* Added support to specify @group values for the --targets parameter and in the targets file(s)

* Added support for nested aliases: up to 5 levels deep instead of just
one level
* Added --resolve-alias/--alias command-line parameter to manually check
the resolution any alias
* Fixed propagation of --debug flag (to clients & slaves)
* Fixed propagation of --create-dir flag (to clients & slaves)
* Fixed problem in --fix-local routine (by adding optional --fix-user
command-line parameter and code)
* Fixed check when adding key to ssh-agent
* Added checking on alias resolution in --check-syntax routine
* Better trap setting
* Added typeset-ing to vars
* Switched version numbering (now date based)
* Code cleanup (now error & warning free in shellcheck/perlcritic
linters)

manage_sudo.conf

@@ -13,7 +13,7 @@
 # (leave blank for current user)
 SUDO_TRANSFER_USER=""
 
-# name of the OS group that should own the SUDO controls files
+# name of the UNIX group that should own the SUDO controls files (must exist already)
 SUDO_OWNER_GROUP="sudoadmin"
 
 # whether a 'chmod' needs to be executed after each sftp transfer [0=No; 1=Yes]

update_sudo.pl

@@ -43,12 +43,14 @@ use File::Temp qw(tempfile);
 #******************************************************************************
 
 # ------------------------- CONFIGURATION starts here -------------------------
-# define the V.R.F (version/release/fix)
+# define the version (YYYY-MM-DD)
-my $MY_VRF = "1.1.4";
+my $script_version = "2018-11-03";
 # name of global configuration file (no path, must be located in the script directory)
 my $global_config_file = "update_sudo.conf";
 # name of localized configuration file (no path, must be located in the script directory)
 my $local_config_file = "update_sudo.conf.local";
+# maxiumum level of recursion for alias resolution
+my $max_recursion = 5;
 # selinux context label of sudoers fragment files
 my $selinux_context = "etc_t";
 # ------------------------- CONFIGURATION ends here ---------------------------
@@ -57,7 +59,7 @@ my ($debug, $verbose, $preview, $global, $use_fqdn) = (0,0,0,0,0);
 my (@config_files, $fragments_dir, $visudo_bin, $immutable_self_file, $immutable_self_cmd);
 my (%options, @uname, %aliases, %frags, @grants);
 my ($os, $host, $hostname, $run_dir);
-my ($selinux_status, $has_selinux) = ("",0);
+my ($selinux_status, $has_selinux, $recursion_count) = ("",0,1);
 $|++;
 
 
@@ -190,7 +192,7 @@ pod2usage(-verbose => 0) unless (%options);
 # check version parameter
 if ($options{'version'}) {
     $verbose = 1;
-    do_log ("INFO: $0: version $MY_VRF");
+    do_log ("INFO: $0: version $script_version");
     exit (0);
 }
 # check help parameter
@@ -307,13 +309,44 @@ close (ALIASES);
 do_log ("DEBUG: dumping unexpanded aliases:");
 print Dumper (\%aliases) if $debug;
 
-# we can nest aliases one level deep, so do a one-level recursive sort of lookup
+# resolve aliases recursively to a maxium of $max_recursion
-# of the remaining '@' aliases. Input should be passed as comma-separated
+while ($recursion_count <= $max_recursion) {
-# string to resolve_aliases so don't forget to smash everything back together
+    # crawl over all items in the hash %aliases
-# first.
+    foreach my $key (keys (%aliases)) {
-foreach my $key (keys (%aliases)) {
+        # crawl over all items in the array @{aliases{$key}}
-
+        my @new_array; my @filtered_array;  # these are the working stashes
-    $aliases{$key} = [resolve_aliases (join (",", @{$aliases{$key}}))]; 
+        do_log ("DEBUG: expanded alias $key before recursion $recursion_count [$hostname]");
+        print Dumper (\@{$aliases{$key}}) if $debug;
+        foreach my $item (@{$aliases{$key}}) {
+            # is it a group?
+            if ($item =~ /^\@/) {
+                # expand the group if it exists
+                if ($aliases{$item}) {
+                    # add current and new items to the working stash
+                    if (@new_array) {
+                        push (@new_array, @{$aliases{$item}});
+                    } else {
+                        @new_array = (@{$aliases{$key}}, @{$aliases{$item}});
+                    }
+                    # remove the original group item from the working stash
+                    @filtered_array = grep { $_ ne $item } @new_array;
+                    @new_array = @filtered_array;
+                } else {
+                    do_log ("WARN: unable to resolve alias $item [$hostname]");
+                }
+            # no group, just add the item as-is to working stash
+            } else {
+                push (@new_array, $item);
+            }
+        }
+        my %seen;
+        @filtered_array = grep { not $seen{$_}++ } @new_array;
+        # re-assign working stash back to our original hash key
+        @{$aliases{$key}} = @filtered_array;
+        do_log ("DEBUG: expanded alias $key after recursion $recursion_count [$hostname]");
+        print Dumper (\@{$aliases{$key}}) if $debug;
+    }
+    $recursion_count++;
 }
 
 do_log ("INFO: ".scalar (keys (%aliases))." aliases found on $hostname");
@@ -734,15 +767,3 @@ S<       >Show version of the script.
 =head1 AUTHOR
 
 (c) KUDOS BVBA, Patrick Van der Veken
-
-=head1 HISTORY
-
-@(#) 2014-12-04: VRF 1.0.0: first version [Patrick Van der Veken]
-@(#) 2014-12-16: VRF 1.0.1: added SELinux context [Patrick Van der Veken]
-@(#) 2014-12-16: VRF 1.0.2: fixed a problem with the immutable self fragment code [Patrick Van der Veken]
-@(#) 2015-02-02: VRF 1.0.3: changed 'basename' into 'fileparse' call to support fragment files with extensions [Patrick Van der Veken]
-@(#) 2015-08-18: VRF 1.1.0: replace uname/hostname syscalls, now support for FQDN via $use_fqdn, other fixes [Patrick Van der Veken]
-@(#) 2015-08-26: VRF 1.1.1: small and not so small fixes [Patrick Van der Veken]
-@(#) 2015-08-27: VRF 1.1.2: small fix [Patrick Van der Veken]
-@(#) 2015-09-09: VRF 1.1.3: small selinux fix [Patrick Van der Veken]
-@(#) 2015-09-09: VRF 1.1.4: wrong handling of RC=0 in system() [Patrick Van der Veken]