sudo/docs/cvtsudoers.mdoc.in

.\"
.\" SPDX-License-Identifier: ISC
.\"
.\" Copyright (c) 2018, 2021-2023 Todd C. Miller <Todd.Miller@sudo.ws>
.\"
.\" Permission to use, copy, modify, and distribute this software for any
.\" purpose with or without fee is hereby granted, provided that the above
.\" copyright notice and this permission notice appear in all copies.
.\"
.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
.\"
.Dd April 26, 2024
.Dt CVTSUDOERS 1
.Os Sudo @PACKAGE_VERSION@
.Sh NAME
.Nm cvtsudoers
.Nd convert between sudoers file formats
.Sh SYNOPSIS
.Nm cvtsudoers
.Op Fl ehMpV
.Op Fl b Ar dn
.Op Fl c Ar conf_file
.Op Fl d Ar deftypes
.Op Fl f Ar output_format
.Op Fl i Ar input_format
.Op Fl I Ar increment
.Op Fl l Ar log_file
.Op Fl m Ar filter
.Op Fl o Ar output_file
.Op Fl O Ar start_point
.Op Fl P Ar padding
.Op Fl s Ar sections
.Op Ar input_file ...
.Sh DESCRIPTION
The
.Nm
utility accepts one or more security policies in either
.Em sudoers
or LDIF format as input, and generates a single
policy of the specified format as output.
The default input format is
.Em sudoers.
The default output format is LDIF.
It is only possible to convert a policy file that is syntactically correct.
.Pp
If no
.Ar input_file
is specified, or if it is
.Ql - ,
the policy is read from the standard input.
Input files may be optionally prefixed with a host name followed by a colon
.Pq Ql :\&
to make the policy rules specific to a host when merging multiple files.
By default, the result is written to the standard output.
.Pp
The options are as follows:
.Bl -tag -width Ds
.It Fl b Ar dn , Fl -base Ns = Ns Ar dn
The base DN (distinguished name) that will be used when performing
LDAP queries.
Typically this is of the form
.Dq ou=SUDOers,dc=my-domain,dc=com
for the domain my-domain.com.
If this option is not specified, the value of the
.Ev SUDOERS_BASE
environment variable will be used instead.
Only necessary when converting to LDIF format.
.It Fl c Ar conf_file , Fl -config Ns = Ns Ar conf_file
Specify the path to the configuration file.
Defaults to
.Pa @sysconfdir@/cvtsudoers.conf .
.It Fl d Ar deftypes , Fl -defaults Ns = Ns Ar deftypes
Only convert
.Em Defaults
entries of the specified types.
One or more
.Em Defaults
types may be specified, separated by a comma
.Pq Ql \&, .
The supported types are:
.Bl -tag -width "command"
.It all
All Defaults entries.
.It global
Global Defaults entries that are applied regardless of
user, runas, host, or command.
.It user
Per-user Defaults entries.
.It runas
Per-runas user Defaults entries.
.It host
Per-host Defaults entries.
.It command
Per-command Defaults entries.
.El
.Pp
See the
.Sy Defaults
section in
.Xr sudoers @mansectform@
for more information.
.Pp
If the
.Fl d
option is not specified, all
.Em Defaults
entries will be converted.
.It Fl e , Fl -expand-aliases
Expand aliases in
.Ar input_file .
Aliases are preserved by default when the output
.Ar format
is JSON or sudoers.
.It Fl f Ar output_format , Fl -output-format Ns = Ns Ar output_format
Specify the output format (case-insensitive).
The following formats are supported:
.Bl -tag -width "sudoers"
.It CSV
CSV (comma-separated value) files are often used by spreadsheets
and report generators.
See
.Sx CSV output format
for more details.
.It JSON
JSON (JavaScript Object Notation) files are usually easier for
third-party applications to consume than the traditional
.Em sudoers
format.
The various values have explicit types which removes much of the
ambiguity of the
.Em sudoers
format.
See
.Sx JSON output format
for more details.
.It LDIF
LDIF (LDAP Data Interchange Format) files can be imported into an LDAP
server for use with
.Xr sudoers.ldap @mansectform@ .
.Pp
Conversion to LDIF has the following limitations:
.Bl -bullet -width 1n
.It
Command, host, runas, and user-specific Defaults lines cannot be
translated as they don't have an equivalent in the sudoers LDAP schema.
