convert between sudoers file formats
cvtsudoers can be used to convert between
sudoers security policy file formats. The default input
format is sudoers. The default output format is LDIF. It is only possible to
convert a sudoers file that is syntactically correct.
If no input_file is specified, or if it is
-’, the policy is read from the
standard input. By default, the result is written to the standard
The options are as follows:
ou=SUDOers,dc=-mydomain,dc=comfor the domain
my-domain.com. If this option is not specified, the value of the
SUDOERS_BASEenvironment variable will be used instead. Only necessary when converting to LDIF format.
Defaultsentries of the specified types. One or more
Defaultstypes may be specified, separated by a comma (‘
,’). The supported types are:
-d option is not specified, all
Defaults entries will be converted.
Conversion to LDIF has the following limitations:
,’). The key may be “user”, “group” or “host”. For example, user = operator or host = www. An upper-case User_Alias or Host_Alias may be specified as the “user” or “host”.
A matching sudoers rule may also include
users, groups and hosts that are not part of the
filter. This can happen when a rule includes
multiple users, groups or hosts. To prune out any non-matching user,
group or host from the rules, the
-p option may
By default, the password and group databases are not consulted
when matching against the filter so the users and groups do not need to
be present on the local system (see the
option). Only aliases that are referenced by the filtered policy rules
will be displayed.
-moption is also specified, use password and group database information when matching users and groups in the filter. Only users and groups in the filter that exist on the local system will match, and a user's groups will automatically be added to the filter. If the
-Mis not specified, users and groups in the filter do not need to exist on the local system, but all groups used for matching must be explicitly listed in the filter.
-’, the converted sudoers policy will be written to the standard output.
-Ioption for details. Defaults to a starting point of 1. A starting point of 0 will disable the generation of sudoOrder attributes in the resulting LDIF file.
-moption is also specified,
cvtsudoerswill prune out non-matching users, groups and hosts from matching entries.
,’). The supported section name are: defaults, aliases and privileges (which may be shortened to privs).
cvtsudoersand sudoers grammar versions and exit.
Options in the form “keyword = value” may also be specified in a configuration file, /etc/cvtsudoers.conf by default. The following keywords are recognized:
-dcommand line option.
-ecommand line option.
-icommand line option.
-mcommand line option.
-Icommand line option.
-Ocommand line option.
-fcommand line option.
-pcommand line option.
-bcommand line option.
-scommand line option.
Options on the command line will override values from the configuration file.
Convert /etc/sudoers to LDIF (LDAP Data Interchange Format) where the ldap.conf file uses a sudoers_base of my-domain,dc=com, storing the result in sudoers.ldif:
$ cvtsudoers -b ou=SUDOers,dc=my-domain,dc=com -o sudoers.ldif \ /etc/sudoers
Convert /etc/sudoers to JSON format, storing the result in sudoers.json:
$ cvtsudoers -f json -o sudoers.json /etc/sudoers
$ cvtsudoers -f sudoers -m user=ambrose,host=hastur /etc/sudoers
Same as above, but expand aliases and prune out any non-matching users and hosts from the expanded entries.
$ cvtsudoers -ep -f sudoers -m user=ambrose,host=hastur /etc/sudoers
Convert sudoers.ldif from LDIF to traditional sudoers format:
$ cvtsudoers -i ldif -f sudoers -o sudoers.new sudoers.ldif
Many people have worked on
sudo over the
years; this version consists of code written primarily by:
See the CONTRIBUTORS file in the
distribution (https://www.sudo.ws/contributors.html) for an exhaustive list
of people who have contributed to
If you feel you have found a bug in
cvtsudoers, please submit a bug report at
Limited free support is available via the sudo-users mailing list, see https://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or search the archives.
cvtsudoers is provided “AS
IS” and any express or implied warranties, including, but not limited
to, the implied warranties of merchantability and fitness for a particular
purpose are disclaimed. See the LICENSE file distributed with
sudo or https://www.sudo.ws/license.html for