[sudo-users] Request for feedback: regular expressions in sudoers

Todd C. Miller Todd.Miller at courtesan.com
Tue Dec 11 13:18:33 EST 2012

I'm planning to include support for regular expression matching of
commands in the next sudo release.  This is something I've wanted
to do for over ten years.  Most likely this would use the pcre
library to support perl-compatible regular expressions.

One of the main stumbling blocks has been the matter of how to
specify the regex in the sudoers file.  There are two options I've
been thinking about, but perhaps you all can come up with better ones.

Option 1:

    Precede the regular expression with an 'm' like perl does where
    the character after the 'm' is the quote character that begins
    and ends the expression.  E.g.

	millert ALL=ALL m:^/usr/bin/passwd [A-Za-z][A-Za-z0-9]*$:,
	    !/usr/bin/passwd root

    This is flexible but more difficult to parse since we don't
    know what the quote character is until we start parsing.

Option 2:

    Require that regular expressions start with a ^ and end with a $

	millert ALL=ALL ^/usr/bin/passwd [A-Za-z][A-Za-z0-9]*$,
	    !/usr/bin/passwd root

    In this case we forgo the quote character entirely and require
    that the expression be anchored with ^ and $.

Advantages of Option 1:

    o similar to perl's 'm' (match) operator.

    o can support partial matches (the ^ and $ are optional).

    o can support multiline matches (where ^ and $ match the end
      of the line, not the end of the expression); doesn't seem useful
      in practice.

Advantages of Option 2:

    o easier to parse; we know we are looking for a '$' to end the

    o potentially less error prone as all expressions require '^'
      and '$' anchors.

    o could conceivably use regex for hostnames; no ambiguity between
      m... and a hostname that begins with the letter m.


 - todd
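
An added example, not part of the original message and not sudo code: C helpers that pull the pattern out of each proposed syntax and match a command line against it, showing how an unanchored Option 1 pattern accepts a command that the anchored form rejects. The names `extract_regex` and `spec_matches` are hypothetical, POSIX `regex.h` is assumed in place of pcre, and the command strings are constructed.

```c
/* Added example: hypothetical helpers, not sudo source code.
 * Assumption: POSIX <regex.h> (extended syntax) stands in for pcre. */
#include <regex.h>
#include <stdio.h>
#include <string.h>

/* Copy the regex out of one command spec (already split from the rule).
 * Option 1: m<q>regex<q>, <q> being whatever character follows 'm'.
 * Option 2: ^regex$, anchors mandatory and kept as part of the pattern.
 * Returns 1 or 2 for the syntax recognised, 0 if spec is not a regex. */
int extract_regex(const char *spec, char *out, size_t outlen)
{
    size_t len = strlen(spec), skip = 0;
    int opt;
    if (len >= 4 && spec[0] == 'm' && spec[len - 1] == spec[1]) {
        opt = 1; skip = 2; len -= 3;   /* drop 'm' and both quote chars */
    } else if (len >= 2 && spec[0] == '^' && spec[len - 1] == '$') {
        opt = 2;                       /* the whole spec is the pattern */
    } else {
        return 0;
    }
    if (len >= outlen)
        return 0;
    memcpy(out, spec + skip, len);
    out[len] = '\0';
    return opt;
}

/* 1 if cmnd (path plus arguments) matches, 0 if not, -1 on a bad spec. */
int spec_matches(const char *spec, const char *cmnd)
{
    char pat[256];
    regex_t re;
    int rc;
    if (!extract_regex(spec, pat, sizeof(pat)) ||
        regcomp(&re, pat, REG_EXTENDED | REG_NOSUB) != 0)
        return -1;
    rc = (regexec(&re, cmnd, 0, NULL, 0) == 0);
    regfree(&re);
    return rc;
}

int main(void)
{
    const char *extra = "/usr/bin/passwd millert --extra-arg"; /* constructed */
    printf("option 2, anchored:   %d\n", spec_matches("^/usr/bin/passwd [A-Za-z][A-Za-z0-9]*$", extra));
    printf("option 1, unanchored: %d\n", spec_matches("m:/usr/bin/passwd [A-Za-z][A-Za-z0-9]*:", extra));
    return 0;
}
```

The anchored pattern still matches `/usr/bin/passwd root`, which is why both sudoers lines in the message follow it with `!/usr/bin/passwd root`.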