.It
Command, host, runas, and user aliases are not supported by the
sudoers LDAP schema so they are expanded during the conversion.
.El
.It sudoers
Traditional sudoers format.
A new sudoers file will be reconstructed from the parsed input file.
Comments are not preserved and data from any include files will be
output inline.
.El
.It Fl -group-file Ns = Ns Ar file
When the
.Fl M
option is also specified, perform group queries using
.Ar file
instead of the system group database.
.It Fl h , Fl -help
Display a short help message to the standard output and exit.
.It Fl i Ar input_format , Fl -input-format Ns = Ns Ar input_format
Specify the input format.
The following formats are supported:
.Bl -tag -width "sudoers"
.It LDIF
LDIF (LDAP Data Interchange Format) files can be exported from an LDAP
server to convert security policies used by
.Xr sudoers.ldap @mansectform@ .
If a base DN (distinguished name) is specified, only sudoRole objects
that match the base DN will be processed.
Not all sudoOptions specified in a sudoRole can be translated from
LDIF to sudoers format.
.It sudoers
Traditional sudoers format.
This is the default input format.
.El
.It Fl I Ar increment , Fl -increment Ns = Ns Ar increment
When generating LDIF output, increment each sudoOrder attribute by
the specified number.
Defaults to an increment of 1.
.It Fl l Ar log_file , Fl -logfile Ns = Ns Ar log_file
Log conversion warnings to
.Ar log_file
instead of to the standard error.
This is particularly useful when merging multiple
.Em sudoers
files, which can generate a large number of warnings.
.It Fl m Ar filter , Fl -match Ns = Ns Ar filter
Only output rules that match the specified
.Ar filter .
A
.Ar filter
expression is made up of one or more
.Sy key = Ar value
pairs, separated by a comma
.Pq Ql \&, .
The
.Sy key
may be
.Dq cmnd
.Pq or Dq cmd ,
.Dq host ,
.Dq group ,
or
.Dq user .
For example,
.Sy user No = Ar operator
or
.Sy host No = Ar www .
An upper-case
.Em Cmnd_Alias ,
.Em Host_alias ,
or
.Em User_Alias
may be specified as the
.Dq cmnd ,
.Dq host ,
or
.Dq user .
.Pp
A matching
.Em sudoers
rule may also include users, groups, and hosts that are not part of the
.Ar filter .
This can happen when a rule includes multiple users, groups, or hosts.
To prune out any non-matching user, group, or host from the rules, the
.Fl p
option may be used.
.Pp
By default, the password and group databases are not consulted when matching
against the filter so the users and groups do not need to be present
on the local system (see the
.Fl M
option).
Only aliases that are referenced by the filtered policy rules will
be displayed.
.It Fl M , Fl -match-local
When the
.Fl m
option is also specified, use password and group database information
when matching users and groups in the filter.
Only users and groups in the filter that exist on the local system will match,
and a user's groups will automatically be added to the filter.
If the
.Fl M
is
.Em not
specified, users and groups in the filter do not need to exist on the
local system, but all groups used for matching must be explicitly listed
in the filter.
.It Fl o Ar output_file , Fl -output Ns = Ns Ar output_file
Write the converted output to
.Ar output_file .
If no
.Ar output_file
is specified, or if it is
.Ql - ,
the converted
.Em sudoers
policy will be written to the standard output.
.It Fl O Ar start_point , Fl -order-start Ns = Ns Ar start_point
When generating LDIF output, use the number specified by
.Ar start_point
in the sudoOrder attribute of the first sudoRole object.
Subsequent sudoRole object use a sudoOrder value generated by adding an
.Ar increment ,
see the
.Fl I
option for details.
Defaults to a starting point of 1.
A starting point of 0 will disable the generation of sudoOrder
attributes in the resulting LDIF file.
.It Fl -passwd-file Ns = Ns Ar file
When the
.Fl M
option is also specified, perform passwd queries using
.Ar file
instead of the system passwd database.
.It Fl p , Fl -prune-matches
When the
.Fl m
option is also specified,
.Nm
will prune out non-matching users, groups, and hosts from
matching entries.
.It Fl P Ar padding , Fl -padding Ns = Ns Ar padding
When generating LDIF output, construct the initial sudoOrder value by
concatenating
.Ar order_start
and
.Ar increment ,
padding the
.Ar increment
with zeros until it consists of
.Ar padding
digits.
