[sudo-users] Request for feedback: regular expressions in sudoers
Patrick Spinler
spinler.patrick at mayo.edu
Tue Dec 11 14:26:18 EST 2012
FWIW, I'd prefer option 1.
I can definitely see using '$' in its meaning of 'end of input I'm
trying to match'. Could be useful to ensure that extra arguments aren't
included in a sudo'd command. "Only this, and nothing appended".
e.g.
m^/usr/local/bin/some_script \w+$
should limit some_script to be called with a single argument.
However,
^/usr/local/bin/some_script \w+$
might allow a user to do "sudo some_script arg1 security_hole_arg2 ..."
Granted, the script / program, whatever should be able to handle this
case gracefully, but still, belt and suspenders, you know?
-- Pat
On 12/11/12 12:18 PM, Todd C. Miller wrote:
> I'm planning to include support for regular expression matching of
> commands in the next sudo release. This is something I've wanted
> to do for over ten years. Most likely this would use the pcre
> library to support perl-compatible regular expressions.
>
> One of the main stumbling blocks has been the matter of how to
> specify the regex in the sudoers file. There are two options I've
> been thinking about, but perhaps you all can come up with better ones.
>
> Option 1:
>
> Precede the regular expression with an 'm' like perl does where
> the character after the 'm' is the quote character that begins
> and ends the expression. E.g.
>
> millert ALL=ALL m:^/usr/bin/passwd [A-Za-z][A-Za-z0-9]*$:,
> !/usr/bin/passwd root
>
> This is flexible but more difficult to parse since we don't
> know what the quote character is until we start parsing.
>
> Option 2:
>
> Require that regular expressions start with a ^ and end with a $
>
> millert ALL=ALL ^/usr/bin/passwd [A-Za-z][A-Za-z0-9]*$,
> !/usr/bin/passwd root
>
> In this case we forgo the quote character entirely and require
> that the expression be anchored with ^ and $.
>
> Advantages of Option 1:
>
> o similar to perl's 'm' (match) operator.
>
> o can support partial matches (the ^ and $ are optional).
>
> o can support multiline matches (where ^ and $ match the end
> of the line, not the end of the expression); isn't useful
> in practice.
>
> Advantages of Option 2:
>
> o easier to parse; we know we are looking for a '$' to end the
> regex.
>
> o potentially less error prone as all expressions require '^'
> and '$' anchors.
>
> o could conceivably use regex for hostnames; no ambiguity between
> m... and a hostname that begins with the letter m.
>
> Thoughts?
>
> - todd
> ____________________________________________________________
> sudo-users mailing list <sudo-users at sudo.ws>
> For list information, options, or to unsubscribe, visit:
> http://www.sudo.ws/mailman/listinfo/sudo-users
>
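The anchoring point Pat raises (an expression without a trailing '$' lets a user append arguments) and Todd's "less error prone" argument for Option 2 can both be seen by running the two candidate syntaxes against a few command lines. The following is an added example written for this archive page, not sudo's code and not a proposal from either poster: Python's re module stands in for the pcre library Todd mentions (the behaviour of '$' shown here is the same in PCRE), the command line is assumed to be the program path and its arguments joined by single spaces, the m<delim>...<delim> and ^...$ parser is a toy version of the two options described above, and the "last matching entry wins" rule is the usual sudoers semantics for multiple matching entries. The example also shows one caveat a practitioner would want: '$' on its own matches before a trailing newline, so an argument ending in a newline still passes an expression anchored with '$' unless the whole command line is required to match.

```python
import re

# Added example, not sudo's implementation. Python's re stands in for PCRE;
# the command line is assumed to be "path arg1 arg2 ..." joined by single
# spaces. Sample specs and command lines below are constructed for the demo.


def parse_spec(spec):
    """Split one command spec into (negated, kind, text).

    kind is "regex" for the Option 1 form  m<delim>...<delim>  (the delimiter
    is whatever character follows 'm') and for the Option 2 form  ^...$ ;
    anything else is a "literal" command string.  A leading '!' negates the
    entry, as in sudoers.  A literal path never starts with 'm' followed by
    punctuation, so the m-prefix ambiguity Todd mentions for hostnames does
    not arise for commands in this toy parser.
    """
    negated = spec.startswith("!")
    if negated:
        spec = spec[1:]
    if (len(spec) >= 3 and spec[0] == "m"
            and not (spec[1].isalnum() or spec[1].isspace())):
        delim = spec[1]
        if spec[-1] != delim:
            raise ValueError("unterminated m%s...%s expression: %r"
                             % (delim, delim, spec))
        return negated, "regex", spec[2:-1]
    if spec.startswith("^") and spec.endswith("$"):
        return negated, "regex", spec
    return negated, "literal", spec


def spec_matches(spec, cmdline, strict=False):
    """True if cmdline is matched by spec (its leading '!' is ignored here).

    strict=False: re.search, so an expression without ^ and $ is a partial
                  match and extra arguments slip through.
    strict=True:  re.fullmatch, so the entire command line must match and a
                  trailing newline in the last argument cannot hide behind '$'.
    """
    _, kind, text = parse_spec(spec)
    if kind == "literal":
        return cmdline == text
    matcher = re.fullmatch if strict else re.search
    return matcher(text, cmdline) is not None


def command_allowed(specs, cmdline, strict=False):
    """Evaluate a list of specs the way sudoers does: the last match wins."""
    allowed = False
    for spec in specs:
        if spec_matches(spec, cmdline, strict):
            allowed = not parse_spec(spec)[0]
    return allowed


# Constructed specs in the two syntaxes from the thread.
PASSWD = ["m:^/usr/bin/passwd [A-Za-z][A-Za-z0-9]*$:", "!/usr/bin/passwd root"]
SCRIPT_PARTIAL = ["m:/usr/local/bin/some_script \\w+:"]        # no anchors
SCRIPT_ANCHORED = ["^/usr/local/bin/some_script \\w+$"]        # Option 2 form

if __name__ == "__main__":
    script = "/usr/local/bin/some_script"
    for specs in (SCRIPT_PARTIAL, SCRIPT_ANCHORED):
        for cmd in (script + " arg1",
                    script + " arg1 security_hole_arg2",
                    script + " arg1\n"):
            print("%-45s %-40r search=%-5s fullmatch=%s" % (
                specs[0], cmd,
                command_allowed(specs, cmd),
                command_allowed(specs, cmd, strict=True)))
    for cmd in ("/usr/bin/passwd alice", "/usr/bin/passwd root"):
        print("%-45s %-40r %s" % (PASSWD[0], cmd, command_allowed(PASSWD, cmd)))
```

Running it prints the partial spec accepting "arg1 security_hole_arg2" under search, the anchored spec rejecting it, and the anchored spec still accepting "arg1\n" under search but not under fullmatch. In PCRE the same applies: '$' (and '\Z') match before a final newline, while '\z' or the DOLLAR_ENDONLY option mean the absolute end of the subject; in Python '\Z' is already the absolute end. Whichever syntax sudo settles on, a matcher that anchors the whole command line itself, rather than trusting the expression's own '$', is the belt to go with the suspenders.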