[sudo-users] Request for feedback: regular expressions in sudoers
spinler.patrick at mayo.edu
Tue Dec 11 14:26:18 EST 2012
FWIW, I'd prefer option 1.
I can definitely see using '$' in its meaning of 'end of input I'm
trying to match'. Could be useful to ensure that extra arguments aren't
included in a sudo'd command. "Only this, and nothing appended".
should limit some_script to be called with a single argument.
Might allow a user to do "sudo some_script arg1 security_hole_arg2 ..."
Granted, the script / program, whatever should be able to handle this
case gracefully, but still, belt and suspenders, you know?
On 12/11/12 12:18 PM, Todd C. Miller wrote:
> I'm planning to include support for regular expression matching of
> commands in the next sudo release. This is something I've wanted
> to do for over ten years. Most likely this would use the pcre
> library to support perl-compatible regular expressions.
> One of the main stumbling blocks has been the matter of how to
> specify the regex in the sudoers file. There are two options I've
> been thinking about, but perhaps you all come up with better ones.
> Option 1:
> Precede the regular expression with an 'm' like perl does where
> the character after the 'm' is the quote character that begins
> and ends the expression. E.g.
> millert ALL=ALL m:^/usr/bin/passwd [A-Za-z][A-Za-z0-9]*$:,
> !/usr/bin/passwd root
> This is flexible but more difficult to parse since we don't
> know what the quote character is until we start parsing.
> Option 2:
> Require that regular expressions start with a ^ and end with a $
> millert ALL=ALL ^/usr/bin/passwd [A-Za-z][A-Za-z0-9]*$,
> !/usr/bin/passwd root
> In this case we forgo the quote character entirely and require
> that the expression be anchored with ^ and $.
> Advantages of Option 1:
> o similar to perl's 'm' (match) operator.
> o can support partial matches (the ^ and $ are optional).
> o can support multiline matches (where ^ and $ match the end
> of the line, not the end of the expression); this isn't useful
> in practice.
> Advantages of Option 2:
> o easier to parse; we know we are looking for a '$' to end the
> o potentially less error prone as all expressions require '^'
> and '$' anchors.
> o could conceivably use regex for hostnames; no ambiguity between
> m... and a hostname that begins with the letter m.
> - todd
> sudo-users mailing list <sudo-users at sudo.ws>
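Added example (not sudo's code and not from either poster): a small Python model of the two syntaxes in Todd's message, used to check Patrick's point about '$' and one caveat he did not mention. Assumptions, labelled in the code: the command list is comma-separated, a leading '!' negates, and the last matching entry wins, as for ordinary sudoers command lists; an option-2 body is taken to end at the first '$' followed by a comma or the end of the list. The command lines and the OPTION1_*/OPTION2 lists are constructed for the example.

```python
import re

# Constructed command lists in the two syntaxes proposed in the thread.  Assumed
# list semantics (as for ordinary sudoers command lists): entries are separated by
# commas, a leading '!' negates, and the last matching entry decides.
OPTION1_ANCHORED = "m:^/usr/bin/passwd [A-Za-z][A-Za-z0-9]*$:, !/usr/bin/passwd root"
OPTION1_UNANCHORED = "m:^/usr/bin/passwd [A-Za-z][A-Za-z0-9]*:, !/usr/bin/passwd root"
OPTION2 = "^/usr/bin/passwd [A-Za-z][A-Za-z0-9]*$, !/usr/bin/passwd root"


def split_entries(spec):
    """Split a command list on top-level commas without cutting a regex in half."""
    entries, buf, i = [], "", 0

    def at_entry_start():
        return buf.strip() in ("", "!")

    while i < len(spec):
        ch = spec[i]
        if (ch == "m" and at_entry_start() and i + 1 < len(spec)
                and not spec[i + 1].isalnum() and not spec[i + 1].isspace()):
            # Option 1: the quote character is whatever follows the 'm', so the
            # parser only learns what terminates the body once it gets here.
            delim = spec[i + 1]
            end = spec.index(delim, i + 2)
            buf += spec[i:end + 1]
            i = end + 1
        elif ch == "^" and at_entry_start():
            # Option 2: the body runs to the '$' that closes the entry.  Assumed
            # rule: the first '$' followed by ',' or by the end of the list.
            end = spec.index("$", i + 1)
            while end + 1 < len(spec) and spec[end + 1] != ",":
                end = spec.index("$", end + 1)
            buf += spec[i:end + 1]
            i = end + 1
        elif ch == ",":
            entries.append(buf.strip())
            buf = ""
            i += 1
        else:
            buf += ch
            i += 1
    if buf.strip():
        entries.append(buf.strip())
    return entries


def compile_entry(entry):
    """Return (negated, predicate) for one entry of the command list."""
    negated = entry.startswith("!")
    body = entry[1:].strip() if negated else entry
    if re.match(r"m[^\w\s]", body) and body.endswith(body[1]):
        # Option 1: anchors are optional, so honour only the ones the author wrote.
        rx = re.compile(body[2:-1])
        return negated, lambda cmd: rx.search(cmd) is not None
    if body.startswith("^") and body.endswith("$"):
        # Option 2: the whole command line must be consumed.  fullmatch() matters:
        # in Python's re, as in PCRE by default, '$' also matches just before a
        # trailing newline, so search() would accept "passwd alice\n".
        rx = re.compile(body)
        return negated, lambda cmd: rx.fullmatch(cmd) is not None
    return negated, lambda cmd: cmd == body  # plain sudoers command: exact match


def allowed(spec, cmdline):
    """Evaluate a command line against a command list; no match means denied."""
    verdict = False
    for entry in split_entries(spec):
        negated, matches = compile_entry(entry)
        if matches(cmdline):
            verdict = not negated
    return verdict


if __name__ == "__main__":
    for name in ("OPTION1_ANCHORED", "OPTION1_UNANCHORED", "OPTION2"):
        for cmd in ("/usr/bin/passwd alice", "/usr/bin/passwd root",
                    "/usr/bin/passwd alice security_hole_arg2",
                    "/usr/bin/passwd alice\n"):
            print(f"{name:18} {cmd!r:48} {'allow' if allowed(globals()[name], cmd) else 'deny'}")
```

The unanchored option-1 list lets "/usr/bin/passwd alice security_hole_arg2" through, which is the case Patrick is guarding against. The anchored option-1 list stops that, but because its matcher only honours the anchors written in the pattern, a command line ending in a newline still passes the '$' test; the option-2 matcher, which requires the expression to consume the entire command line, rejects it. Whatever syntax is chosen, the implementation needs an end-of-subject check stronger than a bare '$' (PCRE's DOLLAR_ENDONLY or an explicit \z) if '$' is to mean "nothing appended".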