For example, if
.Ar order_start
is 1027,
.Ar padding
is 3, and
.Ar increment
is 1, the value of sudoOrder for the first entry will be 1027000,
followed by 1027001, 1027002, etc.
If the number of sudoRole entries is larger than the padding would allow,
.Nm
will exit with an error.
By default, no padding is performed.
.It Fl s Ar sections , Fl -suppress Ns = Ns Ar sections
Suppress the output of specific
.Ar sections
of the security policy.
One or more section names may be specified, separated by a comma
.Pq Ql \&, .
The supported section name are:
.Sy defaults ,
.Sy aliases
and
.Sy privileges
(which may be shortened to
.Sy privs ) .
.It Fl V , -version
Print the
.Nm
and
.Em sudoers
grammar versions and exit.
.El
.Ss Merging multiple files
When multiple input files are specified,
.Nm
will attempt to merge them into a single policy file.
It is assumed that user and group names are consistent among
the policy files to be merged.
For example, user
.Dq bob
on one host is the same as user
.Dq bob
on another host.
.Pp
When merging policy files, it is possible to prefix the input file name
with a host name, separated by a colon
.Pq Ql :\& .
When the files are merged, the host name will be used to restrict
the policy rules to that specific host where possible.
.Pp
The merging process is performed as follows:
.Bl -bullet -width 1n
.It
Each input file is parsed into internal sudoers data structures.
.It
Aliases are merged and renamed as necessary to avoid conflicts.
In the event of a conflict, the first alias found is left as-is and
subsequent aliases of the same name are renamed with a numeric suffix
separated with a underscore
.Pq Ql _ .
For example, if there are two different aliases named
.Dv SERVERS ,
the first will be left as-is and the second will be renamed
.Dv SERVERS_1 .
References to the renamed alias are also updated in the policy file.
Duplicate aliases (those with identical contents) are pruned.
.It
Defaults settings are merged and duplicates are removed.
If there are conflicts in the Defaults settings, a warning is emitted for
each conflict.
If a host name is specified with the input file,
.Nm
will change the global Defaults settings in that file to be host-specific.
A warning is emitted for command, user, or runas-specific Defaults settings
which cannot be made host-specific.
.It
Per-user rules are merged and duplicates are removed.
If a host name is specified with the input file,
.Nm
will change rules that specify a host name of
.Sy ALL
to the host name associated with the policy file being merged.
The merging of rules is currently fairly simplistic but will be
improved in a later release.
.El
.Pp
It is possible to merge policy files with differing formats.
.Ss The cvtsudoers.conf file
Options in the form
.Dq keyword = value
may also be specified in a configuration file,
.Pa @sysconfdir@/cvtsudoers.conf
by default.
The following keywords are recognized:
.Bl -tag -width 4n
.It Sy defaults = Ar deftypes
See the description of the
.Fl d
command line option.
.It Sy expand_aliases = Ar yes | no
See the description of the
.Fl e
command line option.
.It Sy group_file = Ar file
See the description of the
.Fl -group-file
command line option.
.It Sy input_format = Ar ldif | sudoers
See the description of the
.Fl i
command line option.
.It Sy match = Ar filter
See the description of the
.Fl m
command line option.
.It Sy match_local = Ar yes | no
See the description of the
.Fl M
command line option.
.It Sy order_increment = Ar increment
See the description of the
.Fl I
command line option.
.It Sy order_start = Ar start_point
See the description of the
.Fl O
command line option.
.It Sy output_format = Ar csv | json | ldif | sudoers
See the description of the
.Fl f
command line option.
.It Sy padding = Ar padding
See the description of the
.Fl P
command line option.
.It Sy passwd_file = Ar file
See the description of the
.Fl -passwd-file
command line option.
.It Sy prune_matches = Ar yes | no
See the description of the
.Fl p
command line option.
.It Sy sudoers_base = Ar dn
See the description of the
.Fl b
command line option.
.It Sy suppress = Ar sections
See the description of the
.Fl s
command line option.
.El
.Pp
Options on the command line will override values from the
configuration file.
.Ss JSON output format
The
.Em sudoers
JSON format may contain any of the following top-level objects:
.Bl -tag -width 4n
.It Defaults
An array of objects, each containing an
.Em Options
array and an optional
.Em Binding
array.
.Pp
The
.Em Options
array consists of one or more objects, each containing a
.Dq name:value
pair that corresponds to a
.Em sudoers
.Em Defaults
setting.
