[sudo-users] Request for feedback: regular expressions in sudoers
Todd C. Miller
Todd.Miller at courtesan.com
Tue Dec 11 13:18:33 EST 2012
I'm planning to include support for regular expression matching of
commands in the next sudo release. This is something I've wanted
to do for over ten years. Most likely this would use the pcre
library to support perl-compatible regular expressions.
One of the main stumbling blocks has been the matter of how to
specify the regex in the sudoers file. There are two options I've
been thinking about, but perhaps you all can come up with better ones.
Option 1:
Precede the regular expression with an 'm' like perl does where
the character after the 'm' is the quote character that begins
and ends the expression. E.g.
millert ALL=ALL m:^/usr/bin/passwd [A-Za-z][A-Za-z0-9]*$:,
!/usr/bin/passwd root
This is flexible but more difficult to parse since we don't
know what the quote character is until we start parsing.
Option 2:
Require that regular expressions start with a ^ and end with a $
millert ALL=ALL ^/usr/bin/passwd [A-Za-z][A-Za-z0-9]*$,
!/usr/bin/passwd root
In this case we forgo the quote character entirely and require
that the expression be anchored with ^ and $.
Advantages of Option 1:
o similar to perl's 'm' (match) operator.
o can support partial matches (the ^ and $ are optional).
o can support multiline matches (where ^ and $ match the end
of the line, not the end of the expression); this isn't useful
in practice.
Advantages of Option 2:
o easier to parse; we know we are looking for a '$' to end the
regex.
o potentially less error prone as all expressions require '^'
and '$' anchors.
o could conceivably use regex for hostnames; no ambiguity between
m... and a hostname that begins with the letter m.
Thoughts?
- todd
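As an added illustration of the two spellings above (this is example code written for this page, not Todd's proposal or any part of sudo), the following scanner splits a Cmnd_List under either option, compiles each regular expression, and evaluates a command the way sudoers does, with the last matching entry deciding. The input strings, the `/tmp/usr/bin/passwd` path and the `{1,8}` pattern are constructed for the demonstration; the one-flat-string comparison of command plus arguments is a simplification of what sudo actually does.

```python
"""Toy scanner and matcher for the two regex syntaxes proposed for sudoers.

Constructed example, not sudo's own code.  Both the scanner and the
"last match wins" evaluation are simplifications: sudo compares the
resolved command path and the argument vector, not one flat string.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

CMND_SEPARATORS = " \t,"


@dataclass
class CmndSpec:
    negated: bool                    # entry was prefixed with '!'
    regex: Optional[re.Pattern]      # compiled regex, or None for a literal
    literal: str = ""                # literal command + args when regex is None


def _looks_like_m_regex(text: str, i: int) -> bool:
    """Option 1: 'm' followed by a non-alphanumeric delimiter, e.g. m:...: or m/.../."""
    return (text[i] == "m" and i + 1 < len(text)
            and not text[i + 1].isalnum()
            and text[i + 1] not in CMND_SEPARATORS + "_")


def scan_cmnd_list(text: str, option: int) -> List[CmndSpec]:
    """Split a Cmnd_List into entries without breaking a regex on an inner comma.

    option=1: regex is m<q>...<q>, <q> being the first character after 'm'.
    option=2: regex starts with '^' and runs to the first unescaped '$'
              (a '$' inside a character class is not handled here).
    Anything else is a literal command with arguments, up to the next comma.
    """
    specs: List[CmndSpec] = []
    i, n = 0, len(text)
    while i < n:
        while i < n and text[i] in CMND_SEPARATORS:
            i += 1
        if i >= n:
            break
        negated = False
        while i < n and text[i] == "!":
            negated = not negated        # '!!' cancels, as in sudoers
            i += 1
        if option == 1 and _looks_like_m_regex(text, i):
            quote = text[i + 1]
            j, buf = i + 2, []
            while j < n and text[j] != quote:
                if text[j] == "\\" and j + 1 < n and text[j + 1] == quote:
                    buf.append(quote)    # escaped delimiter stays in the regex
                    j += 2
                    continue
                buf.append(text[j])
                j += 1
            if j >= n:
                raise ValueError("unterminated m%s regex at offset %d" % (quote, i))
            specs.append(CmndSpec(negated, re.compile("".join(buf))))
            i = j + 1
        elif option == 2 and text[i] == "^":
            j, buf = i + 1, ["^"]
            while j < n:
                c = text[j]
                if c == "\\" and j + 1 < n:  # keep escapes such as \$ intact
                    buf.append(text[j:j + 2])
                    j += 2
                    continue
                buf.append(c)
                j += 1
                if c == "$":
                    break
            if buf[-1] != "$":
                raise ValueError("regex at offset %d is not terminated by '$'" % i)
            specs.append(CmndSpec(negated, re.compile("".join(buf))))
            i = j
        else:
            j = i
            while j < n and text[j] != ",":
                j += 1
            specs.append(CmndSpec(negated, None, text[i:j].strip()))
            i = j
    return specs


def cmnd_allowed(specs: List[CmndSpec], cmnd: str) -> bool:
    """sudoers evaluation order: the last entry that matches decides."""
    allowed = False
    for spec in specs:
        if spec.regex is not None:
            hit = spec.regex.search(cmnd) is not None  # search: Option 1 may be unanchored
        else:
            hit = cmnd == spec.literal
        if hit:
            allowed = not spec.negated
    return allowed


# Constructed inputs: the two spellings from the proposal, an unanchored
# Option 1 regex, and a regex with a comma inside a repetition count.
OPTION1 = "m:^/usr/bin/passwd [A-Za-z][A-Za-z0-9]*$:, !/usr/bin/passwd root"
OPTION2 = "^/usr/bin/passwd [A-Za-z][A-Za-z0-9]*$, !/usr/bin/passwd root"
OPTION1_UNANCHORED = "m:/usr/bin/passwd:, !/usr/bin/passwd root"
OPTION2_WITH_COMMA = "^/usr/bin/passwd [a-z]{1,8}$, !/usr/bin/passwd root"

if __name__ == "__main__":
    for label, text, opt in [("option 1", OPTION1, 1), ("option 2", OPTION2, 2),
                             ("option 1 unanchored", OPTION1_UNANCHORED, 1),
                             ("option 2 with {1,8}", OPTION2_WITH_COMMA, 2)]:
        specs = scan_cmnd_list(text, opt)
        for c in ["/usr/bin/passwd alice", "/usr/bin/passwd root",
                  "/usr/bin/passwd alice bob", "/tmp/usr/bin/passwd alice"]:
            print("%-20s %-28s %s" % (label, c, "allow" if cmnd_allowed(specs, c) else "deny"))
```

Running it shows the two anchored spellings behaving identically (`passwd alice` allowed, `passwd root` denied by the later literal, extra arguments and a different path rejected), while the unanchored Option 1 form also admits `/tmp/usr/bin/passwd alice` and `passwd alice bob`, which is the "less error prone" point made for Option 2. The `{1,8}` case shows why the scanner must know the regex delimiter before it splits on commas.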