Sudoers Time Stamp file: Ruby parsing library

This spec can be used to parse sudo time stamp files located in directories such as /run/sudo/ts/$USER or /var/lib/sudo/ts/$USER.

KS implementation details

License: CC0-1.0

This page hosts a formal specification of Sudoers Time Stamp file using Kaitai Struct. This specification can be automatically translated into a variety of programming languages to get a parsing library.

Usage

Runtime library

All parsing code for Ruby generated by Kaitai Struct depends on the Ruby runtime library. You have to install it before you can parse data.

The Ruby runtime library can be installed from RubyGems:

gem install kaitai-struct

Code

Parse a local file and get structure in memory:

data = SudoersTs.from_file("path/to/local/file.Sudoers Time Stamp file")

Or parse structure from a string of bytes:

bytes = "\x00\x01\x02..."
data = SudoersTs.new(Kaitai::Struct::Stream.new(bytes))

After that, one can get various attributes from the structure by invoking getter methods like:

data.records # => get records

Ruby source code to parse Sudoers Time Stamp file

sudoers_ts.rb

# This is a generated file! Please edit source .ksy file and use kaitai-struct-compiler to rebuild

require 'kaitai/struct/struct'

unless Gem::Version.new(Kaitai::Struct::VERSION) >= Gem::Version.new('0.9')
  raise "Incompatible Kaitai Struct Ruby API: 0.9 or later is required, but you have #{Kaitai::Struct::VERSION}"
end


##
# This spec can be used to parse sudo time stamp files located in directories
# such as /run/sudo/ts/$USER or /var/lib/sudo/ts/$USER.
# @see https://www.sudo.ws/man/1.8.27/sudoers_timestamp.man.html Source
class SudoersTs < Kaitai::Struct::Struct

  TS_TYPE = {
    1 => :ts_type_global,
    2 => :ts_type_tty,
    3 => :ts_type_ppid,
    4 => :ts_type_lockexcl,
  }
  I__TS_TYPE = TS_TYPE.invert
  def initialize(_io, _parent = nil, _root = self)
    super(_io, _parent, _root)
    _read
  end

  def _read
    @records = []
    i = 0
    while not @_io.eof?
      @records << Record.new(@_io, self, @_root)
      i += 1
    end
    self
  end
  class RecordV2 < Kaitai::Struct::Struct
    def initialize(_io, _parent = nil, _root = self)
      super(_io, _parent, _root)
      _read
    end

    def _read
      @type = Kaitai::Struct::Stream::resolve_enum(SudoersTs::TS_TYPE, @_io.read_u2le)
      @flags = TsFlag.new(@_io, self, @_root)
      @auth_uid = @_io.read_u4le
      @sid = @_io.read_u4le
      @start_time = Timespec.new(@_io, self, @_root)
      @ts = Timespec.new(@_io, self, @_root)
      if type == :ts_type_tty
        @ttydev = @_io.read_u4le
      end
      if type == :ts_type_ppid
        @ppid = @_io.read_u4le
      end
      self
    end

    ##
    # record type
    attr_reader :type

    ##
    # record flags
    attr_reader :flags

    ##
    # user ID that was used for authentication
    attr_reader :auth_uid

    ##
    # ID of the user's terminal session, if present (when type is TS_TTY)
    attr_reader :sid

    ##
    # start time of the session leader for records of type TS_TTY or of the parent process for records of type TS_PPID
    attr_reader :start_time

    ##
    # actual time stamp, from a monotonic time source
    attr_reader :ts

    ##
    # device number of the terminal associated with the session
    attr_reader :ttydev

    ##
    # ID of the parent process
    attr_reader :ppid
  end
  class TsFlag < Kaitai::Struct::Struct
    def initialize(_io, _parent = nil, _root = self)
      super(_io, _parent, _root)
      _read
    end

    def _read
      @reserved0 = @_io.read_bits_int_be(6)
      @anyuid = @_io.read_bits_int_be(1) != 0
      @disabled = @_io.read_bits_int_be(1) != 0
      @reserved1 = @_io.read_bits_int_be(8)
      self
    end

    ##
    # Reserved (unused) bits
    attr_reader :reserved0

    ##
    # ignore uid
    attr_reader :anyuid

    ##
    # entry disabled
    attr_reader :disabled

    ##
    # Reserved (unused) bits
    attr_reader :reserved1
  end
  class RecordV1 < Kaitai::Struct::Struct
    def initialize(_io, _parent = nil, _root = self)
      super(_io, _parent, _root)
      _read
    end

    def _read
      @type = Kaitai::Struct::Stream::resolve_enum(SudoersTs::TS_TYPE, @_io.read_u2le)
      @flags = TsFlag.new(@_io, self, @_root)
      @auth_uid = @_io.read_u4le
      @sid = @_io.read_u4le
      @ts = Timespec.new(@_io, self, @_root)
      if type == :ts_type_tty
        @ttydev = @_io.read_u4le
      end
      if type == :ts_type_ppid
        @ppid = @_io.read_u4le
      end
      self
    end

    ##
    # record type
    attr_reader :type

    ##
    # record flags
    attr_reader :flags

    ##
    # user ID that was used for authentication
    attr_reader :auth_uid

    ##
    # session ID associated with tty/ppid
    attr_reader :sid

    ##
    # time stamp, from a monotonic time source
    attr_reader :ts

    ##
    # device number of the terminal associated with the session
    attr_reader :ttydev

    ##
    # ID of the parent process
    attr_reader :ppid
  end
  class Timespec < Kaitai::Struct::Struct
    def initialize(_io, _parent = nil, _root = self)
      super(_io, _parent, _root)
      _read
    end

    def _read
      @sec = @_io.read_s8le
      @nsec = @_io.read_s8le
      self
    end

    ##
    # seconds
    attr_reader :sec

    ##
    # nanoseconds
    attr_reader :nsec
  end
  class Record < Kaitai::Struct::Struct
    def initialize(_io, _parent = nil, _root = self)
      super(_io, _parent, _root)
      _read
    end

    def _read
      @version = @_io.read_u2le
      @len_record = @_io.read_u2le
      case version
      when 1
        @_raw_payload = @_io.read_bytes((len_record - 4))
        _io__raw_payload = Kaitai::Struct::Stream.new(@_raw_payload)
        @payload = RecordV1.new(_io__raw_payload, self, @_root)
      when 2
        @_raw_payload = @_io.read_bytes((len_record - 4))
        _io__raw_payload = Kaitai::Struct::Stream.new(@_raw_payload)
        @payload = RecordV2.new(_io__raw_payload, self, @_root)
      else
        @payload = @_io.read_bytes((len_record - 4))
      end
      self
    end

    ##
    # version number of the timestamp_entry struct
    attr_reader :version

    ##
    # size of the record in bytes
    attr_reader :len_record
    attr_reader :payload
    attr_reader :_raw_payload
  end
  attr_reader :records
end