.Em Options
that operate on a list will also include an
.Em operation
entry in the object, with a value of
.Dq list_assign
for
.Ql = ,
.Dq list_add
for
.Ql += ,
or
.Dq list_remove
for
.Ql -= .
.Pp
The optional
.Em Binding
array consists of one or more objects, each containing a
.Dq name:value
pair and an optional
.Em negated
entry, which will negate any comparison performed with the object.
If a
.Em Binding
is present, the setting will only take effect if one of the specified
.Em command ,
.Em hostname ,
.Em netgroup ,
.Em networkaddr ,
.Em nonunixgid ,
.Em nonunixgroup ,
.Em usergid ,
.Em usergroup ,
.Em userid ,
.Em username ,
or alias entries match.
.Pp
For example, the following
.Em sudoers
entry:
.Bd -literal
Defaults@somehost set_home, env_keep += DISPLAY
.Ed
.Pp
converts to:
.Bd -literal
"Defaults": [
    {
        "Binding": [
            { "hostname": "somehost" }
        ],
        "Options": [
            { "set_home": true },
            {
                "operation": "list_add",
                "env_keep": [
                    "DISPLAY"
                ]
            }
        ]
    }
]
.Ed
.It User_Aliases
A JSON object containing one or more
.Em sudoers
.Em User_Alias
entries where each named alias has as its value an array
containing one or more objects.
Each object contains a
.Dq name:value
pair and an optional
.Em negated
entry, which will negate any comparison performed with the object.
The name may be one of
.Em netgroup ,
.Em nonunixgid ,
.Em nonunixgroup ,
.Em useralias ,
.Em usergid ,
.Em usergroup ,
.Em userid ,
or
.Em username .
.Pp
For example, the following
.Em sudoers
entry:
.Bd -literal
User_Alias SYSADMIN = will, %wheel, +admin
.Ed
.Pp
converts to:
.Bd -literal
"User_Aliases": {
    "SYSADMIN": [
        { "username": "will" },
        { "usergroup": "wheel" },
        { "netgroup": "admin" }
    ]
}
.Ed
.It Runas_Aliases
A JSON object containing one or more
.Em sudoers
.Em Runas_Alias
entries, where each named alias has as its value an array
containing one or more objects.
Each object contains a
.Dq name:value
pair and an optional
.Em negated
entry, which will negate any comparison performed with the object.
The name may be one of
.Em netgroup ,
.Em nonunixgid ,
.Em nonunixgroup ,
.Em runasalias ,
.Em usergid ,
.Em usergroup ,
.Em userid ,
or
.Em username .
.Pp
For example, the following
.Em sudoers
entry:
.Bd -literal
Runas_Alias DB = oracle, sybase : OP = root, operator
.Ed
.Pp
converts to:
.Bd -literal
"Runas_Aliases": {
    "DB": [
        { "username": "oracle" },
        { "username": "sybase" }
    ],
    "OP": [
        { "username": "root" },
        { "username": "operator" }
    ]
}
.Ed
.It Host_Aliases
A JSON object containing one or more
.Em sudoers
.Em Host_Alias
entries where each named alias has as its value an array
containing one or more objects.
Each object contains a
.Dq name:value
pair and an optional
.Em negated
entry, which will negate any comparison performed with the object.
The name may be one of
.Em hostalias ,
.Em hostname ,
.Em netgroup ,
or
.Em networkaddr .
.Pp
For example, the following
.Em sudoers
entries:
.Bd -literal
Host_Alias DORMNET = 128.138.243.0, 128.138.204.0/24
Host_Alias SERVERS = boulder, refuge
.Ed
.Pp
convert to:
.Bd -literal
"Host_Aliases": {
    "DORMNET": [
        { "networkaddr": "128.138.243.0" },
        { "networkaddr": "128.138.204.0/24" }
    ],
    "SERVERS": [
        { "hostname": "boulder" },
        { "hostname": "refuge" }
    ]
}
.Ed
.It Cmnd_Aliases
A JSON object containing one or more
.Em sudoers
.Em Cmnd_Alias
entries where each named alias has as its value an array
containing one or more objects.
Each object contains a
.Dq name:value
pair and an optional
.Em negated
entry, which will negate any comparison performed with the object.
The name may be either another
.Em cmndalias
or a
.Em command .
