,dc=ws +objectClass: top +objectClass: sudoRole +cn: user0 +sudoUser: user0 +sudoHost: A00 +sudoRunAsUser: 0 +sudoCommand: /bin/ls +sudoOrder: 1 + diff --git a/plugins/sudoers/regress/cvtsudoers/test40.sh b/plugins/sudoers/regress/cvtsudoers/test40.sh new file mode 100755 index 0000000..ff03c2c --- /dev/null +++ b/plugins/sudoers/regress/cvtsudoers/test40.sh @@ -0,0 +1,29 @@ +#!/bin/sh +# +# Test use-after-free in cvtsudoers when filtering by command. +# +# If compiled with address sanitizer, cvtsudoers will crash without the +# fix in 9da99e0e671e. +# + +: ${CVTSUDOERS=cvtsudoers} + +$CVTSUDOERS -c "" -i ldif -b "ou=SUDOers,dc=sudo,dc=ws" -m cmd='/bin/ls' -p <<EOF +objectClass:sudoRole +sudoUser:user0 +sudoHost:A00 +sudoCommand:/bin/ls +sudoRunAs:0 + +objectClass:sudoRole +sudoUser:user0 +sudoHost:A00 +sudoRunAsUser: +sudoCommand: + +objectClass:sudoRole +sudoUser:user0 +sudoHost:A00 +sudoRunAs: +sudoCommand: +EOF diff --git a/plugins/sudoers/regress/cvtsudoers/test5.out.ok b/plugins/sudoers/regress/cvtsudoers/test5.out.ok new file mode 100644 index 0000000..d209fdf --- /dev/null +++ b/plugins/sudoers/regress/cvtsudoers/test5.out.ok @@ -0,0 +1,6 @@ +Defaults syslog=auth +Defaults>root !set_logname +Defaults:FULLTIMERS !lecture +Defaults:millert !authenticate +Defaults@SERVERS log_year, logfile=/var/log/sudo.log +Defaults!PAGERS noexec diff --git a/plugins/sudoers/regress/cvtsudoers/test5.sh b/plugins/sudoers/regress/cvtsudoers/test5.sh new file mode 100755 index 0000000..dd7782d --- /dev/null +++ b/plugins/sudoers/regress/cvtsudoers/test5.sh @@ -0,0 +1,10 @@ +#!/bin/sh +# +# Test defaults type filtering +# + +: ${CVTSUDOERS=cvtsudoers} + +$CVTSUDOERS -c "" -f sudoers -s aliases,privileges -d all $TESTDIR/sudoers + +exit 0 diff --git a/plugins/sudoers/regress/cvtsudoers/test6.out.ok b/plugins/sudoers/regress/cvtsudoers/test6.out.ok new file mode 100644 index 0000000..5e65e61 --- /dev/null +++ b/plugins/sudoers/regress/cvtsudoers/test6.out.ok @@ -0,0 +1 @@ +Defaults syslog=auth diff --git a/plugins/sudoers/regress/cvtsudoers/test6.sh b/plugins/sudoers/regress/cvtsudoers/test6.sh new file mode 100755 index 0000000..a6c7ec4 --- /dev/null +++ b/plugins/sudoers/regress/cvtsudoers/test6.sh @@ -0,0 +1,10 @@ +#!/bin/sh +# +# Test global defaults filtering +# + +: ${CVTSUDOERS=cvtsudoers} + +$CVTSUDOERS -c "" -f sudoers -s aliases,privileges -d global $TESTDIR/sudoers + +exit 0 diff --git a/plugins/sudoers/regress/cvtsudoers/test7.out.ok b/plugins/sudoers/regress/cvtsudoers/test7.out.ok new file mode 100644 index 0000000..381de43 --- /dev/null +++ b/plugins/sudoers/regress/cvtsudoers/test7.out.ok @@ -0,0 +1,2 @@ +Defaults:FULLTIMERS !lecture +Defaults:millert !authenticate diff --git a/plugins/sudoers/regress/cvtsudoers/test7.sh b/plugins/sudoers/regress/cvtsudoers/test7.sh new file mode 100755 index 0000000..2f1a301 --- /dev/null +++ b/plugins/sudoers/regress/cvtsudoers/test7.sh @@ -0,0 +1,10 @@ +#!/bin/sh +# +# Test user defaults filtering +# + +: ${CVTSUDOERS=cvtsudoers} + +$CVTSUDOERS -c "" -f sudoers -s aliases,privileges -d user $TESTDIR/sudoers + +exit 0 diff --git a/plugins/sudoers/regress/cvtsudoers/test8.out.ok b/plugins/sudoers/regress/cvtsudoers/test8.out.ok new file mode 100644 index 0000000..7079ee0 --- /dev/null +++ b/plugins/sudoers/regress/cvtsudoers/test8.out.ok @@ -0,0 +1 @@ +Defaults>root !set_logname diff --git a/plugins/sudoers/regress/cvtsudoers/test8.sh b/plugins/sudoers/regress/cvtsudoers/test8.sh new file mode 100755 index 0000000..d00f90e --- /dev/null +++ b/plugins/sudoers/regress/cvtsudoers/test8.sh @@ -0,0 +1,10 @@ +#!/bin/sh +# +# Test runas defaults filtering +# + +: ${CVTSUDOERS=cvtsudoers} + +$CVTSUDOERS -c "" -f sudoers -s aliases,privileges -d runas $TESTDIR/sudoers + +exit 0 diff --git a/plugins/sudoers/regress/cvtsudoers/test9.out.ok b/plugins/sudoers/regress/cvtsudoers/test9.out.ok new file mode 100644 index 0000000..d2a39c4 --- /dev/null +++ b/plugins/sudoers/regress/cvtsudoers/test9.out.ok @@ -0,0 +1 @@ +Defaults@SERVERS log_year, logfile=/var/log/sudo.log diff --git a/plugins/sudoers/regress/cvtsudoers/test9.sh b/plugins/sudoers/regress/cvtsudoers/test9.sh new file mode 100755 index 0000000..b668e1f --- /dev/null +++ b/plugins/sudoers/regress/cvtsudoers/test9.sh @@ -0,0 +1,10 @@ +#!/bin/sh +# +# Test host defaults filtering +# + +: ${CVTSUDOERS=cvtsudoers} + +$CVTSUDOERS -c "" -f sudoers -s aliases,privileges -d host $TESTDIR/sudoers + +exit 0 |