[sudo-users] Request for feedback: regular expressions in sudoers

Patrick Spinler spinler.patrick at mayo.edu
Tue Dec 11 14:26:18 EST 2012


FWIW, I'd prefer option 1.

I can definitely see using '$' in its meaning of 'end of input I'm
trying to match'.  Could be useful to insure that extra arguments aren't
included to a sudo'd command.  "Only this, and nothing appended".

e.g.

  m^/usr/local/bin/some_script \w+$

should limit some_Script to be called with a single argument.

However,

  ^/usr/local/bin/some_script \w+$

Might allow a user to do "sudo some_script arg1 security_hole_arg2 ..."

Granted, the script / program, whatever should be able to handle this
case gracefully, but still, belt and suspenders, you know?

-- Pat

On 12/11/12 12:18 PM, Todd C. Miller wrote:
> I'm planning to include support for regular expression matching of
> commands in the next sudo release.  This is something I've wanted
> to do for over ten years.  Most likely this would use the pcre
> library to support perl-compatible regular expressions.
> 
> One of the main stumbling blocks has been the matter of how to
> specify the regex in the sudoers file.  There are two options I've
> been thinking about, but perhaps you all come up with better ones.
> 
> Option 1:
> 
>     Precede the regular expression with an 'm' like perl does where
>     the character after the 'm' is the quote character that begins
>     and ends the expression.  E.g.
> 
> 	millert ALL=ALL m:^/usr/bin/passwd [A-Za-z][A-Za-z0-9]*$:,
> 	    !/usr/bin/passwd root
> 
>     This is flexible but more difficult to parse since we don't
>     know what the quote character is until we start parsing.
> 
> Option 2:
> 
>     Require that regular expressions start with a ^ and end with a $
> 
> 	millert ALL=ALL ^/usr/bin/passwd [A-Za-z][A-Za-z0-9]*$,
> 	    !/usr/bin/passwd root
> 
>     In this case we forgo the quote character entirely and require
>     that the expression be anchored with ^ and $.
> 
> Advantages of Option 1:
> 
>     o similar to perl's 'm' (match) operator.
> 
>     o can support partial matches (the ^ and $ are optional).
> 
>     o can support multiline matches (where ^ and $ match the end
>       of the line, not the end of the expression); doesn't useful
>       in practice.
> 
> Advantages of Option 2:
> 
>     o easier to parse; we know we are looking for a '$' to end the
>       regex.
> 
>     o potentially less error prone as all expressions require '^'
>       and '$' anchors.
> 
>     o could conceivably use regex for hostnames; no ambiguity between
>       m... and a hostname that begins with the letter m.
> 
> Thoughts?
> 
>  - todd
> ____________________________________________________________
> sudo-users mailing list <sudo-users at sudo.ws>
> For list information, options, or to unsubscribe, visit:
> http://www.sudo.ws/mailman/listinfo/sudo-users
> 



More information about the sudo-users mailing list