For example, the following
.Em sudoers
entries:
.Bd -literal
Cmnd_Alias SHELLS = /bin/bash, /bin/csh, /bin/sh, /bin/zsh
Cmnd_Alias VIPW = /usr/bin/chpass, /usr/bin/chfn, /usr/bin/chsh, \e
                  /usr/bin/passwd, /usr/sbin/vigr, /usr/sbin/vipw
.Ed
.Pp
convert to:
.Bd -literal
"Cmnd_Aliases": {
    "SHELLS": [
        { "command": "/bin/bash" },
        { "command": "/bin/csh" },
        { "command": "/bin/sh" },
        { "command": "/bin/zsh" }
    ],
    "VIPW": [
        { "command": "/usr/bin/chpass" },
        { "command": "/usr/bin/chfn" },
        { "command": "/usr/bin/chsh" },
        { "command": "/usr/bin/passwd" },
        { "command": "/usr/sbin/vigr" },
        { "command": "/usr/sbin/vipw" }
    ]
}
.Ed
.It User_Specs
A JSON array containing one or more objects, each representing a
.Em sudoers
User_Spec.
Each object in the
.Em User_Specs
array should contain a
.Em User_List
array, a
.Em Host_List
array and a
.Em Cmnd_Specs
array.
.Pp
A
.Em User_List
consists of one or more objects.
Each object contains a
.Dq name:value
pair and an optional
.Em negated
entry, which will negate any comparison performed with the object.
The name may be one of
.Em netgroup ,
.Em nonunixgid ,
.Em nonunixgroup ,
.Em useralias ,
.Em usergid ,
.Em usergroup ,
.Em userid ,
or
.Em username .
If
.Em username
is set to the special value
.Sy ALL ,
it will match any user.
.Pp
A
.Em Host_List
consists of one or more objects.
Each object contains a
.Dq name:value
pair and an optional
.Em negated
entry, which will negate any comparison performed with the object.
The name may be one of
.Em hostalias ,
.Em hostname ,
.Em netgroup ,
or
.Em networkaddr .
If
.Em hostname
is set to the special value
.Sy ALL ,
it will match any host.
.Pp
The
.Em Cmnd_Specs
array consists of one or more JSON objects describing a command that
may be run.
Each
.Em Cmnd_Specs
is made up of a
.Em Commands
array, an optional
.Em runasusers
array, an optional
.Em runasgroups
array, and an optional
.Em Options array.
.Pp
The
.Em Commands
array consists of one or more objects containing
.Dq name:value
pair elements.
The following names and values are supported:
.Bl -tag -width "command"
.It command
A string containing the command to run.
The special value
.Sy ALL
it will match any command.
.It negated
A boolean value that, if true, will negate any comparison performed
with the object.
.It sha224
One or more SHA224 digests for the
.Em command
in string form.
Multiple digests of the same type are stored as an array.
.It sha256
One or more SHA256 digests for the
.Em command
in string form.
Multiple digests of the same type are stored as an array.
.It sha384
One or more SHA384 digests for the
.Em command
in string form.
Multiple digests of the same type are stored as an array.
.It sha512
One or more SHA512 digests for the
.Em command
in string form.
Multiple digests of the same type are stored as an array.
.El
.Pp
The
.Em runasusers
array consists of objects describing users the command may be run as.
Each object contains a
.Dq name:value
pair and an optional
.Em negated
entry, which will negate any comparison performed with the object.
The name may be one of
.Em netgroup ,
.Em nonunixgid ,
.Em nonunixgroup ,
.Em runasalias ,
.Em usergid ,
.Em usergroup ,
.Em userid ,
or
.Em username .
If
.Em username
is set to the special value
.Sy ALL ,
it will match any user.
If
.Em username
is set to the empty string
.Dq "" ,
it will match the invoking user.
.Pp
The
.Em runasgroups
array consists of objects describing groups the command may be run as.
Each object contains a
.Dq name:value
pair and an optional
.Em negated
entry, which will negate any comparison performed with the object.
The name may be one of
.Em runasalias ,
.Em usergid ,
or
.Em usergroup .
If
.Em usergroup
is set to the special value
.Sy ALL ,
it will match any group.
.Pp
The
.Em Options
array is of the same format as the one in the
.Em Defaults
object.
Any
.Em Tag_Spec
entries in
.Em sudoers
are converted to
.Em Options .
A user with
.Dq sudo ALL
privileges will automatically have the
.Em setenv
option enabled to match the implicit behavior provided by
.Em sudoers .
