[sudo-users] Request for feedback: regular expressions in sudoers
Todd C. Miller
Todd.Miller at courtesan.com
Tue Dec 11 16:26:53 EST 2012
On Tue, 11 Dec 2012 13:26:18 CST, Patrick Spinler wrote:
> I can definitely see using '$' in its meaning of 'end of input I'm
> trying to match'. Could be useful to insure that extra arguments aren't
> included to a sudo'd command. "Only this, and nothing appended".
I guess I wasn't clear in my original message but the traditional
meaning of '^' and '$' is the same for both options.
What this means is that for option 2 you need to use ".*" to match
any characters not explicitly matched by the pattern.
> e.g.
>
> m^/usr/local/bin/some_script \w+$
>
> should limit some_Script to be called with a single argument.
Actually, it would need to be something like:
m:^/usr/local/bin/some_script \w+$:
> However,
>
> ^/usr/local/bin/some_script \w+$
>
> Might allow a user to do "sudo some_script arg1 security_hole_arg2 ..."
No, the two are equivalent since '$' not only signifies the end
of the pattern but also must match the end of input.
- todd
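The anchoring behaviour discussed in this exchange, as an added illustration that is not part of the thread and not sudo's own code: it simulates the "option 2" semantics (traditional '^' and '$', ".*" required for anything not explicitly matched) with Python's re module, using the m:...: form quoted above as an assumed syntax.

```python
import re

# Constructed simulation of the "option 2" semantics from the thread:
# '^' and '$' keep their traditional regex meaning, so a pattern must
# contain ".*" wherever it should tolerate characters it does not name.
# This is illustration only, not sudoers' actual regex implementation.


def pattern_from_sudoers(spec: str) -> str:
    """Extract the regex from the m<delim>...<delim> form used in the thread.

    The delimiter is whatever character follows 'm' (':' in the thread).
    Assumption about the proposed syntax, not documented sudoers grammar.
    """
    if len(spec) < 3 or spec[0] != "m" or spec[-1] != spec[1]:
        raise ValueError("expected m<delim>pattern<delim>, got %r" % spec)
    return spec[2:-1]


def command_allowed(pattern: str, cmdline: str) -> bool:
    """True if the command line (path plus arguments) satisfies the pattern.

    re.search is used deliberately: the anchors written in the pattern,
    not the matching call, decide whether start and end of input are pinned.
    """
    return re.search(pattern, cmdline) is not None


# Constructed patterns: the thread's regex with and without the trailing
# '$', plus the ".*" form option 2 needs to accept extra arguments.
ONE_ARG_ANCHORED = pattern_from_sudoers(r"m:^/usr/local/bin/some_script \w+$:")
ONE_ARG_UNANCHORED = pattern_from_sudoers(r"m:^/usr/local/bin/some_script \w+:")
ANY_ARGS = pattern_from_sudoers(r"m:^/usr/local/bin/some_script \w+.*$:")


def evaluate(cmdline: str) -> dict:
    """Report which of the three patterns would permit this command line."""
    return {
        "anchored": command_allowed(ONE_ARG_ANCHORED, cmdline),
        "unanchored": command_allowed(ONE_ARG_UNANCHORED, cmdline),
        "any_args": command_allowed(ANY_ARGS, cmdline),
    }


if __name__ == "__main__":
    # Constructed sample command lines, including the thread's extra-argument case.
    for cmd in ("/usr/local/bin/some_script arg1",
                "/usr/local/bin/some_script arg1 security_hole_arg2",
                "/usr/local/bin/some_script"):
        print(cmd, evaluate(cmd))
```

Only the pattern with a trailing '$' rejects the appended second argument; dropping the anchor or adding ".*" lets it through.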