[sudo-users] Request for feedback: regular expressions in sudoers

Todd C. Miller Todd.Miller at courtesan.com
Tue Dec 11 16:26:53 EST 2012

On Tue, 11 Dec 2012 13:26:18 CST, Patrick Spinler wrote:

> I can definitely see using '$' in its meaning of 'end of input I'm
> trying to match'.  Could be useful to insure that extra arguments aren't
> included to a sudo'd command.  "Only this, and nothing appended".

I guess I wasn't clear in my original message but the traditional
meaning of '^' and '$' is the same for both options.

What this means is that for option 2 you need to use ".*" to match
any characters not explicitly matched by the patten.

> e.g.
>   m^/usr/local/bin/some_script \w+$
> should limit some_Script to be called with a single argument.

Actually, it would need to be something like:

    m:^/usr/local/bin/some_script \w+$:

> However,
>   ^/usr/local/bin/some_script \w+$
> Might allow a user to do "sudo some_script arg1 security_hole_arg2 ..."

No, the two are equivalent since '$' is not only signifies the end
of the pattern but also must match the end of input.

 - todd

More information about the sudo-users mailing list