.Pp
For example, the following
.Em sudoers
entry:
.Bd -literal
millert ALL = (ALL : ALL) NOPASSWD: ALL, !/usr/bin/id
.Ed
.Pp
converts to:
.Bd -literal
"User_Specs": [
    {
        "User_List": [
            { "username": "millert" }
        ],
        "Host_List": [
            { "hostname": "ALL" }
        ],
        "Cmnd_Specs": [
            {
                "runasusers": [
                    { "username": "ALL" }
                ],
                "runasgroups": [
                    { "usergroup": "ALL" }
                ],
                "Options": [
                    { "authenticate": false },
                    { "setenv": true }
                ],
                "Commands": [
                    { "command": "ALL" },
                    {
                        "command": "/usr/bin/id",
                        "negated": true
                    }
                ]
            }
        ]
    }
]
.Ed
.El
.Ss CSV output format
CSV (comma-separated value) files are often used by spreadsheets
and report generators.
For CSV output,
.Nm
double quotes strings that contain commas.
For each literal double quote character present inside the string,
two double quotes are output.
This method of quoting commas is compatible with most spreadsheet programs.
.Pp
There are three possible sections in
.Nm cvtsudoers Ns 's
CSV output, each separated by a blank line:
.Bl -tag -width 4n
.It defaults
This section includes any
.Em Defaults
settings in
.Em sudoers .
The
.Em defaults
section begins with the following heading:
.Bd -literal -offset indent
defaults_type,binding,name,operator,value
.Ed
.Pp
The fields are as follows:
.Bl -tag -width 4n
.It defaults_type
The type of
.Em Defaults
setting; one of
.Em defaults ,
.Em defaults_command ,
.Em defaults_host ,
.Em defaults_runas ,
or
.Em defaults_user .
.It binding
For
.Em defaults_command ,
.Em defaults_host ,
.Em defaults_runas ,
and
.Em defaults_user
this is the value that must match for the setting to be applied.
.It name
The name of the
.Em Defaults
setting.
.It operator
The operator determines how the value is applied to the setting.
It may be either
.Ql =
(assignment),
.Ql +=
(append),
or
.Ql -=
(remove).
.It value
The setting's value, usually a string or, for
settings used in a boolean context,
.Em true
or
.Em false .
.El
.It aliases
This section includes any
.Em Cmnd_Alias
.Em Host_Alias ,
.Em Runas_Alias ,
or
.Em User_Alias ,
entries from
.Em sudoers .
The
.Em aliases
section begins with the following heading:
.Bd -literal -offset indent
alias_type,alias_name,members
.Ed
.Pp
The fields are as follows:
.Bl -tag -width 4n
.It alias_type
The type of alias; one of
.Em Cmnd_Alias ,
.Em Host_Alias ,
.Em Runas_Alias ,
or
.Em User_Alias .
.It alias_name
The name of the alias; a string starting with an upper-case letter that
consists of upper-case letters, digits, or underscores.
.It members
A comma-separated list of members belonging to the alias.
Due to the use of commas,
.Em members
is surrounded by double quotes if it contains more than one member.
.El
.It rules
This section includes the
.Em sudoers
rules that grant privileges.
The
.Em rules
section begins with the following heading:
.Bd -literal -offset indent
rule,user,host,runusers,rungroups,options,command
.Ed
.Pp
The fields are as follows:
.Bl -tag -width 4n
.It rule
This field indicates a
.Em sudoers
.Em rule
entry.
.It user
The user the rule applies to.
This may also be a Unix group (preceded by a
.Ql %
character), a non-Unix group (preceded by
.Ql %: )
or a netgroup (preceded by a
.Ql +
character)
or a
.Em User_Alias .
If set to the special value
.Sy ALL ,
it will match any user.
.It host
The host the rule applies to.
This may also be a netgroup (preceded by a
.Ql +
character)
or a
.Em Host_Alias .
If set to the special value
.Sy ALL ,
it will match any host.
.It runusers
An optional comma-separated list of users (or
.Em Runas_Alias Ns No es )
the command may be run as.
If it contains more than one member, the value is surrounded by
double quotes.
If set to the special value
.Sy ALL ,
it will match any user.
If empty, the root user is assumed.
.It rungroups
An optional comma-separated list of groups (or
.Em Runas_Alias Ns No es )
the command may be run as.
If it contains more than one member, the value is surrounded by
double quotes.
