Man1 - cvtsudoers.1

Home DTOS Other Projects Knowledge Base Linux Manpages Community Contribute

can be used to convert between

security policy file formats. The default input format is sudoers. The default output format is LDIF. It is only possible to convert a

file that is syntactically correct.

If no

is specified, or if it is

the policy is read from the standard input. By default, the result is written to the standard output.

The options are as follows:

The base DN (distinguished name) that will be used when performing LDAP queries. Typically this is of the form

for the domain

If this option is not specified, the value of the

environment variable will be used instead. Only necessary when converting to LDIF format.

Specify the path to the configuration file. Defaults to

Only convert

entries of the specified types. One or more

types may be specified, separated by a comma

The supported types are:

All Defaults entries.

Global Defaults entries that are applied regardless of user, runas, host or command.

Per-user Defaults entries.

Per-runas user Defaults entries.

Per-host Defaults entries.

Per-command Defaults entries.

See the

section in

for more information.

If the

option is not specified, all

entries will be converted.

Expand aliases in

Aliases are preserved by default when the output

is JSON or sudoers.

Specify the output format (case-insensitive). The following formats are supported:

JSON (JavaScript Object Notation) files are usually easier for third-party applications to consume than the traditional

format. The various values have explicit types which removes much of the ambiguity of the

format.

LDIF (LDAP Data Interchange Format) files can be imported into an LDAP server for use with

Conversion to LDIF has the following limitations:

Command, host, runas and user-specific Defaults lines cannot be translated as they don’t have an equivalent in the sudoers LDAP schema.

Command, host, runas and user aliases are not supported by the sudoers LDAP schema so they are expanded during the conversion.

Traditional sudoers format. A new sudoers file will be reconstructed from the parsed input file. Comments are not preserved and data from any include files will be output inline.

Display a short help message to the standard output and exit.

Specify the input format. The following formats are supported:

LDIF (LDAP Data Interchange Format) files can be exported from an LDAP server to convert security policies used by

If a base DN (distinguished name) is specified, only sudoRole objects that match the base DN will be processed. Not all sudoOptions specified in a sudoRole can be translated from LDIF to sudoers format.

Traditional sudoers format. This is the default input format.

When generating LDIF output, increment each sudoOrder attribute by the specified number. Defaults to an increment of 1.

Only output rules that match the specified

A

expression is made up of one or more

pairs, separated by a comma

The

may be

or

For example,

or

An upper-case User_Alias or Host_Alias may be specified as the

or

A matching

rule may also include users, groups and hosts that are not part of the

This can happen when a rule includes multiple users, groups or hosts. To prune out any non-matching user, group or host from the rules, the

option may be used.

By default, the password and group databases are not consulted when matching against the filter so the users and groups do not need to be present on the local system (see the

option). Only aliases that are referenced by the filtered policy rules will be displayed.

When the

option is also specified, use password and group database information when matching users and groups in the filter. Only users and groups in the filter that exist on the local system will match, and a user’s groups will automatically be added to the filter. If the

is

specified, users and groups in the filter do not need to exist on the local system, but all groups used for matching must be explicitly listed in the filter.

Write the converted output to

If no

is specified, or if it is

the converted

policy will be written to the standard output.

When generating LDIF output, use the number specified by

in the sudoOrder attribute of the first sudoRole object. Subsequent sudoRole object use a sudoOrder value generated by adding an

see the

option for details. Defaults to a starting point of 1. A starting point of 0 will disable the generation of sudoOrder attributes in the resulting LDIF file.

When the

option is also specified,

will prune out non-matching users, groups and hosts from matching entries.

When generating LDIF output, construct the initial sudoOrder value by concatenating

and

padding the

with zeros until it consists of

digits. For example, if

is 1027,

is 3, and

is 1, the value of sudoOrder for the first entry will be 1027000, followed by 1027001, 1027002, etc. If the number of sudoRole entries is larger than the padding would allow,

will exit with an error. By default, no padding is performed.

Suppress the output of specific

of the security policy. One or more section names may be specified, separated by a comma

The supported section name are:

and

(which may be shortened to

Print the

and

grammar versions and exit.

Options in the form

may also be specified in a configuration file,

by default. The following keywords are recognized:

See the description of the

command line option.

See the description of the

command line option.

See the description of the

command line option.

See the description of the

command line option.

See the description of the

command line option.

See the description of the

command line option.

See the description of the

command line option.

See the description of the

command line option.

See the description of the

command line option.

See the description of the

command line option.

See the description of the

command line option.

Options on the command line will override values from the configuration file.

default configuration for cvtsudoers

Convert

to LDIF (LDAP Data Interchange Format) where the

file uses a

of my-domain,dc=com, storing the result in

$ cvtsudoers -b ou=SUDOers,dc=my-domain,dc=com -o sudoers.ldif \ /etc/sudoers

Convert

to JSON format, storing the result in

$ cvtsudoers -f json -o sudoers.json /etc/sudoers

Parse

and display only rules that match user

on host

$ cvtsudoers -f sudoers -m user=ambrose,host=hastur /etc/sudoers

Same as above, but expand aliases and prune out any non-matching users and hosts from the expanded entries.

$ cvtsudoers -ep -f sudoers -m user=ambrose,host=hastur /etc/sudoers

Convert

from LDIF to traditional

format:

$ cvtsudoers -i ldif -f sudoers -o sudoers.new sudoers.ldif

Many people have worked on

over the years; this version consists of code written primarily by:

See the CONTRIBUTORS file in the

distribution (https://www.sudo.ws/contributors.html) for an exhaustive list of people who have contributed to

If you feel you have found a bug in

please submit a bug report at https://bugzilla.sudo.ws/

Limited free support is available via the sudo-users mailing list, see https://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or search the archives.

is provided

and any express or implied warranties, including, but not limited to, the implied warranties of merchantability and fitness for a particular purpose are disclaimed. See the LICENSE file distributed with

or https://www.sudo.ws/license.html for complete details.

Author: dt

Created: 2022-02-22 Tue 15:58