[sudo-users] Runas_User does not work as expected
Olaf Flebbe
o.flebbe at science-computing.de
Tue May 10 05:43:42 EDT 2005
Hi,
Suppose you would like luser to be able to call a program "id" as everyone
except users flebbe and root.
---
luser ALL = (ALL,!flebbe,!root) /usr/bin/id
----
Effectively it can run id as everyone, except root. Sadly, in 1.6.8p8 the !flebbe
clause is ignored. luser can call it as flebbe.
-------------
IMHO the root of the problem is quite deep in the syntax and semantics of the
sudoers file.
You are allowed to write user lists as a positive list and equally allowed
to write them as a list of negations.
(one, two, three) meaning one _or_ two _or_ three.
I would expect negations to be grouped by _and_ operations:
( ..., !one, !two, !three) meaning ... _and_ not one _and_ not two _and_ not
three.
IMHO one needs some syntactic sugar to make a distinction between a list of
negations and a list of positives.
I would like to suggest using '&' and '|' in parse.yacc:
----------------------
runaslist : oprunasuser { ; }
          | runaslist '&' oprunasuser {
                $$ = $1 && $3;
            }
          | runaslist '|' oprunasuser {
                $$ = $1 || $3;
            }
          ;
oprunasuser : runasuser { ; }
            | '!' {
                ?????
            } runasuser {
                $$ = ! $3;
            }
            ;
------------------------
Or am I missing something very obvious?
Cheers
Olaf
--
Dr. Olaf Flebbe science + computing ag
Leiter Softwareentwicklung Hagellocher Weg 71-75
phone +49 7071 9457 254 72070 Tuebingen, Germany
fax +49 7071 9457 511 www.science-computing.de
________________________________events | conferences
s+c Infoforum, 30. Juni 2005
SI-Centrum Stuttgart, Germany
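
An added example, not part of the original post and not sudo's code: a small Python model that evaluates the Runas list (ALL,!flebbe,!root) under three readings. last_match_wins follows the last-match convention that sudoers documents for multiple matching entries, and_of_negations is the grouping the post asks for, and last_item_overwrites is an assumed faulty evaluation that merely reproduces the reported symptom (it is not a confirmed description of 1.6.8p8). The target user "alice" is a constructed name.

```python
# Added illustration; not sudo's source code. Each Runas list item is a
# (negated, name) pair, and "ALL" matches every target user.
RUNAS = [(False, "ALL"), (True, "flebbe"), (True, "root")]  # (ALL,!flebbe,!root)

def item_matches(name, target):
    return name == "ALL" or name == target

def last_match_wins(items, target):
    """Scan left to right; the last item that names the target decides."""
    verdict = False                      # nothing matched: not permitted
    for negated, name in items:
        if item_matches(name, target):
            verdict = not negated
    return verdict

def and_of_negations(items, target):
    """The post's expectation: positives are OR-ed, negations are AND-ed."""
    positives = [n for neg, n in items if not neg]
    negatives = [n for neg, n in items if neg]
    allowed = any(item_matches(n, target) for n in positives)
    return allowed and not any(item_matches(n, target) for n in negatives)

def last_item_overwrites(items, target):
    """Assumed faulty model: every item is reduced to a boolean and the most
    recent one overwrites the result, even if it never named the target."""
    verdict = False
    for negated, name in items:
        verdict = item_matches(name, target) != negated
    return verdict

def evaluate(target):
    """Return the verdict of each reading for one target user."""
    return {f.__name__: f(RUNAS, target)
            for f in (last_match_wins, and_of_negations, last_item_overwrites)}

if __name__ == "__main__":
    for user in ("flebbe", "root", "alice"):   # "alice" is a constructed name
        print(user, evaluate(user))
```

Under last_match_wins the order of items matters: a list written as (!flebbe, ALL) permits flebbe, while and_of_negations rejects flebbe regardless of order.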