If set to the special value
.Sy ALL ,
it will match any group.
If empty, the
.Em runuser Ns 's
group is used.
.It options
An optional list of
.Em Defaults
settings to apply to the command.
Any
.Em Tag_Spec
entries in
.Em sudoers
are converted to
.Em options .
.It commands
A list of commands, with optional arguments, that the user is allowed to run.
If set to the special value
.Sy ALL ,
it will match any command.
.El
.Pp
For example, the following
.Em sudoers
entry:
.Bd -literal
millert ALL = (ALL : ALL) NOPASSWD: ALL, !/usr/bin/id
.Ed
.Pp
converts to:
.Bd -literal
rule,millert,ALL,ALL,ALL,"!authenticate","ALL,!/usr/bin/id"
.Ed
.El
.Sh FILES
.Bl -tag -width 24n
.It Pa @sysconfdir@/cvtsudoers.conf
default configuration for cvtsudoers
.El
.Sh EXAMPLES
Convert
.Pa /etc/sudoers
to LDIF (LDAP Data Interchange Format) where the
.Pa ldap.conf
file uses a
.Em sudoers_base
of my-domain,dc=com, storing the result in
.Pa sudoers.ldif :
.Bd -literal -offset 4n
$ cvtsudoers -b ou=SUDOers,dc=my-domain,dc=com -o sudoers.ldif \e
             /etc/sudoers
.Ed
.Pp
Convert
.Pa /etc/sudoers
to JSON format, storing the result in
.Pa sudoers.json :
.Bd -literal -offset 4n
$ cvtsudoers -f json -o sudoers.json /etc/sudoers
.Ed
.Pp
Parse
.Pa /etc/sudoers
and display only rules that match user
.Em ambrose
on host
.Em hastur :
.Bd -literal -offset 4n
$ cvtsudoers -f sudoers -m user=ambrose,host=hastur /etc/sudoers
.Ed
.Pp
Same as above, but expand aliases and prune out any non-matching
users and hosts from the expanded entries.
.Bd -literal -offset 4n
$ cvtsudoers -ep -f sudoers -m user=ambrose,host=hastur /etc/sudoers
.Ed
.Pp
Convert
.Pa sudoers.ldif
from LDIF to traditional
.Em sudoers
format:
.Bd -literal -offset 4n
$ cvtsudoers -i ldif -f sudoers -o sudoers.new sudoers.ldif
.Ed
.Pp
Merge a global
.Em sudoers
file with two host-specific policy files from the hosts
.Dq xyzzy
and
.Dq plugh :
.Bd -literal -offset 4n
$ cvtsudoers -f sudoers -o sudoers.merged sudoers \e
    xyzzy:sudoers.xyzzy plugh:sudoers.plugh
.Ed
.Sh SEE ALSO
.Xr sudoers @mansectform@ ,
.Xr sudoers.ldap @mansectform@ ,
.Xr sudo @mansectsu@
.Sh AUTHORS
Many people have worked on
.Nm sudo
over the years; this version consists of code written primarily by:
.Bd -ragged -offset indent
.An Todd C. Miller
.Ed
.Pp
See the CONTRIBUTORS.md file in the
.Nm sudo
distribution (https://www.sudo.ws/about/contributors/) for an
exhaustive list of people who have contributed to
.Nm sudo .
.Sh BUGS
If you believe you have found a bug in
.Nm ,
you can either file a bug report in the sudo bug database,
https://bugzilla.sudo.ws/, or open an issue at
https://github.com/sudo-project/sudo/issues.
If you would prefer to use email, messages may be sent to the
sudo-workers mailing list,
https://www.sudo.ws/mailman/listinfo/sudo-workers (public)
or <sudo@sudo.ws> (private).
.Pp
Please not report security vulnerabilities through public GitHub
issues, Bugzilla or mailing lists.
Instead, report them via email to <Todd.Miller@sudo.ws>.
You may encrypt your message with PGP if you would like, using
the key found at https://www.sudo.ws/dist/PGPKEYS.
.Sh SUPPORT
Limited free support is available via the sudo-users mailing list,
see https://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or
search the archives.
.Sh DISCLAIMER
.Nm
is provided
.Dq AS IS
and any express or implied warranties, including, but not limited
to, the implied warranties of merchantability and fitness for a
particular purpose are disclaimed.
See the LICENSE.md file distributed with
.Nm sudo
or https://www.sudo.ws/about/license/ for complete details.